
#1 2024-09-14 11:08:19

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,408

[Solved] how does access to folders in restricted paths work ?

Scenario

user1 has folder foo1 under their home folder with full path /home/user1/foo/foo1.

Members of grp1 need read access to foo1 but are not allowed to access anything else in user1's home.
user1 is NOT a member of grp1.

root uses chgrp / chmod to set grp1 as group with read access for foo1.

In order to access foo1, grp1 members have to access /home/user1/foo/foo1, but two of the folders in that path are blocked off completely for them.

Does linux/unix only check the full path to determine whether access is allowed, or is there another mechanism involved?

Last edited by Lone_Wolf (2024-09-28 18:51:51)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#2 2024-09-14 12:39:26

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

The relevant bit to access/traverse a directory is the exec one.
You're not supposed to be able to enter a directory if you lack execution rights to any directory in the path.
A way around this is to bind-mount the target directory into an accessible path.


#3 2024-09-14 12:41:21

cryptearth
Member
Registered: 2024-02-03
Posts: 1,337

Re: [Solved] how does access to folders in restricted paths work ?

what you try to solve?
I can't come up with any real world scenario in which your one would occur


#4 2024-09-14 12:56:17

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

Data sharing in a selected path under control of a user - it's a natural instinct to try to bury that in $HOME but of course you don't want to reveal your porn collection smile
Hence the bind-mount into a public path.


#5 2024-09-14 14:16:00

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,408

Re: [Solved] how does access to folders in restricted paths work ?

The new dedicated download user in pacman 7 that needs access to local repos reminded me of a (Windows) use case I participated in about 15 years ago.

A high level executive needed to share some sensitive data with select employees that worked in production.

A few months before, the shared drive used in the company was found to allow almost every employee to see everything on it.
The executive had stopped using the shared drive, and relied on other channels like paper/physical contact etc. instead.

For one specific set of data this was not doable, so a digital solution was needed.
One of the requirements for the solution was that only a small number of users/systems were allowed access and all of them were personal systems.

Before the solution was decided on I had left the company and never found out how this was implemented.

seth wrote:

Data sharing in a selected path under control of a user

Good description, although it wasn't porn in this case.
Removing undesired files (over 50% was porn) was one of my subtasks in that job.




#6 2024-09-14 15:20:15

cryptearth
Member
Registered: 2024-02-03
Posts: 1,337

Re: [Solved] how does access to folders in restricted paths work ?

why not create a new folder outside of home, set it to root:grp1, give it 770 permission and add the users to the group? I guess trying to break the sandbox of home which is designed for no one else to have access to is the wrong idea and sounds flawed by design


#7 2024-09-14 19:47:46

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

The main reason typically is that some process has the data path more or less hardcoded, so you'll need to keep the stuff in ~/.local/share/foo and not everything can properly handle symlinks (eg. users frequently come up with the genius idea to turn pacman-tracked dirs into symlinks to find them replaced w/ directories with every update).

As long as there's no specific case but just general interest in "what's required to access a path", the question "why is the approach stupid itfp" doesn't really matter - you /can/ come up with a scenario where some random path won't work and the generic, surefire solution to such situations is a bind-mount.


#8 2024-09-14 20:01:28

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,341

Re: [Solved] how does access to folders in restricted paths work ?

Lone_Wolf wrote:

Removing undesired files (over 50% was porn)...

So how much under 50% was the remaining undesired stuff? tongue


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#9 2024-09-15 06:42:11

cryptearth
Member
Registered: 2024-02-03
Posts: 1,337

Re: [Solved] how does access to folders in restricted paths work ?


#10 2024-09-15 11:17:53

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,408

Re: [Solved] how does access to folders in restricted paths work ?

I agree, a local repository in home folder not being accessible for download user does look like a specific case of the issue discussed here.

Atm it seems accessing a folder requires traversing rights (x flag on directory entries) for all directories in the path.
Do x flags on directories allow listing the contents of a folder ?


Bind mounts can be used to allow accessing a specific folder without having to traverse directories above the folder.
This looks like an improvement, but is it secure enough?

Back to the example.
Let's assume there's a bind mount to foo1 for members of grp1.
Can members of grp1 use commands like cd .. to gain access to the folder foo?
If so, what could they do with this access?

I did notice there's also something called pam_mounts, could that help ?



slightly offtopic

Trilby wrote:
Lone_Wolf wrote:

Removing undesired files (over 50% was porn)...

So how much under 50% was the remaining undesired stuff? tongue

It varied between users, but for at least one, 1% of the space taken was work related files and 99% was rare porn.
That user was apparently a collector and used company storage as backup. They did state there was nothing illegal in the files and they owned the originals.

A week later the files were gone completely and no other action was taken.




#11 2024-09-15 11:35:29

ua4000
Member
Registered: 2015-10-14
Posts: 493

Re: [Solved] how does access to folders in restricted paths work ?

cryptearth wrote:

why not create a new folder outside of home, set it to root:grp1, give it 770 permission and add the users to the group? I guess trying to break the sandbox of home which is designed for no one else to have access to is the wrong idea and sounds flawed by design

I propose to do it more standard:
create a 3rd user, with an own home, no login possible.
Only purpose of this user is to share its home folder and group-id data to user 1 + 2.


#12 2024-09-15 11:57:55

cryptearth
Member
Registered: 2024-02-03
Posts: 1,337

Re: [Solved] how does access to folders in restricted paths work ?

btw - turns out I do also have such a case - but rather somewhat backwards?

I use ZFS and the root-dataset of my pool doesn't have a mountpoint set
a sub-dataset has a mountpoint within my home folder
as I also play around with libvirt my home folder has additional ACL set:

[main@main ~]$ getfacl .
# file: .
# owner: main
# group: main
user::rwx
user:libvirt-qemu:--x
group::---
mask::--x
other::---

with a folder on the zfs dataset mounted inside my home for qemu/libvirt images

[main@main ~]$ ls -alFh vault/virt/
insgesamt 14G
drwxr-xr-x  2 main         main           14 16. Jun 22:57  ./
drwxr-xr-x 26 main         main           29 15. Sep 09:05  ../
-rwxrwxrwx  1 libvirt-qemu libvirt-qemu 1,6G 14. Sep 2012   KB3AIK_DE.iso*
-rw-r--r--  1 main         main         1,5M 15. Jan 2024   patcher9x-0.8.50-boot.ima
-rw-r--r--  1 main         main         7,3G  4. Jun 17:21  steamdeck-repair-20231127.10-3.5.7.img
-rw-r--r--  1 libvirt-qemu libvirt-qemu 160M  9. Jan 2024   virtio-win-0.1.130.iso
-rw-r--r--  1 libvirt-qemu libvirt-qemu 308M  9. Jan 2024   virtio-win-0.1.160.iso
-rw-r--r--  1 libvirt-qemu libvirt-qemu 376M  9. Jan 2024   virtio-win-0.1.173.iso
-rw-r--r--  1 libvirt-qemu libvirt-qemu 479M  9. Jan 2024   virtio-win-0.1.190.iso
-rw-r--r--  1 libvirt-qemu libvirt-qemu 599M  9. Jan 2024   virtio-win-0.1.240.iso
-rwxrwxrwx  1 libvirt-qemu libvirt-qemu 1,3G 11. Feb 2017   waik_supplement_de-de.iso*
-rwxrwxrwx  1 libvirt-qemu libvirt-qemu 4,4G 12. Sep 2019   WIN7ULTIX64120919.iso*
-rwxrwxrwx  1 libvirt-qemu libvirt-qemu 3,8G 13. Okt 2008  'WIN AIO DE.iso'*
-rw-r--r--  1 libvirt-qemu libvirt-qemu 163M 15. Mai 00:40  winpe31.iso

the permissions were set (and get auto re-set) by virt-manager whenever I access one of those images

so - libvirt-qemu gets an additional X to access the mount point within my home directory - interesting - I guess I should create another dataset mounted somewhere outside my home and move the images there


#13 2024-09-15 12:24:49

stefan
Member
Registered: 2013-03-22
Posts: 112

Re: [Solved] how does access to folders in restricted paths work ?

Just my two cents:

The x-bit on a directory means that you’re allowed to use that directory in a path to a file.

$ ls -ld /tmp/foo/
drwx--x--- 2 root users 100 Sep 15 13:51 /tmp/foo/

I cannot list (read) the directory foo

$ id
uid=1000(sk) gid=984(users) groups=984(users)
$ ls -l /tmp/foo/
ls: cannot open directory '/tmp/foo/': Permission denied

But I may use it to access a file therein, given I knew it existed:

$ ls -l /tmp/foo/a
-rw-r--r-- 1 root root 33 Sep 15 13:52 /tmp/foo/a

$ cat /tmp/foo/a
Sun Sep 15 01:52:25 PM CEST 2024

$ cat /tmp/foo/x
cat: /tmp/foo/x: No such file or directory

You can even use it as PWD:

$ cd /tmp/foo
$ l
ls: cannot open directory '.': Permission denied

I would not want to rely on obscurity for security.

Something else often forgotten: There’s no fallback to a “lesser” category, should you not get the bit from “higher” one. I.e., the group-bits are only relevant if you are not the owner, and the other’s bits are only relevant if you are neither owner nor in the group:

d---rwx--- 2 sk   users 100 Sep 15 13:51 /tmp/bar

User sk would not have any access bits on /tmp/bar, even if being a member of `users`. By the same mechanics, you may lock out all members of one particular group. Yes, this is awkward:

# groupadd loosers
# mkdir /tmp/qux
# chmod 707 /tmp/qux/
# chown root:loosers /tmp/qux/

# ls -ld /tmp/qux
drwx---rwx 2 root loosers 40 Sep 15 14:03 /tmp/qux

$ date >/tmp/qux/lala
$ ls -l /tmp/qux/
total 4.1k
-rw------- 1 sk users 33 Sep 15 14:05 lala

# usermod -a -G loosers sk

$ id   # after new login!
uid=1000(sk) gid=984(users) groups=984(users),1000(loosers)
$ ls -l /tmp/qux
ls: cannot open directory '/tmp/qux': Permission denied

In your example, you specifically said that “user1 is NOT a member of grp1”, so in order to offer members of grp1 any access to /home/user1/foo/foo1, there are two options:

  • user1 is not a member of the group assigned to his home directory. This feels wrong, but I cannot come up with an example of why.

  • the x-bit of /home/user1 must be set for all others. So everyone can probe for the presence of files in that user’s home. Don’t know if this is an issue:

    $ ls -ld /tmp/bar
    drwx---r-x 2 root root 60 Sep 15 14:16 /tmp/bar
    $ ls -ld /tmp/bar/a
    -rw------- 1 root root 0 Sep 15 14:16 /tmp/bar/a
    $ ls -ld /tmp/bar/b
    ls: cannot access '/tmp/bar/b': No such file or directory

I’d feel unhappy about both of them.

I would refrain from making directories below $HOME to be accessible by anybody. But this may be a bit harsh.

Last edited by stefan (2024-09-15 12:26:37)
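The two rules stefan lays out above (exactly one class of bits applies, with no fallback; and, as seth noted earlier in the thread, every directory on the path needs the x bit) as an added Python model of the check. This is not code from any post here; uids, gids and the tree are constructed, and root's DAC bypass and ACLs are deliberately left out.

```python
"""Model of the POSIX permission checks discussed in this thread (an added
illustration, not code posted by anyone here). Modelled: exactly one class
of bits applies (owner, else group, else other, no fallback), and every
directory on a path must grant search (x) before the final object's bits
are consulted. Root's DAC bypass and ACLs are not modelled."""
from dataclasses import dataclass
from typing import Optional

R, W, X = 4, 2, 1

@dataclass
class Inode:
    mode: int                        # permission bits only, e.g. 0o750
    uid: int
    gid: int
    children: Optional[dict] = None  # dict for a directory, None for a file

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset                  # primary plus supplementary group ids

def class_bits(node: Inode, cred: Cred) -> int:
    """Owner bits if owner, else group bits if in the group, else other bits
    (so a 0707 directory locks out its own group, as with stefan's qux)."""
    if cred.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in cred.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def access(root: Inode, path: str, cred: Cred, want: int) -> str:
    """Return 'ok' or an errno-style name for an absolute path."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if node.children is None:
            return "ENOTDIR"
        if class_bits(node, cred) & X != X:
            return "EACCES"          # cannot traverse; existence not revealed
        if part not in node.children:
            return "ENOENT"          # existence is revealed once x is granted
        node = node.children[part]
    return "ok" if class_bits(node, cred) & want == want else "EACCES"

def thread_fs(home_mode: int = 0o700, foo_mode: int = 0o700) -> Inode:
    """Constructed tree: /home/user1/foo/foo1 owned by user1 (uid 1000,
    gid 1000), foo1 chgrp'ed to grp1 (gid 2000) at 0750; and stefan's
    /tmp/qux at 0707 owned root:loosers (gid 3000) holding sk's file."""
    foo1 = Inode(0o750, 1000, 2000, {})
    foo = Inode(foo_mode, 1000, 1000, {"foo1": foo1})
    user1 = Inode(home_mode, 1000, 1000, {"foo": foo})
    lala = Inode(0o600, 1001, 1000)          # sk is uid 1001, group users
    qux = Inode(0o707, 0, 3000, {"lala": lala})
    tmp = Inode(0o777, 0, 0, {"qux": qux})
    home = Inode(0o755, 0, 0, {"user1": user1})
    return Inode(0o755, 0, 0, {"home": home, "tmp": tmp})
```

With the default 0700 home, a grp1 member is stopped at /home/user1 and never learns whether foo1 exists; only after both /home/user1 and foo grant x to others do foo1's own group bits matter.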


#14 2024-09-15 14:33:02

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

Lone_Wolf wrote:

Bind mounts can be used to allow accessing a specific folder without have to traverse directories above the folder .
This looks like an improvement, but is it secure enough ?

Back to the example.
let's assume there's a bind mount to foo1 for members of grp1 .
Can members of grp1 use commands like cd .. to gain access to the folder foo ?

Not unless you just found a kernel bug. A bind mount is like a normal mount except the mounted device is another directory.
It also allows you to mount it read-only (so while /srv/foo and ~/.myserver/foo always hold the same files, /srv/foo cannot be used to write into that directory by anyone)

stefan wrote:

I would refrain from making directories below $HOME to be accessible by anybody.

+100
Maintaining access control once you opened that box is tedious and at some point you'll make a mistake. Don't.


#15 2024-09-17 12:20:07

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,408

Re: [Solved] how does access to folders in restricted paths work ?

Can we conclude that giving access to foo1 in this scenario is possible but a bad idea and should be avoided?

The safest method seems to be
- create foo1 outside of $HOME in a location that is visible to anyone, like /foo1.
- set permissions on /foo1 so only those that need it can enter/access it




#16 2024-09-17 13:07:58

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

You can either move the directory or bind-mount it to a different location where the 2nd option has the benefit that you can turn it read-only and only the user w/ access to the primary path has write permissions. At the end of the day this comes down to needs.  Do you actually need a public directory and putting it into someone's $HOME was just a stupid idea or do you need/want that to belong to the owner of the $HOME and just grant access to everyone else.

sudo touch /snafu
sudo chown $USER:$USER /snafu
stat /snafu # belongs to me, so let's clean up…
rm /snafu # womp-womp


#17 2024-09-17 17:09:52

stefan
Member
Registered: 2013-03-22
Posts: 112

Re: [Solved] how does access to folders in restricted paths work ?

Lone_Wolf wrote:

The safest method seems to be
- create foo1 outside of $HOME in a location that is visible to anyone, like /foo1 .
- set permissions on /foo1 so only those that need it can enter/access it

Yes, I’d say so.

You could bind-mount, as Seth suggests. Or you could have a symlink in the user’s $HOME, pointing to the real location.

0750  user1:grp1   /usr/local/share/foobar
0700  user1:users  /home/user1
0777  user1:users  /home/user1/foobar -> /usr/local/share/foobar

In this example, users is the primary group of user1, but you may also have an extra group for each user (I just don’t happen to do it that way, should be irrelevant here).  The mode (0777) is irrelevant on symlinks.

For the placement in /usr/local/share: See Filesystem Hierarchy Standard, a side quest that likely escalates into a rabbit hole…

I was wondering: Is there any reason why the directory has to be in user1’s $HOME, or why a symlink is not appropriate? If not, symlink is probably easiest.

Cheers Stefan


#18 2024-09-17 18:33:44

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

On what filesystem did this work?

cd /tmp
sudo mkdir -p only4dad/porn
sudo chmod 777 only4dad/porn
sudo chmod 700 only4dad
ln -s only4dad/porn porn4all
cd porn4all # womp-womp
sudo ln -s only4dad/porn porn4all
cd porn4all # womp-womp

You're not supposed to be able to break through access restrictions w/ symlinks.


#19 2024-09-17 20:29:45

Fixxer
Member
From: Poland
Registered: 2011-08-29
Posts: 227

Re: [Solved] how does access to folders in restricted paths work ?

Lone_Wolf wrote:

- set permissions on /foo1 so only those that need it can enter/access it

Yes, I've tested now this scenario (owned by user, the same group): /srv/repo 0750

Next I've applied ACL for alpm group (without -R switch):

setfacl -m g:alpm:r-x repo

Directory in ~/repo called packages is symlink to /srv/repo:

~/repo/packages -> /srv/repo

PKGDEST= variable in ~/.config/pacman/makepkg.conf was set to /srv/repo.

All works good.

Last edited by Fixxer (2024-09-17 20:31:10)


#20 2024-09-17 20:32:33

seth
Member
Registered: 2012-09-03
Posts: 61,632

Re: [Solved] how does access to folders in restricted paths work ?

If the realpath is the public one, what's the point of the symlink in $HOME?


#21 2024-09-17 20:35:29

Fixxer
Member
From: Poland
Registered: 2011-08-29
Posts: 227

Re: [Solved] how does access to folders in restricted paths work ?

Only for cohesion and convenience:

tree -d repo
repo
├── build
├── packages -> /srv/repo
├── sources
└── srcpackages


#22 2024-09-28 18:51:04

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,408

Re: [Solved] how does access to folders in restricted paths work ?

I feel this thread has more than enough info to consider my question solved.

For those wondering why foo1 was under user $home in the question or why user was not a member of grp1:

The use case that triggered me to ask the question had a very hard additional requirement: change as little as possible.



