You are not logged in.

#1 2019-08-13 21:11:33

loqs
Member
Registered: 2014-03-06
Posts: 8,225

[SOLVED] When to use chmod 02750

I want to clarify my understanding of what chmod 02750 is doing and when it should be used after I read [1] which lead me to find [2] and [3]
My understanding is when the target is a file the leading 0 will be ignored,  2 will set the group id, 7 will set read + write + execute for user,  5 will set read + nowrite + execute for group,  0 will set noread + nowrite + noexecute
If the target is owned root:root the result would be:

  • owner root would execute the command with the effective group ID of root so in most cases would not have any effect.

  • group root executes with the effective group ID of root so in most cases would not have any effect.

  • other can not execute the file.

If the setgid is not having any effect could it be dropped leaving the privileges at 750?

If my understanding is correct this would seem an odd command to execute to harden an executable such as w or who.

[1] https://bbs.archlinux.org/viewtopic.php?id=247974
[2] https://github.com/grapheneX/grapheneX/issues/81
[3] https://github.com/grapheneX/grapheneX/ … .json#L255

Edit:
Consensus is never to use 02750

Last edited by loqs (2019-08-21 21:49:40)

Offline

#2 2019-08-13 22:11:43

seth
Member
Registered: 2012-09-03
Posts: 12,020

Re: [SOLVED] When to use chmod 02750

tl;dr: WTF??

This doesn't "harden" anything, you'd be elevating the effective GID at best (eg. if some ACL would allow the execution for other users or the user is in the "root" group, what's not exactly secure to begin with…)
Also the effective GID isn't the same as the effective UID, so turning 4755 into 2755 may have side effects and turning it into 2750 bears the same issues as the above.

Stuff like ping is handled via caps nowadays, any kind of elevation via sg-uid bits means to weaken it. (If anything, one could eg. put it in the wheel group and suid it, but this will still allow wheel users to run a complete UID0 process and take the feature from users…)

https://github.com/grapheneX/grapheneX/ … -517210388 seems to force you to run a single user OS? Why would one block /etc/profile reading??
This is all rather weird, is there any indication that the author (singular?) has even a remote idea what he's doing?

Did you ask him for his reasoning on this … this … whatever this is?

Offline

Board footer

Powered by FluxBB