hi list,
i was wondering if it's reasonable to disable root write access
for procfs,driverfs files (which have file permissions set to read
only)
looking at the variables exported to sysctl: if those have read-only
permission, they are intended to be read-only, even for root.
did i miss the point here? any comments?
thanks,
tm
--
in some way i do, and in some way i don't.
On Tue, 11 Jun 2002, Thomas 'Dent' Mirlacher wrote:
> hi list,
>
> i was wondering if it's reasonable to disable root write access
> for procfs,driverfs files (which have file permissions set to read
> only)
It is never reasonable. Check what root can do with any file...
Script started on Thu Jun 13 08:56:22 2002
# >foo
# ls -la
total 12
drwxrwxrwx 2 root root 4096 Jun 13 08:56 .
drwxr-xr-x 24 root root 4096 Jun 13 04:09 ..
-rw-rw-rw- 1 root root 4 Jun 13 08:49 .811.117b9a
-rw-r--r-- 1 root root 0 Jun 13 08:56 foo
-rw-r--r-- 1 root root 0 Jun 13 08:56 typescript
# chmod 444 foo # File set to Readonly
# ls -la
total 12
drwxrwxrwx 2 root root 4096 Jun 13 08:56 .
drwxr-xr-x 24 root root 4096 Jun 13 04:09 ..
-rw-rw-rw- 1 root root 4 Jun 13 08:49 .811.117b9a
-r--r--r-- 1 root root 0 Jun 13 08:56 foo
-rw-r--r-- 1 root root 0 Jun 13 08:56 typescript
# ls -la >foo # Now, root can write to a readonly file.
# ls -la
total 16
drwxrwxrwx 2 root root 4096 Jun 13 08:56 .
drwxr-xr-x 24 root root 4096 Jun 13 04:09 ..
-rw-rw-rw- 1 root root 4 Jun 13 08:49 .811.117b9a
-r--r--r-- 1 root root 316 Jun 13 08:56 foo
-rw-r--r-- 1 root root 0 Jun 13 08:56 typescript
# cat foo
total 12
drwxrwxrwx 2 root root 4096 Jun 13 08:56 .
drwxr-xr-x 24 root root 4096 Jun 13 04:09 ..
-rw-rw-rw- 1 root root 4 Jun 13 08:49 .811.117b9a
-r--r--r-- 1 root root 0 Jun 13 08:56 foo
-rw-r--r-- 1 root root 0 Jun 13 08:56 typescript
# exit
exit
Script done on Thu Jun 13 08:57:06 2002
The ability for root to do anything, including ignoring file-permissions,
is not going to go away.
Cheers,
Dick Johnson
Penguin : Linux version 2.4.18 on an i686 machine (797.90 BogoMips).
Windows-2000/Professional isn't.
dick,
> > i was wondering if it's reasonable to disable root write access
> > for procfs,driverfs files (which have file permissions set to read
> > only)
>
> It is never reasonable. Check what root can do with any file...
yes, for the normal filesystem it's reasonable - procfs and driverfs
are a different thing. (if you want everyone just to read the value,
you mean everyone - even root)
procfs _does_ implement a check for that, it's only driverfs which doesn't
(for now) ... and i just wanted to know if there's a reason for that.
--snip/snip
> The ability for root to do anything, including ignoring file-permissions,
> is not going to go away.
it is gone already. (try to change /proc/version ;), also the capabilities
are there to not allow _everything_ for root (but that's not necessarily an
fs issue)
thanks,
tm
--
in some way i do, and in some way i don't.
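
The two positions in this thread meet at one capability bit: root's write to the chmod 444 file succeeds because the process holds CAP_DAC_OVERRIDE, and a root process without that bit is refused like any other user. The script below is an added example, not part of any message in the thread; the function names are hypothetical and the two hex masks are constructed sample values.

```shell
#!/bin/sh
# Added example: why a 0444 file does or does not stop a root shell.
CAP_DAC_OVERRIDE=1   # bit number from <linux/capability.h>

# has_cap HEXMASK BIT: succeeds when capability BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps: print the shell's CapEff mask, or 0 if /proc is unavailable.
effective_caps() {
    mask=0
    if [ -r /proc/self/status ]; then
        while read -r key value; do
            case "$key" in CapEff:) mask=$value ;; esac
        done < /proc/self/status
    fi
    echo "$mask"
}

# predict HEXMASK: outcome of writing a file whose mode bits grant no write.
predict() {
    if has_cap "$1" "$CAP_DAC_OVERRIDE"; then echo written; else echo refused; fi
}

# try_write FILE: append one byte; print "written" or "refused".
try_write() {
    if ( printf x >>"$1" ) 2>/dev/null; then echo written; else echo refused; fi
}

# demo: repeat the transcript's chmod 444 test and compare with the prediction.
demo() {
    f=$(mktemp) || return 1
    chmod 444 "$f"
    caps=$(effective_caps)
    echo "CapEff=$caps predicted=$(predict "$caps") actual=$(try_write "$f")"
    rm -f "$f"
}

# Constructed masks: all bits set, and the same mask with bit 1 cleared.
echo "full mask:      $(predict 000001ffffffffff)"
echo "bit 1 cleared:  $(predict 000001fffffffffd)"
demo
```

The mask only predicts the permission check on ordinary files; an entry such as /proc/version is refused by procfs itself, which is the check the last message refers to.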