@JordiGH https://bluetechs.files.wordpress.com/2014/03/advanced-programming-in-the-unix-environment-by-w-richard-stevens-stephen-a-rago-ii-edition.pdf see section 4.5, File Access Permissions.
@federicomena "The first rule is that whenever we want to open any type of file by name, we must have execute permission in each directory mentioned in the name, including the current directory, if it is implied."
Why is that?
And why do we require to open files to rename/delete/create them?
@federicomena "To delete an existing file, we need write permission and execute permission in the directory containing the file. We do not need read permission or write permission for the file itself."
C'mon, this is weird. Who came up with these rules?
I don't think anyone came up with them.
I think they must be a consequence of some implementation choice of the 1970s.
@JordiGH "Note that read permission for a directory and execute permission for a directory mean different
things. Read permission lets us read the directory, obtaining a list of all the filenames in the
directory. Execute permission lets us pass through the directory when it is a component of a
pathname that we are trying to access. (We need to search the directory to look for a specific
+r means "can you read the list of files", and +x means "can you access the files".
@JordiGH e.g. you can have a +r-x directory, and you'll be able to list its contents, but not open files in it.
Or you can have a -r+x directory, and you *can't* list its contents, but if you know the names of files inside it, you can open them just fine. This is an old trick for kinda-sorta-secret directories.
@federicomena So why can't I create a new name in that directory with +w-x?
It seems that if w is just about the names in that directory, I shouldn't need to access any files in that directory to add a new name to that directory.
@JordiGH Because with -x you can't access the directory entry that would be created for the new file.
I'm having a hard time looking in the kernel sources for just where this is implemented. Probably fs/namei.c:generic_permission(), but that calls into the capabilities code and I have no idea about that.
@JordiGH relatedly, if you have r-x on a directory but no w, you can modify a file in it, but not rename the file or create a new one.
@federicomena Of course, you don't need +r either, just -r-w+x lets you modify files and read them too.
But +r-w-x lets you read the names in that directory.
I can see how some of these cases might be useful, but overall this feels a lot like the PHP hammer.
@JordiGH maybe a combination of
* small installations with only a few trusted people, back in the 1970s
* having only a few bits, permissions make sense
* "let's reuse this bit because directories are special anyway"
* no capabilities, extra security foo developed yet?
¡Primer servidor de Mastodon de México!
Siéntete libre de unirte a esta instancia e invita a todos tus amigos a unirse, entre más gente haya más divertido
Lee atentamente las reglas aquí: /about/more
Si tienes problemas ó deseas reportar a algún usuario o instancia (spam, porno, insultos, etc.), contacta a @maop (aquí y en twitter)
NO SE ACEPTAN BOTS DE MARKETING. Se darán de baja todos los bots de marketing sin excepción y sin aviso