This is something I haven't been able to find much info on so any help would be appreciated.

My understanding is thus. Take the following file:

-rw-r-----  1 root        adm   69524 May 21 17:31 debug.1

The user phil cannot access this file from the shell:

phil@server:/var/log$ head -n 1 debug.1
cat: debug.1: Permission denied

If phil is added to the adm group, it can:

root@server:~# adduser phil adm
Adding user `phil' to group `adm' ...
Adding user phil to group adm
Done.
phil@server:/var/log$ head -n 1 debug.1
May 21 11:23:15 server kernel: [    0.000000] DMI: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014

If, however, a process is started whilst explicitly setting the user:group to phil:phil it cannot read the file. Process started like this:

nice -n 19 chroot --userspec phil:phil / sh -c "process"

If the process is started as phil:admphil:adm, it can read the file:

nice -n 19 chroot --userspec phil:adm / sh -c "process"

So the question really is: 

What is special about running a process with a specific user/group combo that prevents the process being able to access files owned by supplementary groups of that user and is there any way around this?
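The mode-bit check the kernel applies to the scenarios above, modelled in Python as an added example that is not part of the original post: a file is readable through its group class when its gid matches either the process's effective gid or any of its supplementary gids, so what matters is the group set the started process actually carries. The uid/gid numbers are constructed, ACLs and capabilities are left out, and the `--userspec phil:phil` case assumes, consistent with the observed denial, that the process was given no supplementary groups.

```python
# Added example (not from the post): simplified POSIX mode-bit access check,
# as applied by the kernel on open(2). Omits ACLs, capabilities (e.g. root
# bypassing DAC) and the directory-traversal check. Ids below are constructed.
from dataclasses import dataclass

ROOT, PHIL = 0, 1000          # constructed uids
ADM, PHIL_G = 4, 1000         # constructed gids (adm, phil's own group)

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int                 # permission bits only, e.g. 0o640

@dataclass(frozen=True)
class Cred:
    euid: int
    egid: int                 # primary (effective) gid
    groups: frozenset = frozenset()   # supplementary gids

R, W, X = 4, 2, 1

def may_access(inode: Inode, cred: Cred, want: int) -> bool:
    """Pick the permission class exactly as the kernel does: owner if euid
    matches, else group if egid OR any supplementary gid matches, else other.
    The first matching class is final; there is no fallthrough to 'other'."""
    if cred.euid == inode.uid:
        shift = 6
    elif cred.egid == inode.gid or inode.gid in cred.groups:
        shift = 3
    else:
        shift = 0
    return ((inode.mode >> shift) & want) == want

DEBUG_1 = Inode(uid=ROOT, gid=ADM, mode=0o640)   # -rw-r----- root adm debug.1

def scenarios() -> dict:
    """Each case from the post, expressed as the credentials the process holds."""
    return {
        # shell as phil before adduser: primary gid phil, no adm membership
        "phil, not in adm": may_access(DEBUG_1, Cred(PHIL, PHIL_G), R),
        # shell as phil after adduser phil adm: adm arrives as a supplementary gid
        "phil after adduser phil adm": may_access(DEBUG_1, Cred(PHIL, PHIL_G, frozenset({ADM})), R),
        # chroot --userspec phil:phil, assumed to set no supplementary groups
        "chroot --userspec phil:phil": may_access(DEBUG_1, Cred(PHIL, PHIL_G), R),
        # chroot --userspec phil:adm: adm is now the primary gid, so the group class matches
        "chroot --userspec phil:adm": may_access(DEBUG_1, Cred(PHIL, ADM), R),
    }
```

Running `id` in place of `process` shows the group set the kernel actually credits to the started process, which is the quickest way to confirm which of these cases applies.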

phil-lavin