
We have a shared Linux environment where most files are mounted to many machines on an NFSv3 share, which we do not control. Since we only have basic filesystem permissions available (no ACLs), we are looking for a way to allow people to run mkdir in a shared disk without giving the entire group write permissions over the root of the share.

For example, a binary with the setuid bit set, and the owner of the binary set to the owner of the share, could read a configuration file which would define which users or groups are allowed to create a directory in said shared directory. Then it could decide if the user that runs the binary is allowed to create a directory in the share.

The permissions on the top level share would be:

drwxr-x--- 1 owner group …

So the idea is that there is a wrapper for mkdir that then runs as the share owner, checks a configuration file, and creates the requested directory if the configuration file allows it. That way, the users can’t just run the built-in mkdir.

The directory created would look something like this:

drwx------ 1 normaluser group 4096 Nov 3 18:14 newdir

Is this the best approach? Or are we reinventing the wheel?

  • setuid would be very dangerous in a distributed setup. Commented Nov 3, 2021 at 22:09
  • @JeremyBoden What specifically would we be looking out for? I understand it’s a risk, but what kind of vulnerabilities would we be exposing ourselves to? Commented Nov 3, 2021 at 22:20
  • If 'owner' creates a directory, then it needs to change the owner of the new directory to 'normaluser' and it all gets rather messy. In addition, if the setuid program could be hijacked, it would be possible to run arbitrary code with 'owner' authority... Commented Nov 3, 2021 at 22:43
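
The wrapper described in the question, as an added example that is not code from the original post or its comments: it authorizes on the real UID, accepts only a single safe path component, and creates the directory relative to an already-opened share descriptor. The share path `/srv/share`, the allowlist path `/etc/share-mkdir.allow`, its one-UID-per-line format and all function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One path component only: no '/', no "..", no leading '.', bounded length. */
int name_is_safe(const char *name) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = strlen(name);
    return n > 0 && n <= 64 && name[0] != '.' && strspn(name, ok) == n;
}

/* Assumed format: one numeric UID per line (lines under 255 bytes); other lines are ignored.
   The file must be writable only by the share owner. A missing file fails closed. */
int uid_allowed(const char *conf, uid_t uid) {
    char line[256], *end;
    int found = 0;
    FILE *f = fopen(conf, "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {
        unsigned long v = strtoul(line, &end, 10);
        found = (end != line && (*end == '\n' || *end == '\0') && (uid_t)v == uid);
    }
    fclose(f);
    return found;
}

/* Authorize the REAL uid (the caller), then create name under share_fd. Returns 0 or -errno. */
int make_dir_in_share(int share_fd, const char *conf, uid_t real_uid, const char *name) {
    if (!uid_allowed(conf, real_uid)) return -EACCES;
    if (!name_is_safe(name)) return -EINVAL;
    umask(077);                     /* do not trust the umask inherited from the caller */
    return mkdirat(share_fd, name, 0700) == 0 ? 0 : -errno;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s NAME\n", argv[0]); return 2; }
    /* Placeholder paths, compiled in: never taken from argv or the environment. */
    int fd = open("/srv/share", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { perror("open share"); return 1; }
    int rc = make_dir_in_share(fd, "/etc/share-mkdir.allow", getuid(), argv[1]);
    if (rc) fprintf(stderr, "refused: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

The directory this creates is owned by the binary's effective UID (the share owner), not by the caller; the ownership change raised in the comments needs CAP_CHOWN, which a binary that is setuid to a non-root owner does not have.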

1 Answer


Set the umask as each user logs in:

umask 002

Thereafter, the group will have the same permissions as the user:

mkdir newdir
ls -ld newdir
drwxrwxr-x+ 1 roaima roaima 0 Nov  3 22:04 newdir

If that isn't what you want, then create an alias for mkdir:

alias md='mkdir -m 775'
md newdir
  • The permissions on the top level share would be: drwxr-x--- 1 owner group … So the idea is that there is a wrapper for mkdir that then runs as the share owner, checks a configuration file, and creates the requested directory if the configuration file allows it. The directory created would look something like this: drwx------ 1 normaluser group 4096 Nov 3 18:14 newdir Commented Nov 3, 2021 at 22:17
