Ubuntu
util-linux package

Web file download has group permission Read & Write

Asked by peterzay

For security reasons, I would expect the default group permission for any file to be read-only.

Is this a bug in Ubuntu 12.04 LTS Precise Pangolin?

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu util-linux Edit question
Assignee:
No assignee Edit question
Solved by:
N1ck 7h0m4d4k15
Solved:
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

So you download a file and it isn't readable, is that correct?

Revision history for this message
peterzay (peterzay) said : 		#2

No, everything is ok with the file. The file owner can read the file. His permission is Read and Write. That is fine.

The group permission is also Read and Write which appears to be a security weakness. I would expect the group permission to be Read Only by default.

Please comment. Thanks.

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#3

Can you give the output of:

ls -la

for one of the files to give an example.

Thanks

Revision history for this message
N1ck 7h0m4d4k15 (nicktux) said : 		#4

Hello ,

and what groups you have ? Who can manipulate groups and users inside them ? Who belongs to groups with write permissions ?

You and Root. Some applications maybe , cuz needed to have write access on files.

The Others (group) what permissions have ? The Others are dangerous. If they have write access too , then something is going wrong.

Thanks

Revision history for this message
peterzay (peterzay) said : 		#5

xxx@yyy:~/Downloads$ ls -la pa_e_Q212_SHrpt.pdf
-rw-rw-r-- 1 xxx xxx 325577 Sep 7 18:06 pa_e_Q212_SHrpt.pdf
xxx@yyy:~/Downloads$

Revision history for this message
peterzay (peterzay) said : 		#6

If any other user, from my group, from another group, from anywhere, can write to my file by default then I consider that a security weakness.

That is just like Windows, a free for all.

You consider that as ok???

Revision history for this message
peterzay (peterzay) said : 		#7

Please comment. Thanks.

Revision history for this message
Best N1ck 7h0m4d4k15 (nicktux) said : 		#8

Hi ,

is not the same as Windows. No.

A user cannot add himself/herself in a group. Only You (as admin) can add
users in groups and give them extra privileges.

System automatically add a new user (created BY You) to some groups and
give him/her some privileges for basic functionality of the account.

OK. Lets take an example. You can test it right away.

Create a new user (standard user). Logout and login from new user. Can you
change anything in Your files ?(old user) You can read them , but not
change (write) anything. Not write permission.

See here a good answer in question : "How to manage users and groups"
http://askubuntu.com/questions/66718/how-to-manage-users-and-groups

Thanks

Revision history for this message
peterzay (peterzay) said : 		#9

Thanks NikTh, that solved my question.

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#10

The file is readable by all. You may be able to tweak it so that new files are not readable by all.