CWE-61 is about soft links. The basic idea is that attackers point a normal file to other system files or unexpected files through soft links to achieve arbitrary write purposes.
But I have a question: if user A tries to point fileA to fileB through a soft link and exploits this vulnerability to modify fileB, isn't A required to have read and write permissions on fileB? (Or user A can run the program as root.)
If user A already has this permission, why does user A need to use CWE-61 to modify fileB?
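For reference, an added example (not part of the question above) of the check a program can make so that a symbolic link planted at the path it expects to write is not followed: opening with O_NOFOLLOW makes the open fail with ELOOP when the last path component is a symlink, and an fstat() on the returned descriptor confirms a regular file was opened. The scenario below (a temp directory, fileA as a symlink to fileB) is constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def open_for_write_nofollow(path: str) -> int:
    """Open (creating if needed) `path` for writing, refusing to follow a
    symbolic link at the final path component.

    With O_NOFOLLOW a symlink at `path` makes open() fail with ELOOP
    instead of writing through to whatever the link points at. After the
    open, fstat() on the descriptor confirms it really is a regular file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
    except Exception:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: fileA is a symlink to fileB in a temp dir.

    Returns fileB's content after a naive write through the link, fileB's
    content after the O_NOFOLLOW attempt, and whether that attempt was
    refused with ELOOP.
    """
    with tempfile.TemporaryDirectory() as d:
        file_b = os.path.join(d, "fileB")
        file_a = os.path.join(d, "fileA")
        with open(file_b, "w") as f:
            f.write("original")
        os.symlink(file_b, file_a)          # fileA -> fileB

        # Naive open(): follows the link, so fileB is overwritten.
        with open(file_a, "w") as f:
            f.write("written via fileA")
        with open(file_b) as f:
            after_naive = f.read()

        # Reset fileB, then try the hardened open on the same link.
        with open(file_b, "w") as f:
            f.write("original")
        refused = False
        try:
            fd = open_for_write_nofollow(file_a)
            os.close(fd)
        except OSError as e:
            refused = e.errno == errno.ELOOP
        with open(file_b) as f:
            after_nofollow = f.read()

    return {
        "after_naive": after_naive,
        "after_nofollow": after_nofollow,
        "nofollow_refused_link": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The naive write lands in fileB because open() resolves the link; the O_NOFOLLOW open never reaches fileB. The same flag protects only the final component, so the directories leading to the path still need to be ones the writer trusts.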
Related
What is a good way to prevent people from submitting changes to a file? I was thinking of two methods
p4 trigger with a python snippet that holds a dictionary with protected paths and warn the user that changes are not accepted any more for that file.
use a bot account to check-out the file and never check-in (sounds like a bad idea)
I was searching for "permanently lock file", however that is just to keep exclusive locks when a file is only to be authored by one user at a time.
Remove write access in the protection table. I.e. run p4 protect and then set up permissions for the path like:
write user * * -//depot/whatever/path/...
If you want users to be able to sync and/or open the file but not submit it, add another line afterward that grants read or open permission specifically. For example, to allow users to sync that path but not edit or submit you'd do:
write user * * -//depot/whatever/path/...
read user * * //depot/whatever/path/...
Say I have 15 normal user groups and 1 admin group. I have a file directory /ReadingMaterial which has 15 text files inside of it. I want the admin group to have read/write permissions to the entire directory (all 15 files). I want the user groups to only be able to read 1 specific file inside the directory. For example, UserGroup1 will only have read access to the file called UserGroup1Material.txt.
I can't find the command required though anywhere with searching; I found dozens of pages which go over simply creating or editing groups and files as a whole (owners, groups, users), but none for individual groups on their own.
I'm pretty sure it can be done, but for the life of me I cannot find it anywhere with Google searches or in the manual.
You can change the group ownership of the file with chgrp and change its permission so that only the users of UserGroup1, and its creator, are allowed to have read access to your file:
chgrp UserGroup1 UserGroup1Material.txt
chmod 440 UserGroup1Material.txt
In a Samba share, directories and files will be created under the username and group name; that's why I have to use the sticky permission:
chmod 1770 /testfolder
With this permission users can create files and folders.
Can anyone help me with how I can restrict deleting files and folders?
How can I restrict users from deleting files and folders?
Or, in other words, is there a permission such that a user can add files to a directory, but not delete them?
NO. The write permission given to a directory lets the user modify that directory, which means create new entries, but also means delete entries. Both operations, in fact, modify the directory, i.e. the list of files contained there. It would be very handy to discriminate between adding a file and deleting it - but things are not so.
But, depending on OS and file system, maybe you can set a special attribute on a directory:
chattr -d +a nodelete/
will give the special attribute "append only" to the specified directory. "Append only" means you can create but not delete or overwrite. That will achieve, presumably, exactly what you want; see documentation for chattr, it could be your friend.
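As an added check (not part of the answer above), a small Python probe of the point made about the directory write bit: with write on the directory the user can both add and remove entries, and without it they can do neither, regardless of the mode of the file itself. The directory and files are constructed in a temp dir; since root bypasses mode-bit checks, the probe reports that and does nothing when run as uid 0.

```python
import os
import tempfile


def try_create(dirpath: str, name: str) -> bool:
    """Try to add a new entry to dirpath; True if allowed, False on EACCES."""
    try:
        fd = os.open(os.path.join(dirpath, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        os.close(fd)
        return True
    except PermissionError:
        return False


def try_delete(path: str) -> bool:
    """Try to remove an entry; True if allowed, False on EACCES."""
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed scenario: a directory owned by the current user, first
    with mode 0755 (owner has write) and then 0555 (owner has no write).

    Returns {mode: (could_create, could_delete)}. Root is exempt from
    mode-bit checks, so the probe is skipped when running as uid 0.
    """
    if os.geteuid() == 0:
        return {"root": True}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "shared")
        os.mkdir(shared, 0o755)
        victim = os.path.join(shared, "existing.txt")

        open(victim, "w").close()
        os.chmod(victim, 0o444)      # read-only file: irrelevant to unlink()
        results["0755"] = (try_create(shared, "new1.txt"), try_delete(victim))

        open(victim, "w").close()    # put the victim back
        os.chmod(shared, 0o555)      # drop the directory's write bit
        results["0555"] = (try_create(shared, "new2.txt"), try_delete(victim))

        os.chmod(shared, 0o755)      # so cleanup can remove the contents
    return results


if __name__ == "__main__":
    print(demo())
```

The expected result is {"0755": (True, True), "0555": (False, False)}: unlink() checks the directory, not the file, so making the file read-only does not protect it, and there is no combination of mode bits that yields (True, False). That is exactly the gap the append-only attribute in the answer is meant to fill.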
I am looking for some document/presentation which will give me an idea about the different file and directory attributes available on Windows, Mac and Linux file systems. I also want to know the common attributes present across all three operating systems. I want to cross-verify my work.
Thanks,
Omky
First, you want to check the file system rather than the OS; this is mostly a file system feature, not an OS one. The operating system can "support" or not all FS features.
On Linux and OS X there is the UNIX standard: you have the common owner/group/other model, where a file has a user owner (just a user) and a group owner (a group contains a list of users).
With that knowledge, you can set permissions like read/write/execute for the owner of the file, the group of the file and a "non-owner, non-member of the group".
Example:
I have a file called hello.out and I want to restrict "modification" for EVERY user, but only my user can execute it and every user can read it. I will set permission 544: the first value, 5, provides read and execute to the owner; the second value, 4, provides only read to the group; and the third value, another 4, provides only read to any other user.
You have extended permissions on some UNIX file systems; on EXT2/3/4 and others, you can set permissions for a specific user (file system extended attributes). Also, you have some "flags" with special features, like providing root execution with the SUID flag or forcing exclusivity of files in a directory to their owner with the sticky flag.
More info about UNIX permissions here: http://en.wikipedia.org/wiki/File_system_permissions
On Windows, instead, it is hard to say. First, you have FAT16/32; there are no permissions with this file system. Using FAT16/32 on Linux can "emulate" UNIX permissions, but they are global for all files and are not stored on the file system.
For file systems like NTFS, it is pretty similar to UNIX, but you have a longer list of controls for actions on the file or folder; basically you have read/write/read and execute/list files/modify/full permission.
For more info, you can find every basic and special attributes here: http://technet.microsoft.com/en-us/library/bb727008.aspx
I want to add some files to C:\windows\XXX (windows protected folder, in Vista), under the "TrustedInstaller" for my application. I do not want to replace any file so no issues on Windows Resource(formerly file) protection.
I have the code to change "ownership" to the currently logged-in admin; however, I don't have any clue how to set its file permissions programmatically. I'm using VC++/MFC for development.
Thanks
I'm not 100% sure what you actually want (do you want it to look like TrustedInstaller installed the files?) but look at this example of using SetNamedSecurityInfo. You generally need to construct a Discretionary Access Control List (DACL) for your file; however, you can "borrow" one off another file with the permissions you want to clone using GetNamedSecurityInfo, as building a DACL from scratch is considerably more annoying.
An easy way to do it is to just use the system function to run icacls with whichever parameters you need. Note that it's found in cstdlib (#include <cstdlib>)
system("icacls <params>");