Posts Tagged ‘chmod’

2011w35

Sunday, September 4th, 2011

I guess the first big thing to happen this week, which I’d be remiss not to mention, is that I got a job :D

passtore

This Tuesday I also awoke with the idea that I really should somehow make it easy for a user to sign the configuration file of passtore. And of course to check said signature as well.

What I want to achieve with that is to engineer out the flaw in security which would appear if an aggressor got his/her hands on the system and added his/her own key id to the list of recipients in the configuration file.

I’ll have to think about that some more.

chattr +i

I don’t particularly like flash. Sadly a great big chunk of the Internet becomes useless without it, and although I should take a firmer stand against flash I have the flashplugin for Firefox installed. One of the really nasty things about flash is those persistent super-cookies which can be set, and quite frankly, Firefox has become a bit heavy lately, so I have been looking around for ways to cut back on add-ons.

I am currently trying out Privoxy as a standalone ad-blocker, and today I got the idea of trying to replace the “Better Privacy” add-on with some file-system hacking instead. In short “Better Privacy” works by trying to detect when a flash super-cookie has been set, and remove it.

This cookie is stored in a file, locally on the file-system. So I did a little thinking. In my home directory there are two hidden directories: .adobe and .macromedia, both containing a directory named Flash_player. Inside one of those (I guess it depends on the version of flashplayer which directory is the relevant one) flash stores these cookies.

So my first idea was simply to delete those two directories. Which of course is silly. The relevant one will just be recreated, at the latest upon the next Firefox restart. So that wouldn’t work.

I could of course instruct fsniper or incron to watch those two directories and have them pounce on any newly created content within with an rm -rf command, and although that would work, I don’t particularly like scripted events which include an rm command. Also I’d have to divert some system resources to that activity (yes, there are plenty of resources to go around, that’s beside the point), and that wasn’t to my liking either.

Finally it dawned on me. If I removed the directories, they would just respawn, so I’d need to keep them there as placeholders, and make them non-writeable, and really immutable. That way, any time flash would try to get cute, it would hit a brick wall.

So what I ended up doing was:

  1. Purge any and all contents inside .adobe/ and .macromedia/
  2. chmod 0500 ./{.adobe,.macromedia}
  3. sudo chattr +i ./{.adobe,.macromedia}

So now the owner (me) can only read/list the contents of the directories (not modify them) and with chattr +i they are immutable, requiring root privileges to change those permissions.

Your move flash…

Links

Schneier on Security: The Efficacy of Post-9/11 Counterterrorism

MITnews: Killing a cancer cell from the inside out — although I’d worry about mutation, or weaponisation…

Easy permission sanitizing using chmod

Thursday, June 3rd, 2010

Let’s say you have a web app, such as WordPress, and you have installed it on your own server. You are of course security conscious, so you wish to have the permissions set up correctly, no exceptions. This usually means 755 (rwxr-xr-x) for directories and 644 (rw-r--r--) for files.

The way I used to solve this, on every server I worked, I set up a small shell script (sanitize-perms.sh) along the lines of:

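#!/bin/sh
# Reset every file under the target to 0644 and every directory to 0755.
TARGET=$1
# -print0 / xargs -0 keep file names containing spaces or newlines intact
find "$TARGET" -type f -print0 | xargs -0 chmod 0644
find "$TARGET" -type d -print0 | xargs -0 chmod 0755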

This worked well, with one huge caveat: What if you, somewhere in that directory structure, had a file which needed to be executable?

I don’t know if such a case exists in WordPress, I’ve used that script on a couple of WP installations without any noticeable side-effects, but it’s obviously a flawed approach.

I’ll side-track this post a bit, since it is relevant to the overall post, that I, through identi.ca, stumbled upon this blog post (which is awesome by the way, go read it!) about why LaTeX is so cool, and why it can be useful writing your résumé using it.

Just by chance I continued into Dan’s code section, and long story short, I found some cool stuff in his .bashrc file. Most notably this little beauty:

# sanitize - set file/directory owner and permissions to normal values (644/755)
# Usage: sanitize <file>
sanitize() {
	chmod -R u=rwX,go=rX "$@"
	chown -R ${USER}.users "$@"
}

I personally, for some reason, have always tended more to the octal representation than the [ugo][+-=][rwx] syntax, but that single chmod line is so outstandingly brilliant that I am almost forced to switch.

In one fell swoop Dan’s command does what I need two commands (really, with the xargs and I suppose one new process per found file/directory to execute chmod, my script needs a lot of processes) to accomplish.

The magic happens in that capital X, which is defined in the chmod man-file as: “execute/search only if the file is a directory or already has execute permission for some user”.

Directories automatically receive the executable flag, and any file which already has it keeps it. Bloody brilliant!

Many thanks to Dan for sharing his configuration files, one of these days I’ll have to follow his good example.
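
To compare the two approaches side by side, this added example (not from the original post or from Dan's configuration) builds a throwaway tree and prints the resulting modes under each. The tree, file names and function names are constructed for illustration. It also shows a side effect of the capital X: a data file carrying a stray execute bit ends up executable for everyone.

```shell
#!/bin/sh
# Added example: compares the octal two-pass reset with chmod's capital X.
# The directory tree below is constructed sample data.

# Print the ls-style mode string (e.g. -rw-r--r--) of one path.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Build a small tree with deliberately tight and odd permissions.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp/bin"
    printf 'data\n'      > "$t/wp/index.php"
    printf '#!/bin/sh\n' > "$t/wp/bin/cron.sh"
    printf 'notes\n'     > "$t/wp/stray.txt"
    chmod 0700 "$t/wp" "$t/wp/bin"
    chmod 0600 "$t/wp/index.php"
    chmod 0700 "$t/wp/bin/cron.sh"   # legitimately executable
    chmod 0601 "$t/wp/stray.txt"     # data file with a stray execute bit
    printf '%s\n' "$t"
}

# Octal approach: every file 0644, every directory 0755.
sanitize_octal() {
    find "$1" -type f -exec chmod 0644 {} +
    find "$1" -type d -exec chmod 0755 {} +
}

# Symbolic approach: X adds execute only to directories and to files
# that already have an execute bit set for some user.
sanitize_symbolic() { chmod -R u=rwX,go=rX "$1"; }

# $1 = octal | symbolic; prints the modes of: dir, script, data file, stray file.
report() {
    t=$(make_tree) || return 1
    "sanitize_$1" "$t/wp"
    printf '%s %s %s %s\n' \
        "$(mode_of "$t/wp/bin")" "$(mode_of "$t/wp/bin/cron.sh")" \
        "$(mode_of "$t/wp/index.php")" "$(mode_of "$t/wp/stray.txt")"
    rm -rf "$t"
}

report octal      # script loses its execute bit
report symbolic   # script keeps it, but stray.txt becomes rwxr-xr-x too
```

Before relying on X for a web root, listing the files that already carry an execute bit (for example with find and -perm) shows which of them will stay executable.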