  1. #1
    Just Joined!
    Join Date
    Apr 2004
    Posts
    7

    Entered a locked ("000") folder w/out being root


    Hi,

    I'm still a relative newbie to Linux, so please bear with me if this "security problem" I found is really just an error on my part.

    I'm running Red Hat 9 (kernel 2.4.20-31.9) and KDE 3.1-13 and generally use Konqueror (3.1-15) as my file manager. Well, being the paranoid type, I tend to keep a lot of my private info (bank records, etc.) stored in a directory that's totally locked when I'm not using it. That is, each time I want to access files in this directory I open up a terminal, su to root by typing in my password, then do "chmod 700 -R <directoryname>". When I'm done, I go back to the terminal and lock that directory back up again with "chmod 000 -R <directoryname>".

    Now comes the funky part. When using Konqueror as my file manager, I'm able to do the following to unlock the "locked" directory even without having root privileges:

    Open a Konqueror window and enter the directory containing the "locked" directory;
    Type <Ctrl-E> ("execute shell command");
    In the "shell command" dialog box, type "chmod 700 -R <directoryname>";
    That's it! The folder is then accessible to me as a regular user.

    At first I thought I might have accidentally retained root permission from something else I'd done earlier in the session. But that doesn't seem to be the case, since I was unable to re-lock the folder using the same sequence of steps that unlocked it (apart from replacing "chmod 700" with "chmod 000", of course).

    Can someone please tell me if there's something I'm missing here, or could this actually be a bug in Konqueror or some other part of my software? Thanks.

  2. #2
    Just Joined!
    Join Date
    Apr 2004
    Posts
    7
    A correction to the above: It turns out that I can re-lock the directory by doing <Ctrl-E>, "chmod 000 -R <directoryname>". The difference is that when I do so, a message box pops up that says "Permission Denied," even though hitting "Refresh" (the <F5> key) shows that the directory has, in fact, been locked again.

    In a nutshell, it appears that one can bypass the need to login as root to get into locked folders simply by using Konqueror and its "Execute Shell Command" feature.

  3. #3
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    chown the file root:root to ensure that you need to be root to unlock it.

    eg:

    Code:
    chown root:root dir/ -R
    chown root:root dir/
    Jason
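
The behaviour discussed in the reply above, as an added example that is not part of the original posts: mode 000 does not stop the owner of a directory from changing its mode back, which is why changing the owner to root closes the gap. It assumes Linux with GNU coreutils and findutils; the function names `can_chmod`, `self_unlockable_dirs` and `demo` are hypothetical and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added illustration (not from the thread). Assumes GNU stat, chmod and find.

# chmod(2) is allowed when the caller's effective UID matches the file's owner
# (or the caller is root). The mode bits themselves are not consulted.
can_chmod() {
    local owner
    owner=$(stat -c '%u' "$1") || return 2
    [ "$(id -u)" -eq 0 ] || [ "$owner" -eq "$(id -u)" ]
}

# List mode-000 directories under $1 that the current user owns, i.e. "locked"
# directories the user can reopen without su. -prune avoids descending into them.
self_unlockable_dirs() {
    find "$1" -xdev -type d -perm 000 -user "$(id -u)" -prune -print 2>/dev/null
}

# Reproduce the thread's sequence in a scratch directory (constructed sample data).
demo() {
    local base dir locked found unlocked relocked rc=0
    base=$(mktemp -d) || return 1
    dir="$base/private"
    mkdir "$dir" && echo "constructed sample" > "$dir/bank.txt"
    chmod 000 "$dir"                          # "lock" the directory
    locked=$(stat -c '%a' "$dir")
    found=$(self_unlockable_dirs "$base" | wc -l | tr -d ' ')
    chmod 700 "$dir"                          # the owner reopens it, no su needed
    unlocked=$(stat -c '%a' "$dir")
    # Recursive re-lock as the owner: the directory is set to 000 first, then
    # chmod cannot read it to recurse, so a non-root user gets "Permission denied"
    # (non-zero status) even though the directory mode did change.
    chmod -R 000 "$dir" 2>/dev/null || rc=$?
    relocked=$(stat -c '%a' "$dir")
    chmod 700 "$dir" && rm -rf "$base"        # clean up the scratch directory
    echo "locked=$locked found=$found unlocked=$unlocked relocked=$relocked relock_rc=$rc"
}

demo
```

Running `self_unlockable_dirs "$HOME"` lists any directory that is relying on mode 000 alone while still owned by the current user.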

  5. #4
    Just Joined!
    Join Date
    Apr 2004
    Posts
    7
    Ahh, okay. That took care of it. I didn't realize that owners could access their own files even when root turned off user permissions.

    Thanks for the help, Jason.

  6. #5
    Just Joined!
    Join Date
    May 2004
    Posts
    13
    If you must keep your banking details on your PC it would be better to use file encryption. Just relying on file permissions is a bad idea.
    If someone steals or has physical access to your PC it is a very trivial task to get root. Encrypting a file with openssl (make sure you use a password, long string with numbers, capitals, special characters, not based upon a word) would be better. If your PC is connected to the Internet permanently it is only a matter of time before someone breaks in. You may also not know if someone has broken in.
    I personally store my bank details in my head. If you must store them electronically best to store on removable media which has an encrypted file system (passworded) and physically secure it away from the PC.
