Security Basics: Re: Basic Security question about directory path

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2005-07-27 John Earl wrote:
> This seems like a very basic security question, and I _believe_ I
> already know the answer, but I am in a debate with a large software
> company about what is the correct security requirement for a path
> prefix, so I'm looking for second opinions...
>
> The question is this;  In a standard Unix (or POSIX really) setup,
> what authority does a user require to traverse a directory path in
> order to read a file from a subdirectory?
>
> For example, if user "FRED" wishes to read file "myfile" from location
> "/dir1/dir2/" (so that the full path name is (/dir1/dir2/myfile"),
> should user "FRED" need just "x" access to the root and "dir1" or
> should user FRED need "rx" access to the root and "dir1".  The goal is
> both to read the contents of "myfile", but also to give the user the
> lowest amount of authority necessary to complete the task.
As long as he has "r" access to "myfile", "x" access to all directories
(even dir2) will suffice. The user doesn't need to be able to read a
directory in order to traverse it.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq