[nSLUG] 711 permissions for /?

George N. White III gnwiii at gmail.com
Mon Mar 2 08:35:29 AST 2009

On Sun, Mar 1, 2009 at 5:35 PM, Daniel Morrison <draker at gmail.com> wrote:
> Hi,
> 711 permissions on "/" sounds like an attempt at "security through
> obscurity"... but in any case, what is the problem, exactly?
> Why wouldn't
> 2009/3/1 George N. White III <gnwiii at gmail.com>:
>> { cd / && rm -rf "$tmpdir"; }
> work as expected?

It does on some systems, but the one where the problem was

mkdir /tmp/test
cd /
rm -rf /tmp/test

fails with the message

rm: cannot get current directory: Permission denied

>> $tmpdir is a scratch directory created by the script.  The reasoning
>> is that you need to ensure
>> that the current directory is not under tmpdir
> Why?
> ~$ mkdir -p /tmp/mytext/test
> ~$ cd /tmp/mytext/test
> /tmp/mytext/test$ rm -rf /tmp/mytext

The { cd / && rm -rf "$tmpdir"; } is from a script -- subsequent commands
may fail if they can't get the current directory.

> /tmp/mytext/test$ ls -la
> total 0
> /tmp/mytext/test$ cd
> ~$ cd -
> -bash: cd: /tmp/mytext/test: No such file or directory
> (if anyone wonders what 'mytext' is: since we're talking about a TeX
> install, I tried to write 'mytex', and my fingers autocompleted :)
>> 1) Has anybody seen a discussion of using 711 permissions for "/"?
> No... I looked in the Linux Filesystem Hierarchy Standard, but it
> doesn't seem to specify permissions for "/" (but maybe I didn't look
> hard enough).
>> 2) What other recipes are recommended?  "cd $HOME" can't be used because some
>> "admin" accounts may not have a $HOME.
> How about "cd /tmp/" ?

Some systems restrict access to /tmp; user processes must respect TMPDIR. You
don't want some rogue process filling the partition that holds ./tmp, so
TMPDIR is set to a different partition.

I found:

This approach would give:

For bash with GNU tools:

{ cd "$tmpdir" && rm -rf "$(pwd -P)" && cd .. ;}

Non bash and without GNU tools:

{ cd "$tmpdir" && TMP=`pwd -P` && cd "`dirname $TMP`" && rm -rf "./`basename $TMP`" && unset TMP ;}

The second is a cleaned up version of Hatem Nassrat's approach. I
can't test this properly with my GNU/linux. Is there a non-GNU/linux?

In any case, without some good reason for those permissions on "/", it
doesn't make sense to mess with the current idiom that has worked well
for years on all sorts of legacy machines.

George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
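
The second recipe in the message above (change to the parent directory, then remove by relative name), written as a POSIX sh function with guards for an empty argument, a symlink and "/". This is an added example, not code from the thread or from the script being discussed; the names make_scratch and remove_scratch are hypothetical, and it assumes mktemp -d is available.

```shell
#!/bin/sh
# Added example; make_scratch and remove_scratch are hypothetical names.
# Typical use in a script:
#   scratch=$(make_scratch) || exit 1
#   trap 'remove_scratch "$scratch"' EXIT

# Create a private scratch directory under TMPDIR, falling back to /tmp
# only when TMPDIR is unset (assumes mktemp -d exists on the system).
make_scratch() {
    mktemp -d "${TMPDIR:-/tmp}/scratch.XXXXXX"
}

# Remove a scratch directory without ever making "/" the working directory.
# Leaves the caller in the parent of the removed directory.
# Returns non-zero, deleting nothing, when the argument looks unsafe.
remove_scratch() {
    rs_dir=$1
    [ -n "$rs_dir" ] || return 1        # unset or empty variable
    [ -d "$rs_dir" ] || return 1        # not a directory
    [ ! -L "$rs_dir" ] || return 1      # refuse to follow a symlink

    # Resolve the physical path in a subshell so a failed cd here
    # cannot change the caller's working directory.
    rs_phys=$(cd "$rs_dir" && pwd -P) || return 1
    [ "$rs_phys" != "/" ] || return 1   # never operate on the root

    rs_parent=$(dirname "$rs_phys")
    rs_name=$(basename "$rs_phys")

    # Step out of the tree being deleted, then remove it by relative
    # name so later commands still have a working directory that exists.
    cd "$rs_parent" || return 1
    rm -rf "./$rs_name"
}
```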
