Tim wrote:
Tim:
Owner permissions are one thing. But setting something as world
readable ought to be treated just as you intended.

Paul Howarth wrote:
You could take this argument further: any file with "world readable"
permissions should automatically be readable via the local web server
(an entry in httpd.conf should be made to allow it). After all, it's
world readable. Does that make sense?

Yes, and that was precisely the point I was arguing. I'd made a file's
permissions so that it was available to everybody, so it should be...

So running "chmod a+r /path/to/filename" should automatically cause an
edit of httpd.conf so that /path/to/filename is available by http for
all to read? I thought I chose a particularly outrageous example but
apparently not.

Making a file's permissions world-readable *does* make it available to
everybody, i.e. all users equally. However, SELinux (at least for the
targeted policy) imposes restrictions on what *processes* (not *users*)
can do. This is how it should be IMHO.

How about another example. Suppose you're running samba. You can specify
in samba that individual shares are available only to certain users. So
if /path/to/filename is accessible via such a share, then even though it
may be world-readable on the samba server itself, only the specified
list of users can access it via samba. This is a layering of access
rights, with the samba restrictions sitting on top of the Unix
permissions. Only if both say "OK" is access granted. SELinux works in a
similar fashion, layering an additional set of restrictions on top of
the Unix permissions. The two are completely separate and should not
affect each other. Removing one set of restrictions should not result in
the removal of all other sets.
Paul.
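
Added example, not part of the original message: a small Python sketch of the layering described above, which reads the real "other" permission bit from a file and evaluates it together with an SELinux file type. The type set in `HTTPD_READABLE_TYPES`, the sample labels and the helper names are assumptions made for illustration; on a real system the kernel decides against the loaded policy, and directory traversal rights also apply.

```python
import os
import stat
import tempfile

# Assumption: illustrative subset of types the httpd domain may read under
# the targeted policy. The real answer comes from the loaded policy.
HTTPD_READABLE_TYPES = {"httpd_sys_content_t", "public_content_t"}

def dac_world_readable(path):
    """Layer 1: the Unix 'other' read bit that 'chmod a+r' sets."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def parse_type(context):
    """Extract the type field from a 'user:role:type[:level]' label."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def selinux_type(path):
    """Layer 2 input: type of the file's label, or None if none is stored."""
    getxattr = getattr(os, "getxattr", None)  # only present on Linux
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, "security.selinux")
    except OSError:
        return None
    return parse_type(raw.decode().rstrip("\x00"))

def httpd_can_read(world_readable, file_type):
    """Both layers must say OK; neither grants access for the other."""
    if not world_readable:
        return (False, "denied by Unix permissions")
    if file_type not in HTTPD_READABLE_TYPES:
        return (False, "denied by SELinux (type %s)" % file_type)
    return (True, "allowed by both layers")

def demo():
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o644)  # same effect on 'other' as chmod a+r
        readable = dac_world_readable(f.name)
    # Constructed labels: a file in a home directory and one labeled for httpd.
    home = parse_type("user_u:object_r:user_home_t:s0")
    web = parse_type("system_u:object_r:httpd_sys_content_t:s0")
    return [httpd_can_read(readable, home),
            httpd_can_read(readable, web),
            httpd_can_read(False, web)]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

On an SELinux system, `selinux_type("/path/to/filename")` returns the stored type, which can be passed to `httpd_can_read` in place of the constructed labels.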