Setting file execute permissions--a somewhat arcane question.
As I've been learning Unix, I'm often impressed by the logic and efficiency of certain features, so when I find things that don't fit this pattern, it really makes me wonder.
This particular example isn't so much about the design of permissions as it is about the way administrators--even competent ones--use them.
A case in point:
-rwxr-xr-x 1 root wheel 5099 Dec 7 2006 /usr/sbin/apachectl
This means that the file belongs to root, and root can do anything (s)he wants to it--read, write and execute.
Furthermore, anyone who belongs to the group, wheel (which, correct me if I'm wrong here, is pretty generally confined to root) can read and execute it. They can't write to it because, presumably, you don't want just any old wheel coming along and changing this file, although they may read it, which might be a good thing to do before they execute it.
Finally, other, that is, any old user, can execute the file, but they can't write to it, and they can't even read it. (Incidentally, why would you want to prevent someone from reading a file that you're allowing them to execute? Element of surprise? But that's not my real question.)
My real question involves the following: try logging on as anyone other than root and running that file. If Apache is running, try to stop it. It will tell you it isn't running. That's a lie. Okay, maybe an honest mistake, but it isn't true. Now try to start it. It doesn't have to be stopped; you'll get the same error either way: "fopen: Permission denied," it says, "httpd: could not open error log file /private/var/log/httpd/error_log."
I seem to run into this a lot. A file that I have permission to execute produces an error message when I try to run it because it tries to do something that I don't have permission to do. So why do I have permission to execute the file in the first place?
Okay, maybe there are some useful things I can do with apachectl, like configtest, that don't require me to be root. Like if I'm editing the httpd.conf file, I can check it with configtest, and then when it's ready I can go get an administrator to restart apache, or something like that. Except for the fact that I can't edit httpd.conf because I only have read access to that file. But maybe there are some imaginable scenarios where it might make sense.
But there are other files that you simply can't do a darned thing with, yet which still allow you to execute them and be chastised for your lowly permission status. Not only that, but it's a relatively simple matter to construct a script in such a way that it will check to see who is executing it, while it's processing directives, and return an appropriate error message, e.g. "Sorry, 'stop' and 'start' can only be performed by root," instead of allowing some downstream process to do its dirty work. Incidentally, allowing errors to be returned from downstream processes gives unprivileged users some insight into what the script does, which, presumably, is part of what they're trying to prevent by not allowing them to read the script!
If anyone can shed any light on why things are so often done this way, I'd appreciate it. If not, I guess this is just my Unix rant for the the week.
This particular example isn't so much about the design of permissions as it is about the way administrators--even competent ones--use them.
A case in point:
-rwxr-xr-x 1 root wheel 5099 Dec 7 2006 /usr/sbin/apachectl
This means that the file belongs to root, and root can do anything (s)he wants to it--read, write and execute.
Furthermore, anyone who belongs to the group, wheel (which, correct me if I'm wrong here, is pretty generally confined to root) can read and execute it. They can't write to it because, presumably, you don't want just any old wheel coming along and changing this file, although they may read it, which might be a good thing to do before they execute it.
Finally, other, that is, any old user, can execute the file, but they can't write to it, and they can't even read it. (Incidentally, why would you want to prevent someone from reading a file that you're allowing them to execute? Element of surprise? But that's not my real question.)
My real question involves the following: try logging on as anyone other than root and running that file. If Apache is running, try to stop it. It will tell you it isn't running. That's a lie. Okay, maybe an honest mistake, but it isn't true. Now try to start it. It doesn't have to be stopped; you'll get the same error either way: "fopen: Permission denied," it says, "httpd: could not open error log file /private/var/log/httpd/error_log."
I seem to run into this a lot. A file that I have permission to execute produces an error message when I try to run it because it tries to do something that I don't have permission to do. So why do I have permission to execute the file in the first place?
Okay, maybe there are some useful things I can do with apachectl, like configtest, that don't require me to be root. Like if I'm editing the httpd.conf file, I can check it with configtest, and then when it's ready I can go get an administrator to restart apache, or something like that. Except for the fact that I can't edit httpd.conf because I only have read access to that file. But maybe there are some imaginable scenarios where it might make sense.
But there are other files that you simply can't do a darned thing with, yet which still allow you to execute them and be chastised for your lowly permission status. Not only that, but it's a relatively simple matter to construct a script in such a way that it will check to see who is executing it, while it's processing directives, and return an appropriate error message, e.g. "Sorry, 'stop' and 'start' can only be performed by root," instead of allowing some downstream process to do its dirty work. Incidentally, allowing errors to be returned from downstream processes gives unprivileged users some insight into what the script does, which, presumably, is part of what they're trying to prevent by not allowing them to read the script!
If anyone can shed any light on why things are so often done this way, I'd appreciate it. If not, I guess this is just my Unix rant for the the week.
Disclaimer: I don't hate Unix. I really like it a lot, in spite of its quirks. No one is perfect; not even me! And don't even get me started on "Windows."
MacBook Pro 17, Mac OS X (10.4.10), 4 GB RAM, 160 GB HD
