
If you have 10k rep on AskUbuntu, you can see this answer, which I deleted, because I'm apparently wrong.

Basically, a user's question was about how to change permissions of theme files in /usr/share/themes so they could be opened for writing.

I answered that sudo chmod a+rw /usr/share/themes would do the trick, and admittedly gksudo whateveryouwannado might be the better option, but I probably take a lot of risks with my system that others don't with theirs (and got yelled at by muru for it).

Specifics aside, due solely to the existence of themes in /usr/share/, I was convinced /usr/share was for stuff writable by all users, like themes, about which I stand corrected.

So, where should packages / I put stuff that should be writable and readable by all users? (Pretending for a moment that security is not an issue, which it isn't for me.)

  • would you mind editing my answer again? it seems we were both changing it at the same time, and your changes were automatically rejected. – Rui F Ribeiro Jan 09 '16 at 04:11
  • You really don't care if any other user wants to delete all your stuff? Why don't you just use a shared directory with the sticky bit set, so anyone can create files in there (that are viewable by others), but no one can delete or edit other people's files, only their own? – Wildcard Jan 09 '16 at 04:18
  • I would prefer to use a directory setgid to a group; in fact, that is what I do when I give vhosts access to users. I do welcome random users and/or malware writing at will in directories. – Rui F Ribeiro Jan 09 '16 at 04:20
  • @Wildcard ohh, so that's what the sticky bit does -- I'd never bothered to learn till now -- yes, that sounds workable. – cat Jan 09 '16 at 04:22
  • I thought you were more experienced. Then, a directory setgid to a group means the users of that group will be able to write at will there, and be able to manipulate the files created by the other members of that group. Some other user, including www-data, won't be able to write there. – Rui F Ribeiro Jan 09 '16 at 04:25

1 Answer

The point is, you should not create directories with write permission for all users. At least restrict the write access to a group of users.

By convention, all local modifications of a system are in /usr/local/$dir. In your scenario I would advise /usr/local/share/themes.

Do not be so quick dismissing security concerns. Take, for instance, the example of a web server. Fully write-capable directories will often be abused to upload scripts that are run with the privileges of the web server user (often www-data). If you are storing the themes with write access for all users, they will be changed and subverted to distribute malware without any need to escalate to root.

As I commented in the original question, I manage web servers with hundreds of virtual hosts, and what we do is create a group for each virtual host, then add users to that group.

I will leave here a link about applying setuid and setgid to directories.

https://www.gnu.org/software/coreutils/manual/html_node/Directory-Setuid-and-Setgid.html

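The following is an added example (not code from the question or the answer above) that builds the shared directory the answer recommends: group-writable, with the setgid bit so files created inside inherit the directory's group, plus the sticky bit from the comments so users can only remove their own files. It contrasts that with the world-writable `chmod a+rw` the question proposed. It assumes GNU coreutils (`stat -c`, as on Ubuntu) and uses a throwaway directory under `mktemp -d` with hypothetical names instead of `/usr/local/share/themes`, so it runs without root; on a real system you would create the directory as root and pass the group that should own it.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes GNU coreutils
# (stat -c). Paths and group names are hypothetical; the real target would be
# /usr/local/share/themes, created as root, e.g. make_shared_dir /usr/local/share/themes themes.

# Octal permission bits of a path, e.g. "3775" (setgid + sticky + rwxrwxr-x).
octal_mode() {
    stat -c '%a' "$1"
}

# Numeric group id owning a path.
gid_of() {
    stat -c '%g' "$1"
}

# Exit 0 if "others" have the write bit: the last octal digit is 2, 3, 6 or 7.
# This is the condition the answer warns against.
is_world_writable() {
    case "$(octal_mode "$1")" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Create a shared directory for one group:
#   2000 = setgid   : new files and subdirectories inherit the directory's group
#   1000 = sticky   : only a file's owner (or root) may delete or rename it
#    775 = rwxrwxr-x: owner and group may write, everyone else may only read/traverse
# $1 = directory, $2 = optional group (defaults to the creator's group).
make_shared_dir() {
    mkdir -p "$1" || return 1
    if [ -n "$2" ]; then
        chgrp "$2" "$1" || return 1
    fi
    chmod 3775 "$1" || return 1
    # Verify the bits actually stuck: a non-root user cannot keep setgid on a
    # directory owned by a group they are not a member of.
    [ "$(octal_mode "$1")" = 3775 ] || return 1
    if is_world_writable "$1"; then
        return 1
    fi
    return 0
}

# Create a probe file inside a setgid directory and report (exit 0) whether
# it inherited the directory's group rather than the creator's primary group.
inherits_group() {
    probe=$1/.probe.$$
    : > "$probe" || return 1
    if [ "$(gid_of "$probe")" = "$(gid_of "$1")" ]; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

# Walk through both layouts in a throwaway location and print what we found.
demo() {
    base=$(mktemp -d) || return 1
    make_shared_dir "$base/themes" || return 1           # recommended layout
    mkdir "$base/themes-a+rw" && chmod a+rw "$base/themes-a+rw"  # the question's approach
    printf 'shared dir   mode=%s world-writable=%s\n' \
        "$(octal_mode "$base/themes")" "$(is_world_writable "$base/themes" && echo yes || echo no)"
    printf 'a+rw dir     mode=%s world-writable=%s\n' \
        "$(octal_mode "$base/themes-a+rw")" "$(is_world_writable "$base/themes-a+rw" && echo yes || echo no)"
    inherits_group "$base/themes" && echo 'new file inherited the directory group (setgid)'
    rm -rf "$base"
}

# Run the walkthrough only when executed directly, not when sourced.
case "$0" in
    *sh) : ;;
    *) demo ;;
esac
```

On a real multi-user system the check that matters is the one `make_shared_dir` refuses to pass: any directory whose mode ends in 2, 3, 6 or 7 lets every local account, including `www-data`, drop files there. The sticky bit only limits deletion and renaming; it does not stop a group member from editing another member's file, which is why the answer keeps the group small and per-vhost.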