
Mount notifications: fanotify and permissions


Posted Jul 3, 2024 23:52 UTC (Wed) by josh (subscriber, #17465)
In reply to: Mount notifications: fanotify and permissions by geofft
Parent article: Mount notifications

https://www.man7.org/linux/man-pages/man2/open_by_handle_...

File handles are something a filesystem guarantees as unique, but you can't do anything with them unless you have CAP_DAC_READ_SEARCH, the permission, which root and typically no other user has, that means "ignore file permissions".


Mount notifications: fanotify and permissions

Posted Jul 6, 2024 2:24 UTC (Sat) by aaronmdjones (subscriber, #119973)

CAP_DAC_READ_SEARCH doesn't mean "ignore file permissions"; that's what CAP_DAC_OVERRIDE is. CAP_DAC_READ_SEARCH is useful for backups, for example, where you want to be able to read every file and traverse every directory (hence the name) but nothing else, like changing owner (CAP_CHOWN), changing permissions (CAP_FOWNER), etc. It does not grant you any modification privileges you did not already have.

Mount notifications: fanotify and permissions

Posted Jul 6, 2024 9:08 UTC (Sat) by josh (subscriber, #17465)

Fair enough; you're right that it only ignores read and search permissions; thank you for the correction. It's still not a permission you want to give to a random application, though. So file handles are still not useful for ordinary applications.
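To make the thread's point about file handles concrete, here is an added C example (not code from the comments or from LWN): it encodes a file as a handle with name_to_handle_at(), which any user may do, and then tries open_by_handle_at(), the step the kernel gates on CAP_DAC_READ_SEARCH. The directory, file name, helper names and result codes are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of the handle round-trip; the names are constructed for this example. */
enum handle_result {
    HANDLE_OPENED = 0,      /* open_by_handle_at() succeeded (CAP_DAC_READ_SEARCH held) */
    HANDLE_DENIED = 1,      /* EPERM: handle obtained, but opening it was refused */
    HANDLE_UNSUPPORTED = 2, /* this kernel or filesystem does not hand out handles */
    HANDLE_ERROR = 3        /* file missing or an unrelated failure */
};

/* Write a small sample file so the demo has something to encode; 0 on success. */
int make_sample_file(const char *dir, const char *name)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("sample data (constructed)\n", f);
    return fclose(f);
}

/* Encode `name` under `dir` as a file handle (any user may do this), then try to
 * open the file by that handle, the step the kernel gates on CAP_DAC_READ_SEARCH. */
int try_open_by_handle(const char *dir, const char *name)
{
    struct stat st;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0 || fstatat(dirfd, name, &st, 0) < 0) {
        if (dirfd >= 0) close(dirfd);
        return HANDLE_ERROR;
    }
    struct file_handle *fh = malloc(sizeof *fh + MAX_HANDLE_SZ); /* largest possible handle */
    if (!fh) { close(dirfd); return HANDLE_ERROR; }
    fh->handle_bytes = MAX_HANDLE_SZ;
    int mount_id, result;
    if (name_to_handle_at(dirfd, name, fh, &mount_id, 0) < 0) {
        result = (errno == EOPNOTSUPP || errno == EOVERFLOW || errno == ENOSYS)
                     ? HANDLE_UNSUPPORTED : HANDLE_ERROR;
    } else {
        /* dirfd identifies the mount; the handle alone names the inode on it. */
        int fd = open_by_handle_at(dirfd, fh, O_RDONLY);
        if (fd >= 0) { close(fd); result = HANDLE_OPENED; }
        else result = (errno == EPERM) ? HANDLE_DENIED : HANDLE_ERROR;
    }
    free(fh); close(dirfd);
    return result;
}
```

Run as an ordinary user (or as root in a container that drops CAP_DAC_READ_SEARCH) the handle is produced but the open returns HANDLE_DENIED; with the capability it returns HANDLE_OPENED.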


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds