#367 Is it a must to allow 7z to read the document directory for making a zip?

[L Y Lam]

Dear Igor,

Do you support 7z run in Solaris 11?

I run a web service with account "nobody" that downloads zipped documents which are not owned by "nobody".
At the very beginning, I used 7z to zip the document that stored in directory that grants execute and write (because "nobody" do document upload as well) privileges to "nobody" while read privilege of the individual document has granted to "nobody".
Surprisingly, the zip action was failed with "Permission denied".
Finally, the 7z zip action can be done only after directory read privilege has also been granted to "nobody".

Since exposing directory information to "nobody" is not recommended by security unit, I have to give up using 7z for the purpose.

May I know whether there is any getaround?

Thanks and regards.

[L Y Lam]

The following shows the setup for demonstrating my encountered 7z difficulties.
The 7z command fails because the document directory does not allow "nobody" to read.

---------------------------------------------------------

login project account "projx" & execute the following commands

mkdir /tmp/projx_dir
date > /tmp/projx_dir/doc_a.txt
date > /tmp/projx_dir/doc_b.txt
ls -l /tmp/projx_dir
#-----
projx$ ls -l /tmp/projx_dir
total 32
-rw-r--r-- 1 projx projx 29 Jul 21 10:51 doc_a.txt
-rw-r--r-- 1 projx projx 29 Jul 21 10:52 doc_b.txt

chmod o-r /tmp/projx_dir
ls -ldV /tmp/projx_dir
#-----
projx$ ls -ldV /tmp/projx_dir
drwxr-xr-x 2 projx projx 249 Jul 21 10:51 /tmp/projx_dir
0:user::rwx
1:group::r-x #effective:r-x
2😷rwx
3:other:--x

---------------------------------------------------------

login as "nobody"

root:/tmp/projx_dir# su - nobody
nobody:~$ id
uid=60001(nobody) gid=60001(nobody)

save projx documents with 7z

cd /tmp
sh -c '7z a -tzip /tmp/nobody_save_projx.zip /tmp/projx_dir/doc_a.txt /tmp/projx_dir/doc_b.txt'
#-----
nobody:~tmp$ sh -c '7z a -tzip nobody_save_projx.zip /tmp/projx_dir/doc_a.txt /tmp/projx_dir/doc_b.txt'

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C,Utf16=off,HugeFiles=on,64 bits,8 CPUs BE)

Scanning the drive:

WARNING: Permission denied
/tmp/projx_dir/doc_a.txt


WARNING: Permission denied
/tmp/projx_dir/doc_b.txt

0 files, 0 bytes

Creating archive: nobody_save_projx.zip

Items to compress: 0


Files read from disk: 0
Archive size: 22 bytes (1 KiB)

Scan WARNINGS for files and folders:

/tmp/projx_dir/doc_a.txt : Permission denied
/tmp/projx_dir/doc_b.txt : Permission denied
----------------
Scan WARNINGS: 2

ls -l /tmp/nobody_save_projx.zip
#-----
nobody:~tmp$ ls -l nobody_save_projx.zip
-rw-r--r-- 1 nobody nobody 22 Jul 21 11:12 nobody_save_projx.zip

7z l /tmp/nobody_save_projx.zip
#-----
nobody:~tmp$ 7z l nobody_save_projx.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C,Utf16=off,HugeFiles=on,64 bits,8 CPUs BE)

Scanning the drive for archives:
1 file, 22 bytes (1 KiB)

Listing archive: nobody_save_projx.zip

--
Path = nobody_save_projx.zip
Type = zip
Physical Size = 22

     Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
------------------- ----- ------------ ------------  ------------------------
                                                                         0            0  0 files