Scenario/question:
A unix directory tree has NTFv4 ACLs configured to allow an unprivileged account traversal on all dirs (but no other ACL granting further rights on any file/dir anywhere
In such a case, is it completely safe to universally grant directory traversal right to everyone (setfacl everyone@:x:d:allow /path_to_mountpoint
or similar), or can this be somehow exploited even despite there being no other ACLs set?
I'm figuring that in the absence of any other permission/ACL allowing other rights, this should result in an absence of any right to read, modify or control any object traversed to. Thus the traversal right is valid but in practice it's utterly useless / sterile.
In this context I categorise "exploit" strictly, and even the ability to list files in a dir (that didn't have other additional ACLs set on it) would count as "exploiting" since it's more than just traversal.
In that sense, can bare traversal ACLs be exploited, or is this a "safe" right (including in the sense of file privacy) to give untrusted/unprivileged/guest accounts even on paths one doesn't want them to make use of?
Explanation/use-case:
I'm mainly thinking of a file server's data store on FreeBSD ZFS, but I guess it's similar on most unixes.
The use case is: suppose I want a specific unprivileged user to access only a specific nested dir within my data directory. Rather than setting traversal for that user on all parent dirs to reach that path, it would be administratively easier if it's secure, to
- Grant universal traverse rights to everyone on the entire data dir, inherited to all dirs, but then
- Control actual use/access/scanning by setting read/write/modify ACLs on files+dirs they are allowed to use, while setting no rights, or explicit deny rights, on every other ACL flag on all other dirs/files (other than just "x" on dirs).
If traversal can't be exploited, then the traversal right is sterile and useless unless combined with a target path/file that the user actually has some other ACLs for. But is that correct, or is it subtly loophole-y?