Hi -
On Thu, May 09, 2013 at 12:22:53PM +1000, Ken McDonell wrote:
> [...]
> Given that /var/tmp and /tmp and at least half a dozen other directories
> I can find on my system are likely to exist and be mode 1777, the evil
> ones already have ample opportunity even if PCP is not installed. I am
> not strongly persuaded by this argument I'm afraid.
Normally, mildly sensitive stuff is put under /tmp/SUBDIRECTORY, whose own
permissions are not 1777.
> Also we already have /var/tmp/pmlogger and /var/tmp/mmv that are mode
> 1777 and there is no Plan B that is possible for these (the pmlogger one
> is not negotiable as any uid can launch pmlogger, e.g. "Record" mode for
> gui tools, the mmv one I'm less sure on).
(Could these programs not log to some $HOME/.pcp directory? Why
should they be system-wide?)
> [...]
> Some DB APIs have (at least in the past) relied on some db-group
> permissions, so we may not have the freedom to mandate running as gid pcp.
(Please keep in mind *supplementary* group memberships, not gid pcp.)
> [...]
> >Also, rc.d/init.d files should not chmod files or directories at run
> >time. Permissions should be set by the installation scripts, and
> >maintained thence; else routine package-verification will fail and set
> >off alarms.
>
> This is a different can of worms!
>
> 1. some packaging systems enforce permissions and uid/gid rules that are
> not consistent with our needs ... so we need to gather all these up and
> replicate the patch up logic in _all_ the package post-install scripts.
Can you give an example?
> 2. some packaging systems don't honour changes in permissions and
> uid/gid from the package when these are different to permissions and
> uid/gid settings of an already installed file or directory.
Can you give an example?
> 3. some of our directories are created on the fly and not included in
> the packages ... this is almost certainly wrong.
Right, among other things it complicates clean uninstallation.
- FChE
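As an added illustration (not part of this thread and not PCP's own code), the two defensive points raised above in POSIX shell: keeping data in a subdirectory under a sticky 1777 directory whose own mode is not 1777, with ownership, symlink and world-writability checked before use, and testing supplementary group membership with id -G rather than relying on the primary gid. It assumes GNU coreutils stat (-c) and runs against a constructed mktemp scratch directory standing in for /tmp; make_private_dir, check_private_dir and in_group are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: private subdirectory under a
# world-writable sticky directory, plus a supplementary-group check.
# Assumes GNU coreutils stat; the demo uses a constructed scratch
# directory instead of the real /tmp.

# Return 0 when $1 is a real directory (not a symlink), owned by the
# current uid, and not writable by "other"; explain the failure otherwise.
check_private_dir() {
    dir=$1
    { [ -d "$dir" ] && [ ! -L "$dir" ]; } || {
        echo "not a plain directory: $dir" >&2; return 1; }
    owner=$(stat -c %u "$dir")
    perms=$(stat -c %a "$dir")   # e.g. 750 or 1777
    [ "$owner" = "$(id -u)" ] || {
        echo "owned by uid $owner, not us: $dir" >&2; return 1; }
    # last octal digit is the "other" class; 2,3,6,7 all include write
    case "$perms" in
        *[2367]) echo "world-writable ($perms): $dir" >&2; return 1 ;;
    esac
    return 0
}

# Create $1 with mode $2 (default 0750) if absent, then verify it.
# mkdir fails rather than follows if something else appears at the path,
# so a pre-planted symlink or foreign directory is rejected, not reused.
make_private_dir() {
    dir=$1
    mode=${2:-0750}
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir -m "$mode" "$dir" || return 1
    fi
    check_private_dir "$dir"
}

# Return 0 if the current user is in group $1 via any membership
# (primary or supplementary), which is what file access actually uses.
in_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# Demo on a constructed scratch directory standing in for /tmp.
scratch=$(mktemp -d)
make_private_dir "$scratch/pcp-example" 0750 && echo "ok: $scratch/pcp-example"
rm -rf "$scratch"
```

The check is deliberately repeated after creation: an existing directory that passes make_private_dir's mkdir step can still be the wrong owner or mode, and that is the case the 1777 parent makes possible.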