
Re: Patch for permissions /var/lib/cfengine2


From: Daniel Parthey
Subject: Re: Patch for permissions /var/lib/cfengine2
Date: Mon, 13 Oct 2003 13:34:52 +0000 (UTC)
User-agent: slrn/0.9.7.4 (Linux)

Mark.Burgess@iu.hio.no wrote:

> Why set directory permissions

The directory permissions *are already being set* in your current version
of cfengine. My patch only changes the _way_ it is done:

Instead of setting permissions to 0755:
chmod(VLOCKDIR,(mode_t)0755); /* Locks must be immutable to others */
(700 becomes 755, at least until cfengine reaches the files: section)

only the write bits for group and others are removed:
chmod(VLOCKDIR,(mode_t)(statbuf.st_mode & ~022)); /* permissions go-w */
(700 stays 700)

which suffices to ensure the security of the cfengine lockfiles in the
work directory but doesn't affect the predefined permissions set by the
administrator too much.

If somebody wants to grant read access for some group or even all users,
then he or she can do this with chmod in his favourite shell or by using
the "files:" section of cfengine.

> instead of setting the file permission?

If I set the file permissions of the files and directories inside the
directory, I have to mind all of them, both the old ones and the new ones
that may exist in the future. Removing the flags from the directory is
fast and effective, because nothing inside can be accessed.

By the way...
In our university, users also don't have read-access to /var/run/cfengine.

> I'm not sure this patch is generally desirable...

In my opinion, a program which runs as root (like cfengine) should not
reduce security by always adding read and execute permissions for "group"
and "others" even if the read/execute bits had not been set before the run.

Daniel.
-- 
 __________________________________________________________________________
( Please use PGP : Key 0xE0F4216B is available at http://mykey.webhop.org (
 ) Fingerprint   : DC13 BB6B 8B2B FA52 DCC1 6650 339D 9528 E0F4 216B       )
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
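The two chmod policies compared in the post, as an added example that is not cfengine code: mode_after_0755 and mode_after_gow are hypothetical helpers standing in for the old and patched lines, and apply_gow_to_tmpdir runs the patched call on a scratch directory instead of VLOCKDIR. It also shows a case the post only implies: the fixed 0755 drops a setgid bit the administrator set, while "& ~022" keeps it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old behaviour: unconditionally set 0755. This adds r-x for group and
 * others and silently clears any setgid/sticky bit that was present. */
mode_t mode_after_0755(mode_t old) { (void)old; return 0755; }

/* Patched behaviour: only clear the write bits for group and others;
 * everything else stays as the administrator set it. */
mode_t mode_after_gow(mode_t old) { return old & ~(mode_t)022; }

/* Create a scratch directory (constructed input), give it `initial`,
 * apply the patched chmod() call, and return the resulting permission
 * bits. Returns (mode_t)-1 if any step fails. */
mode_t apply_gow_to_tmpdir(mode_t initial) {
    char tmpl[] = "/tmp/lockdir-XXXXXX";   /* hypothetical stand-in for VLOCKDIR */
    struct stat sb;
    mode_t result = (mode_t)-1;

    if (mkdtemp(tmpl) == NULL) return result;
    if (chmod(tmpl, initial) == 0 && stat(tmpl, &sb) == 0) {
        /* same operation as the patch: chmod(VLOCKDIR, st_mode & ~022);
         * the 07777 mask drops the file-type bits stat() also returns */
        if (chmod(tmpl, (sb.st_mode & ~022) & 07777) == 0 && stat(tmpl, &sb) == 0)
            result = sb.st_mode & 07777;
    }
    rmdir(tmpl);
    return result;
}

int main(void) {
    const mode_t samples[] = { 0700, 0750, 0775, 02770, 0777 };
    size_t i;
    printf("%-8s %-8s %-8s\n", "before", "0755", "go-w");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8o %-8o %-8o\n", (unsigned)samples[i],
               (unsigned)mode_after_0755(samples[i]),
               (unsigned)mode_after_gow(samples[i]));
    return 0;
}
```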

