slocate for OpenSolaris [LSARC/2008/447 FastTrack timeout 07/22/2008]
Darren J Moffat
Darren.Moffat at sun.com
Mon Aug 4 02:35:10 PDT 2008
Jim Li wrote:
> Darren J Moffat 写道:
>> Jim Li wrote:
>>> Darren J Moffat wrote:
>>>>>> So what is the ownership and permissions of
>>>>>> /var/lib/slocate/slocate.db
>>>>>>
>>>>> The ownership is root, group is other and permissions is 744
>>>>
>>>> The above check is completely useless given that that database is
>>>> publically readable. Also it should't be rwx for owner it doesn't
>>>> get executed it should be rw-.
>>>>
>>>> This is why slocate is normally installed SUID or SGID so that the
>>>> database can be installed like one of the following:
>>>> root root 600
>>>> root slocate 640
>>> Understood. Which way is better, SUID(root root 600) or root slocate
>>> 640?
>>
>> root:slocate 640
>>
> Do you think root:root 600 is aslo acceptable?
No because that means slocate is then setuid to root, or it needs to run
at least with file_dac_read which is IMO far too powerful given that
isn't how it is usually deployed.
> Because there are no preinstall or postinstall scripts in IPS, so there
> is no way to create a group when adding a package and delete this group
> when removing the package.
I thought IPS did have a way to create users and groups.
Either way this case talks about SVR4 packages not IPS and this case has
to integrate via an SVR4 process not directly to IPS.
--
Darren J Moffat
More information about the opensolaris-arc
mailing list