slocate for OpenSolaris [LSARC/2008/447 FastTrack timeout 07/22/2008]
Irene Huang
Irene.Huang at sun.com
Mon Aug 4 23:24:06 PDT 2008
Hi, Jim
Please make a decision on how to handle the property ASAP, and then I
think we can put an end to this case:)
Thanks
--Irene
On Mon, 2008-08-04 at 10:35 +0100, Darren J Moffat wrote:
> Jim Li wrote:
> > Darren J Moffat wrote:
> >> Jim Li wrote:
> >>> Darren J Moffat wrote:
> >>>>>> So what is the ownership and permissions of
> >>>>>> /var/lib/slocate/slocate.db
> >>>>>>
> >>>>> The ownership is root, group is other and permissions are 744
> >>>>
> >>>> The above check is completely useless given that that database is
> >>>> publicly readable. Also it shouldn't be rwx for owner; it doesn't
> >>>> get executed; it should be rw-.
> >>>>
> >>>> This is why slocate is normally installed SUID or SGID so that the
> >>>> database can be installed like one of the following:
> >>>> root root 600
> >>>> root slocate 640
> >>> Understood. Which way is better, SUID(root root 600) or root slocate
> >>> 640?
> >>
> >> root:slocate 640
> >>
> > Do you think root:root 600 is also acceptable?
>
> No because that means slocate is then setuid to root, or it needs to run
> at least with file_dac_read which is IMO far too powerful given that
> isn't how it is usually deployed.
>
> > Because there are no preinstall or postinstall scripts in IPS, so there
> > is no way to create a group when adding a package and delete this group
> > when removing the package.
>
> I thought IPS did have a way to create users and groups.
>
> Either way this case talks about SVR4 packages not IPS and this case has
> to integrate via an SVR4 process not directly to IPS.
>
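
An added example, not part of the thread or of slocate itself: a small Python audit that compares a locate database's ownership and mode, and the lookup binary's privilege bits, against the root:slocate 640 layout recommended above. The function names are hypothetical and the sample modes are constructed from the values quoted in the thread.

```python
import grp
import os
import pwd
import stat

# Target layout from the thread: root:slocate, mode 640.
WANT_OWNER, WANT_GROUP = "root", "slocate"


def audit_db_mode(mode, owner, group):
    """Return findings for a locate database with the given mode and ownership."""
    perms = stat.S_IMODE(mode)
    findings = []
    if perms & stat.S_IROTH:
        findings.append("world-readable: any user can read all indexed paths directly")
    if perms & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set on a data file")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if owner != WANT_OWNER:
        findings.append(f"owner is {owner}, expected {WANT_OWNER}")
    if group != WANT_GROUP:
        findings.append(f"group is {group}, expected {WANT_GROUP}")
    return findings


def audit_binary_mode(mode):
    """Return findings for the lookup executable's privilege bits."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid: lookups run with the owner's privileges")
    if not mode & stat.S_ISGID:
        findings.append("setgid bit not set (expected for the root:slocate 640 layout)")
    return findings


def audit_db_path(path):
    """Stat a real file and audit it; ids with no name are reported numerically."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return audit_db_mode(st.st_mode, owner, group)


if __name__ == "__main__":
    # Constructed cases: the root:other 744 layout reported in the thread,
    # then the recommended root:slocate 640.
    print(audit_db_mode(0o100744, "root", "other"))
    print(audit_db_mode(0o100640, "root", "slocate"))
```
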