bug-cfengine

VLOCKDIR changed to mode 755 in 2.0.4b1 (was: /var/cfengine temporarily


From: David J. Bianco
Subject: VLOCKDIR changed to mode 755 in 2.0.4b1 (was: /var/cfengine temporarily set mode 755)
Date: 30 Aug 2002 09:21:37 -0400

I just wanted to point out that 2.0.4b1 has the same problem I noticed
before in 2.0.3.  What are folks' opinions on this?  

        Thanks,
          David

-----Forwarded Message-----

From: David J. Bianco <address@hidden>
To: address@hidden
Subject: /var/cfengine temporarily set mode 755
Date: 12 Aug 2002 14:25:27 -0400

I found a small bug in init.c.  Line 87, in the function 
CheckWorkDirectories(), contains the following code:

chmod(VLOCKDIR,(mode_t)0755); /* Locks must be immutable to others */

I found that whenever cfagent runs, my /var/cfengine directory is
set to mode 755.  My update.conf file restricts this even further
(to 700), so the permissions come back to normal after a few
seconds, but I think that the code above is a bug in that it makes
an assumption about what I want my directory's permissions to be.
It also potentially allows a third party to browse my directory,
at least for a few seconds.

I think the intent was to remove write permission from group and
other, so I think the following code will solve the problem
more easily:


/* find the current permissions for VLOCKDIR, subtract group and other
 * write bits, and set new mode to be the result.  Do this because
 * locks must be immutable to others.
 */
if (stat(VLOCKDIR,&statbuf) == 0) {
   chmod(VLOCKDIR, (mode_t) (statbuf.st_mode & 0755));
} else {
   chmod(VLOCKDIR,(mode_t)0755);
}
        
This code actually looks up the current mode for /var/cfengine
and then just subtracts the write bits for group and other.  
I have tested this under RedHat Linux 7.3 (intel) but not on
other platforms, though I believe it's pretty portable.

        David

-- 
David J. Bianco, GSEC           <address@hidden>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.
-- 
David J. Bianco, GSEC           <address@hidden>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint:   516A B80D AAB3 1617 A340  227A 723B BFBE B395 33BA

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.
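
Added example (not part of the original message, and not cfengine code): a self-contained C version of the "only remove group/other write" idea discussed above. It holds one directory descriptor and uses fstat()/fchmod() so the check and the change apply to the same inode, and it masks against 07777 so setuid, setgid and sticky bits are kept. The names tighten_lockdir and demo_mode and the scratch directory under /tmp are assumptions made for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: clear group/other write on a directory without ever
 * adding a permission bit. Returns the resulting mode bits, or -1 on error. */
int tighten_lockdir(const char *path)
{
    struct stat sb;
    int result = -1;
    /* One descriptor: the mode is read from and written to the same inode. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) == 0) {
        mode_t want = sb.st_mode & 07777 & ~(mode_t)(S_IWGRP | S_IWOTH);
        if (want == (sb.st_mode & 07777) || fchmod(fd, want) == 0)
            result = (int)want;
    }
    close(fd);
    return result;
}

/* Constructed demo: scratch directory with mode `start`, tightened, then
 * the mode actually found on disk is returned (-1 on any failure). */
int demo_mode(mode_t start)
{
    char tmpl[] = "/tmp/lockdir-demo-XXXXXX";
    struct stat sb;
    int mode = -1;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (chmod(tmpl, start) == 0 && tighten_lockdir(tmpl) >= 0 &&
        stat(tmpl, &sb) == 0)
        mode = (int)(sb.st_mode & 07777);
    rmdir(tmpl);
    return mode;
}

int main(void)
{
    printf("0700 -> %04o\n", (unsigned)demo_mode(0700)); /* stays private */
    printf("0777 -> %04o\n", (unsigned)demo_mode(0777)); /* loses g+w,o+w */
    return 0;
}
```

A directory already restricted to 700 is left untouched, so there is no window in which it becomes readable by group or other.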
