Hello, I want to hash this out here, before I report and waste  
anyone's time.  What is the procedure for reporting bugs?

1) Set permissions
sudo chown -R _assp:_assp ~/Desktop/ASSP

2) Confirm permissions
-rwxr-xr-x@  1 _assp  _assp    1753 Jun 26  2005 addservice.pl
-rwxrwxr-x@  1 _assp  _assp   13225 Nov  6 23:51 assp.cfg.defaults
-rw-r--r--@  1 _assp  _assp  850312 Dec 10 14:21 assp.pl
drwxr-xr-x@  5 _assp  _assp     170 Oct 10  2007 docs
drwxr-xr-x@  8 _assp  _assp     272 Nov 16 02:06 files
drwxr-xr-x@ 19 _assp  _assp     646 Oct 18 10:18 images
drwxr-xr-x@  2 _assp  _assp      68 May  4  2007 logs
-rw-rw----   1 _assp  _assp   16124 Nov  1 04:28 mod_inst.pl
-rwxr-xr-x@  1 _assp  _assp    1416 Jun 26  2005 move2num.pl
drwxrwxrwx@  7 _assp  _assp     238 Nov  1 04:31 notes
drwxr-xr-x@  6 _assp  _assp     204 Jul  2  2007 rc
-rw-r--r--@  1 _assp  _assp   40138 Dec 14 07:37 rebuildspamdb.pl
-rwxr-xr-x@  1 _assp  _assp     924 Mar  2  2007 repair.pl
drwxr-xr-x@ 11 _assp  _assp     374 Feb  6  2008 reports
-rwxr-xr-x@  1 _assp  _assp    2556 Oct 10  2007 stat.pl
-rwxr-xr-x@  1 _assp  _assp    5286 Dec 31  2004 stats.sh

3) Edit and make copy of assp.cfg with new user and group
grep '_assp' assp.cfg
runAsUser:=_assp
runAsGroup:=_assp

4) Run ASSP
sudo perl assp.pl

5) Check permissions for all being _assp
ls -la | grep root
-rw-rw-rw-   1 root    _assp   13048 Feb 27 20:58 assp.cfg
-rwxr-xr-x@  1 root    _assp   13235 Feb 27 20:56 assp.cfg.bak

I can not seem to keep the config file from being root owned.  This  
concerns me, especially since the permissions on most of the files are  
defaulting to +x.  Here is a sample test case that should show what I  
think is a danger, but I could be wrong.

I just saved "#!/bin/bash touch ~/assp-made-this-file; exit;" into any  
of the input fields in the web admin, it was saved into the cfg file.   
At some point, it was rolled into a .bak file, which had execute bits  
set.

All that it took was then to ./assp.cfg.bak
Results:
-rw-r--r--   1 me  staff         0 Feb 27 21:01 assp-made-this-file

I do not know too much about this, and have not played with it much to  
solve it.  Maybe I can just -x all but the assp.pl file, but I do not  
know the repercussions of that.  Can someone tell me what all the  
permissions should be?  With that, it would help, but I can not solve  
why assp is rooting the config files to begin with.

Thanks, if someone else can test these findings, and confirm, I would  
appreciate it.
--
Scott

* If you contact me off list replace talklists@ with scott@ *






------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user

Reply via email to