Hi,
some users want to prevent having a world-readable $workdir (defaults
to /var/cfengine), but each time cfagent runs, the permissions of
VLOCKDIR/$workdir are changed to a fixed value of '755'.
In the Debian package for 2.2.3 I have added an old patch [1] which
only removes the write-bits for group and other. Could you please
consider applying it too? :)
- Werner
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215910
diff -ruN cfengine-2.2.3-old/src/init.c cfengine-2.2.3/src/init.c
--- cfengine-2.2.3-old/src/init.c 2007-02-17 13:06:52.000000000 +0100
+++ cfengine-2.2.3/src/init.c 2008-02-03 14:33:15.000000000 +0100
@@ -187,7 +187,7 @@
snprintf(VBUFF,CF_BUFSIZE,"%s/ppkeys/test",VLOCKDIR);
MakeDirectoriesFor(VBUFF,'n');
snprintf(VBUFF,CF_BUFSIZE,"%s/ppkeys",VLOCKDIR);
- chmod(VBUFF,(mode_t)0700); /* Locks must be immutable to others */
+ chmod(VBUFF,(mode_t)0700); /* Keys must be immutable to others */
}
else
{
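Review bot: the return value of chmod(VBUFF,(mode_t)0700) on the ppkeys directory is still discarded on the line this hunk touches, so a failure to restrict the key directory goes unreported. Check the result and log it with CfLog(cferror,OUTPUT,"chmod"), the way the chown failure is logged in the next hunk. The comment correction (Locks to Keys) is unrelated to the VLOCKDIR permission change and would be easier to track as a separate commit.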
@@ -204,11 +204,15 @@
snprintf(OUTPUT,CF_BUFSIZE,"Unable to set owner on %s to %d.%d",VLOCKDIR,getuid(),getgid());
CfLog(cferror,OUTPUT,"chown");
}
-
-chmod(VLOCKDIR,(mode_t)0755); /* Locks must be immutable to others */
+
+/* Locks must be immutable to others */
+ if (stat(VLOCKDIR,&statbuf) != -1)
+ {
+ /* change permissions go-w */
+ chmod(VLOCKDIR,(mode_t)(statbuf.st_mode & ~022));
+ }
}
-
/**********************************************************************/
void ActAsDaemon(int preserve)
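Review bot: both failure paths in the new stat/chmod block are silent. If stat(VLOCKDIR,&statbuf) returns -1, nothing is logged and the mode is left untouched, and the result of chmod() is not checked, so the lock directory can stay group- or world-writable without any trace. Log both cases with CfLog as the chown branch just above does. The expression statbuf.st_mode & ~022 also passes the file-type bits to chmod and preserves any setuid, setgid or sticky bit already on the directory; masking with 07777 first (or 0777 if those bits should not survive) makes the intent explicit. Because the check and the change both go through the path name, opening the directory once and using fstat/fchmod on the descriptor would remove the window between them. The declaration of statbuf is not visible in this hunk, so confirm it exists in this function, and align the indentation of the added lines with the surrounding statements.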