On Thu, Feb 15, 2001 at 06:55:51AM +0000, Dr A V Le Blanc wrote:
> coda itself anywhere under /usr. The real pain is tweaking any
> Linux distribution to deal with shared /usr on a particular
> client. This is one reason why I feel the distributions and
> both rpm and dpkg fail to support this kind of installation
> adequately.
One problem that is very hard to resolve is the non-shared
configuration files in /etc. When some of the binaries in /usr are
updated, this might require an update to the configuration on all
clients. So there should be some way of installing multiple versions
of a binary/package and leaving it up to the clients to upgrade.
So the problem turns into having an `unpacked' package in some place in
/coda, with pre/post install/remove scripts which create links from the
local /usr tree to the various binaries. Which is exactly what "depot"
is doing (and in some ways "stow", a simpler version of "depot").
> in AFS. With Coda you can put the suid programs there, but not
> sgid, of course. (Thus in the previous example, where /usr is
> a link into /coda, /usr/bin/man may have to be a link out of /coda,
> if it is a sgid program.)
Ehh, not anymore. We didn't like the security "feature" of some user who
has `root' on one client being able to install suid-root binaries. Which
can then be executed on any other Coda-client. Suid-bits should be a per
machine policy, so Coda now correctly filters them out. And no, there is
no option to disable this filtering of suid bits.
If anybody wants suid-binaries in /coda, here is what I've been using:
- Get the program "super" and install it on the local disk on every
  client (f.i. /bin).
- For each suid binary in Coda,
      mv binary binary.su && ln -s /bin/super binary
- For each sgid binary in Coda,
      mv binary binary.sg && ln -s /bin/super binary
- Create a super.tab file similar to the following:

      #!/bin/super -o
      :global_options logfile=/var/log/super.log renewtime=y
      {binary,binary2,binary3} /coda/usr/sbin/*.su user~* uid=0
      mail /usr/bin/mail.sg user~* uid=<caller> gid=mail \
          env=PAGER,LISTER,EDITOR,VISUAL,MAIL,MBOX,DEAD

- Install the super.tab in /etc on every client; now any client can
  modify its local suid policies without compromising everything else.
Super nicely strips out environment variables, which breaks some
programs like setuid cgi-scripts, so I'm using the following recipe for
those:
      jitterbug /coda/cgi-bin/*.su \
          env=CONTENT_LENGTH,REQUEST_METHOD,QUERY_STRING,PATH_INFO,SCRIPT_NAME,AUTH_TYPE,REMOTE_USER,REMOTE_HOST,REMOTE_ADDR \
          nobody
Jan
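The rename-and-symlink recipe from the message above, written out as shell functions. This is an added example, not code from Jan's post or from the Coda or super projects: the tree to scan and the path of the locally installed super are parameters (the /bin/super default only mirrors where the post installs it), and a final audit function reports any setuid/setgid file that was not wrapped. Writing the per-client super.tab policy is still a separate step, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): wrap every setuid/setgid
# binary under a shared tree with a symlink to a locally installed "super",
# so the privilege decision is made by each client's own /etc/super.tab.
# Hypothetical usage:  wrap_privileged /coda/usr/sbin /bin/super

# find_privileged DIR
#   Print regular files under DIR carrying the setuid or setgid bit that
#   have not already been renamed to *.su / *.sg.  -type f never matches a
#   symlink, so binaries already replaced by a link to super are skipped,
#   and the name filter keeps a freshly created f.su from being picked up
#   again by the same run.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        ! -name '*.su' ! -name '*.sg'
}

# wrap_privileged DIR [SUPER]
#   setuid file:          mv f f.su && ln -s SUPER f
#   setgid-only file:     mv f f.sg && ln -s SUPER f
#   A file whose .su/.sg twin already exists is reported and left alone,
#   so re-running the function on a partly converted tree is safe.
wrap_privileged() {
    dir=$1
    super=${2:-/bin/super}          # assumption: super lives in /bin, as in the post
    find_privileged "$dir" | while IFS= read -r f; do
        if [ -u "$f" ]; then
            suffix=su
        else
            suffix=sg
        fi
        if [ -e "$f.$suffix" ]; then
            echo "skip: $f.$suffix already exists" >&2
            continue
        fi
        mv "$f" "$f.$suffix" && ln -s "$super" "$f"
    done
}

# audit_privileged DIR
#   Return 0 when no unwrapped setuid/setgid binary remains under DIR,
#   1 otherwise, printing the offending paths.  Run it after populating a
#   tree that other clients will share.
audit_privileged() {
    left=$(find_privileged "$1")
    if [ -n "$left" ]; then
        printf '%s\n' "$left"
        return 1
    fi
    return 0
}
```

The mode bits stay on the renamed .su/.sg copies, which is harmless in /coda since the client strips them anyway; the effective uid or gid comes only from the matching super.tab entry on each client.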