https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6994
--- Comment #4 from Kevin A. McGrail <[email protected]> --- (In reply to linda w from comment #3) > If you are going to test for it and claim There is functionality in the AWL > allowing the user to specify a file_mode so the test needs to stay. > > I'm pointing out that this can pass in your test directory but FAIL > when it is installed on a system, since the permissions on the test directory > can be "cleared" so the test will pass, but any user who has > ACL's on their dir will NOT have this functionality. Agreed. But I think administrators using ACLs know this as a general rule. > The point I'm trying to make is that it isn't just about installing -- that > can be easily worked around -- but that you are providing that test as a > guarantee of some security feature -- and that guarantee CAN'T be guaranteed > on any file system that supports ACL's. But the test fails, correct? Hence saying the functionality isn't appropriate on that system. If the test PASSED, I would agree. > Saying you won't fix a security bug and are claiming the ability to set > file perms on their DB "works" because this test passes when the test > dir usually WON'T be where they have their db's installed, is really not > a good thing to be saying, if you see what I mean. As AWL is a not recommended feature, I believe, and further using a database backend resolves the issue, I am happy to change documentation to reflect that. > Is that really how you want to resolve this? > > I've already worked around the problem for my install, but the test is > bogus, which is why I thought not promising anything might be a better > short term solution. > > Longer term... I don't know if chmod might not override the ACL's > default umask won't), or, at worst -- using chacl to delete or modify > acls if they are detected -- but that is more investigation. > > Short term, it would be best not to give impression of security features > that are broken. What is your recommended fix because if a system administrator is using ACLs, I'm assuming they know the impact it has on umasks and permission bits? -- You are receiving this mail because: You are the assignee for the bug.
