On 12/07/2009 04:27 PM, Stevan Bajić wrote:
> On Mon, 07 Dec 2009 11:47:46 -0700
> "Nathanael D. Noblet"<[email protected]>  wrote:
>
>> Hello,
>>
>>     Working on the dspam rpm for fedora,
>>
> Still? They still have not accepted the submission?
>
>
>> and I'm wondering if these
>> directory permissions are really required...
>>
>> dspam.x86_64: E: non-standard-dir-perm /var/lib/dspam 0770
>>
> What is non-standard about 770?
>
>
>> dspam.x86_64: E: non-standard-dir-perm /var/run/dspam 02511
>>
>> Couldn't they both be the standard 0755?
>>
> I don't think so. But it all depends what you want to do.
>
> In /var/lib/dspam is probably your DSPAM_HOME. Not protecting that against 
> world is pretty insane. Or do you want to tell me that in Fedora 
> /var/lib/mysql, /var/lib/postfix, /var/lib/dovecot, etc all have 755? Really?

Yup... There are exceptions, however they need to be justified, it has 
been sooo long since I played with the dspam internals. I don't remember 
all it needed to be able to do.

[g...@iridium ~]$ ls -l /var/lib/
total 220
drwxr-xr-x.  2 root       root       4096 2009-12-07 14:56 alternatives
drwxr-x---.  2 asterisk   asterisk   4096 2009-11-19 09:06 asterisk
drwx------.  3 root       root       4096 2009-11-11 13:21 authconfig
drwxr-xr-x.  4 torrent    torrent    4096 2009-07-24 17:10 bittorrent
drwxr-xr-x.  2 root       root       4096 2009-11-16 03:14 bluetooth
drw-------+  5 root       root       4096 2009-07-24 20:10 certmaster
drwxr-xr-x.  2 clamupdate clamupdate 4096 2009-12-07 19:06 clamav
drwxr-xr-x.  2 root       root       4096 2009-07-24 23:06 cs
drwx------.  2 apache     apache     4096 2009-10-27 13:16 dav
drwxr-xr-x.  2 root       root       4096 2009-10-07 17:04 dbus
drwxr-xr-x.  2 root       root       4096 2009-10-30 04:10 dhclient
drwxr-xr-x.  3 root       root       4096 2009-07-25 01:53 dirmngr
drwxr-xr-x.  2 root       root       4096 2009-10-05 04:31 dnsmasq
drwxr-xr-x.  2 root       root       4096 2009-07-25 12:44 fprint
drwxr-xr-x+  2 root       root       4096 2009-07-25 13:52 func
drwxr-xr-x.  3 root       root       4096 2009-11-03 16:23 games
drwxrwx--T. 10 gdm        gdm        4096 2009-12-02 13:34 gdm
drwxr-xr-x.  2 root       root       4096 2009-08-21 08:09 htdig
drwxr-x---. 16 cyrus      mail       4096 2009-12-04 05:38 imap
drwxr-xr-x.  2 root       root       4096 2009-11-06 10:08 misc
drwxr-x---.  2 root       slocate    4096 2009-12-07 03:07 mlocate
drwxrwsr-x.  4 root       mock       4096 2009-12-01 09:37 mock
drwxr-xr-x. 34 mysql      mysql      4096 2009-12-02 13:34 mysql
drwxr-xr-x.  2 root       root       4096 2009-09-29 04:23 net-snmp
drwxr-xr-x.  5 root       root       4096 2009-11-19 09:29 nfs
drwxr-xr-x.  2 ntp        ntp        4096 2009-12-07 20:34 ntp
drwxr-xr-x.  2 root       root       4096 2009-12-07 14:57 PackageKit
drwxr-xr-x.  3 root       root       4096 2009-11-20 10:55 php
drwxr-xr-x.  2 root       root       4096 2009-11-10 13:23 plymouth
drwxrwx---.  2 root       polkituser 4096 2009-10-24 19:45 PolicyKit
drwx------.  3 root       root       4096 2009-10-20 07:44 polkit-1
drwx------.  2 postfix    root       4096 2009-09-16 07:37 postfix
drwx------.  2 pulse      pulse      4096 2009-11-22 21:50 pulse
-rw-------.  1 root       root        512 2009-12-02 13:34 random-seed
drwxr-xr-x.  2 root       root       4096 2009-10-13 04:24 readahead
drwx------.  2 rpc        rpc        4096 2009-07-28 12:18 rpcbind
drwxr-xr-x.  2 root       root       4096 2009-12-03 12:47 rpm
drwxr-xr-x.  7 root       root       4096 2009-11-11 18:44 samba
drwxr-xr-x.  2 root       root       4096 2009-11-11 14:59 selinux
drwxr-xr-x.  2 root       root       4096 2009-11-21 16:41 sepolgen
drwxr-xr-x.  4 root       root       4096 2009-10-27 14:25 stateless
drwxr-xr-x.  7 root       root       4096 2009-11-09 15:30 texmf
drwxr-xr-x.  3 root       root       4096 2009-11-11 06:15 udev
drwxr-xr-x.  2 webalizer  root       4096 2009-12-07 03:06 webalizer
drwxr-xr-x.  2 root       root       4096 2009-08-03 12:48 xdm
drwxr-xr-x.  2 root       root       4096 2009-12-02 13:34 xkb
drwxr-xr-x.  4 root       root       4096 2009-12-07 14:57 yum

>
> What do you have under /var/run/dspam? Just the daemon socket? Or anything 
> else? That suid is normally not needed. But I need to know what you have 
> installed in /var/run/dspam to be able to say a final word.

Could you tell me when it would be needed, and I can see if that should 
be the 'common' fedora case. If it isn't common then I'll not set it 
suid, and if someone needs to change their config for that case they can 
do so. Making something setuid manually at least informs the user of the 
fact that it will be running 'differently' as opposed to by default 
running with higher privileges.
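
An added example, not part of the original message and not rpmlint's own code: it decodes the directory modes discussed in the thread (0770, 02511, 0755) into what they grant, and converts `ls -l` permission strings back to octal so entries that differ from 0755 can be listed. The function names `describe_dir_mode`, `symbolic_to_mode` and `non_standard_dirs` are hypothetical; the four sample entries are copied from the /var/lib listing above.

```python
import stat

STANDARD_DIR_MODE = 0o755  # the "standard" mode the thread asks about
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def describe_dir_mode(mode):
    """Explain what a directory's permission bits grant, especially to 'other'."""
    other = mode & 0o007
    return {
        "symbolic": stat.filemode(stat.S_IFDIR | mode),
        "special": [name for bit, name in ((stat.S_ISUID, "setuid"),
                                           (stat.S_ISGID, "setgid"),
                                           (stat.S_ISVTX, "sticky")) if mode & bit],
        "world_can_list": bool(other & 0o4),      # r: read entry names
        "world_can_write": bool(other & 0o2),     # w: create/delete entries
        "world_can_traverse": bool(other & 0o1),  # x: reach entries by name
        "non_standard": mode != STANDARD_DIR_MODE,
    }

def symbolic_to_mode(perm):
    """Convert an `ls -l` string such as 'drwxrwx--T.' to its octal mode bits."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        bit = 1 << (8 - i)
        if i in SPECIAL:  # execute slot may also carry s/S/t/T
            if ch in "xst":
                mode |= bit
            if ch in "sStT":
                mode |= SPECIAL[i]
        elif ch != "-":
            mode |= bit
    return mode

# Four entries copied from the /var/lib listing in the message above.
LISTING = {
    "gdm": "drwxrwx--T.",
    "mock": "drwxrwsr-x.",
    "mysql": "drwxr-xr-x.",
    "postfix": "drwx------.",
}

def non_standard_dirs(listing):
    """Return {name: octal string} for entries whose mode is not 0755."""
    return {name: format(symbolic_to_mode(p), "04o")
            for name, p in listing.items()
            if symbolic_to_mode(p) != STANDARD_DIR_MODE}

if __name__ == "__main__":
    for m in (0o770, 0o2511, 0o755):  # modes discussed in the thread
        print(format(m, "04o"), describe_dir_mode(m))
    print(non_standard_dirs(LISTING))
```

For 02511 the decoded form is `dr-x--s--x`: the leading 2 is the setgid bit, and "other" can traverse the directory by name but cannot list it.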
