On 8/13/07, Isaac Dupree <[EMAIL PROTECTED]> wrote: > (as far as I know this is a problem with all our Sudo recipes and I > haven't found a way to fix it in the recipe) > > "sudoers" normally must be mode 0440 as well as user 0:group 0. In the > recipe, Resources/Defaults/Settings/sudoers appears with mode 0440, > which is wrong because it means it can't be normally edited _while_ in > the recipe, and which _also_ (with Scripts 1.8.5) doesn't affect the > mode of the installed Resources/Defaults/Settings/sudoers nor > /Programs/Sudo/Settings/sudoers. I don't know what mode I think the > installed Resources/Defaults/Settings/sudoers should be (non-sensitive > 644 or sensitive, 440 - depends if it can/should be customized locally).
The copy in Defaults should never be edited, so I think it should stay with the stricter permissions. > However UpdateSettings (I think that's the relevant script) needs a way > to know what permissions to give to the installed settings-file. Is > there a way already, that I haven't discovered? Something in the Recipe > file? Or do we need to add such a mechanism somehow? I don't know if UpdateSettings honors the permissions in the Default copies. I believe it should. Then it's a matter of keeping things with the right permissions under Defaults. > (Are there _any_ > other Settings files than sudoers, that need particular permissions? I > recall on non-Gobo linuxes, seeing various other non-world-readable > files and directories in /etc. Looking in Gobo, "shadow-" is mode 600, > but the rest of "shadow", "passwd-", ... are world-readable; not sure > what mode they're supposed to be.) I'm far from being an expert in these matters, all help on this is welcome. We should figure out what the correct permissions are and make sure the recipes create them that way. -- Hisham _______________________________________________ gobolinux-devel mailing list gobolinux-devel@lists.gobolinux.org http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
