Tom Mueller wrote:
Shawn Walker wrote:
Tom Mueller (plain-text) wrote:
pkg(1) now prints a message and returns 1. However, for a user image where the user is unable to change the ownership of a file anyway, not having the required user/group is ignored.

I don't agree with the assumption that a user image automatically implies that a user doesn't have the permissions to change ownership of a file.

With the change, the Image class has a "can_change_file_ownership" method that tests to see if the user running the command actually has the ability to change file ownership within the image. This test is only done for non-ENTIRE images. Only if it is a non-ENTIRE image AND the user cannot change file ownership of a temporary file are invalid owner/group tags ignored.

AFAIK, I'm not making the assumption that you don't agree with.

While you aren't making that assumption, the test you are making isn't completely reliable in all cases on all platforms.

The issue is that you can't actually assume that because you managed to do a chown of a temp file you created you can do that to any future file in that image directory tree.

I also really don't like the idea of chowning a file to st_uid + 1 - it feels icky, and worse the failure will raise audit records that look really suspect if auditing is turned on.

On a system running FLASK/FMAC (aka SE Linux), chown could be constrained so that I could do the chown to the users that I need to, yet the "st_uid + 1" trick would have failed. While that is SE Linux only just now, FMAC is being ported to OpenSolaris too - http://opensolaris.org/os/project/fmac/

For example, rules like "bob can chown to alice and carl, but can't chgrp out of his supplementary groups" are possible in an FMAC config. Your test would likely not catch that. Not currently possible to easily configure this on OpenSolaris today but with FMAC it is trivial (well modulo FMAC's own rule complexity issues).

An improvement would be to check if you can chown and chgrp files to those the plan actually needs - while that still isn't perfect it would require a pretty tight FMAC configuration to trip that up.


--
Darren J Moffat
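
A sketch of the check suggested in the last paragraph of the message above, probing only the owner/group pairs a plan needs. It is an added example, not pkg(5) code and not part of the original message. The function names, the injectable `chown` parameter, the simulated policy and the uids are all assumptions made for illustration.

```python
import errno
import os
import tempfile

def blocked_owners(image_root, needed, chown=os.chown):
    """Return the (uid, gid) pairs in `needed` that cannot be applied to a
    scratch file under image_root; an empty list means every pair worked."""
    blocked = []
    for uid, gid in sorted(needed):
        # Fresh file per pair, so each probe starts from a file we own.
        fd, path = tempfile.mkstemp(dir=image_root, prefix=".ownercheck-")
        os.close(fd)
        try:
            chown(path, uid, gid)
        except PermissionError:          # EPERM or EACCES
            blocked.append((uid, gid))
        finally:
            os.unlink(path)
    return blocked

def simulated_policy_chown(allowed_uids, allowed_gids):
    """Constructed stand-in for a mandatory access control rule set: chown is
    permitted only to the listed ids. It never touches the file."""
    def chown(path, uid, gid):
        if uid not in allowed_uids or gid not in allowed_gids:
            raise PermissionError(errno.EPERM, "denied by policy", path)
    return chown

def demo():
    """Compare the plan-based check with a uid+1 style probe under the
    constructed policy 'may chown to alice and carl only'."""
    me, grp = os.getuid(), os.getgid()
    alice, carl = me + 1000, me + 2000   # constructed uids, not real accounts
    policy = simulated_policy_chown({alice, carl}, {grp})
    with tempfile.TemporaryDirectory() as root:
        plan = blocked_owners(root, {(alice, grp), (carl, grp)}, policy)
        probe = blocked_owners(root, {(me + 1, grp)}, policy)
    return plan, probe

if __name__ == "__main__":
    plan, probe = demo()
    print("blocked pairs the plan needs:", plan)
    print("blocked by the uid+1 probe:  ", probe)
```

Under the constructed policy the pairs the plan needs all succeed while the uid+1 probe is denied, which is the mismatch the message describes.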