Re: Gnome negative group permissions

2014-07-08 Thread Kevin Oberman
On Mon, Jul 7, 2014 at 11:24 AM, Anton Shterenlikht me...@bris.ac.uk wrote:

> From a daily log:
>
> Checking negative group permissions:
> 55224447 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/legal.xml
> 55224448 -rw-r--r-x  1 root  wheel  7330 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
> 55224604 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/legal.xml
> 55224605 -rw-r--r-x  1 root  wheel  6746 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/time-admin.xml
>
> Are these permissions really intended?
> Or does the port installation have to be fixed?
>
> Anton


Yes, they are intended. Feel free to google for prior discussions.

There is NOTHING wrong with negative permissions and they are desirable
in many cases. The test for negative permissions was originally added to
periodic/security set to not run by default in
/etc/defaults/periodic.conf. In 2011 the author, brooks@, changed the
default to YES and everyone running any port that used negative group
permissions started getting these errors.

The change to a default of YES contained no reason for the change, but the
commit message for the test does explain why negative group permissions are
usually not correct.

Add an (off by default) check for negative permissions (where the
group on an object has less permissions than everyone).  These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.

It's just that there are cases where negative group permissions are
intended and this is such a case. If you don't want to see them, add
daily_status_security_neggrpperm_enable=NO to /etc/periodic.conf.
-- 
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: Gnome negative group permissions

2014-07-08 Thread Lowell Gilbert
Kevin Oberman rkober...@gmail.com writes:

> It's just that there are cases where negative group permissions are
> intended and this is such a case. If you don't want to see them, add
> daily_status_security_neggrpperm_enable=NO to /etc/periodic.conf.

I added a hack to work around this without disabling the check
completely. Anything wrong with something of this sort?


--- /etc/periodic/security/110.neggrpperm   2014-07-08 14:12:31.0 
-0400
+++ /usr/src/etc/periodic/security/110.neggrpperm   2014-06-03 
19:49:13.0 -0400
@@ -37,26 +37,18 @@
 
 security_daily_compat_var security_status_neggrpperm_enable
 
-
 rc=0
 
 if check_yesno_period security_status_neggrpperm_enable
 then
echo 
echo 'Checking negative group permissions:'
-
-   if [ -z ${security_neggrperm_ignore} ] ; then
-   echo security_neggrperm_ignore not set
-   security_neggrperm_ignore=/nonexistent
-   fi
-
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
n=$(find -sx $MP /dev/null -type f \
\( \( ! -perm +010 -and -perm +001 \) -or \
\( ! -perm +020 -and -perm +002 \) -or \
\( ! -perm +040 -and -perm +004 \) \) \
-   -exec ls -liTd \{\} \+ | grep -v ${security_neggrperm_ignore} | \
-   tee /dev/stderr | wc -l)
+   -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
[ $n -gt 0 ]  rc=1 || rc=0
 fi
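Review bot: the old/new sides of this diff are reversed (`---` is the edited /etc/periodic/security/110.neggrpperm dated 2014-07-08, `+++` is the pristine /usr/src copy), so the hack is actually the `-` lines; regenerate it with the source file first so reviewers read the additions as `+`. On the substance, `grep -v ${security_neggrperm_ignore}` is unquoted and is read as a basic regular expression: a space-separated list is word-split into extra arguments that grep takes as file names, `.` in a path matches any character, and the pattern matches anywhere in the `ls -liTd` line, so an unrelated file whose path merely contains the ignored string is dropped from the report and never raises rc. Suggest `grep -v -F -e "${security_neggrperm_ignore}"` (or `grep -v -F -f` with one literal prefix per line) and keep the prefix as specific as the paths in the original report, e.g. /usr/local/share/gnome/help. Two smaller points: the `echo security_neggrperm_ignore not set` puts a line in every daily report on hosts that do not use the knob, so set the default silently (ideally in /etc/defaults/periodic.conf next to security_status_neggrpperm_enable), and the variable name does not follow the security_status_neggrpperm_ prefix used by the rest of the script.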

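The check Kevin describes and the ignore filter in Lowell's patch, as an added example (not code from the thread or from the FreeBSD periodic script): it re-creates the find predicate on a constructed directory tree and applies an ignore list by literal path prefix instead of an unquoted, regex-interpreted grep. It assumes a POSIX sh with find, mktemp and chmod; the function names and sample paths are mine, and it uses `-perm -mode` single-bit tests rather than FreeBSD's `-perm +mode` so it runs under BSD and GNU find alike.

```shell
#!/bin/sh
# Added example, not from the thread: a portable re-implementation of the
# 110.neggrpperm test with a safer ignore list. Uses "-perm -mode" single-bit
# tests (BSD and GNU find) instead of FreeBSD's "-perm +mode".

# Build a constructed scratch tree (hypothetical paths) and print its root.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/gnome/help/nl" "$d/etc"
    : > "$d/gnome/help/nl/legal.xml"; chmod 0645 "$d/gnome/help/nl/legal.xml" # -rw-r--r-x: group lacks x, other has it
    : > "$d/gnome/help/nl/admin.xml"; chmod 0645 "$d/gnome/help/nl/admin.xml"
    : > "$d/etc/secret.conf";         chmod 0604 "$d/etc/secret.conf"         # -rw----r--: group lacks r, other has it
    : > "$d/etc/normal.conf";         chmod 0644 "$d/etc/normal.conf"         # nothing negative
    printf '%s\n' "$d"
}

# Same predicate as the periodic script: a bit set for "other" but not for
# "group" (execute, write, read respectively). Prints one path per line.
find_neg_group_perms() {
    find "$1" -type f \
        \( \( ! -perm -010 -a -perm -001 \) -o \
           \( ! -perm -020 -a -perm -002 \) -o \
           \( ! -perm -040 -a -perm -004 \) \) -print | sort
}

# Count findings after dropping paths under the whitespace-separated prefixes
# in $2. Each prefix is compared as a literal path-component prefix, so
# "/usr/local/share/gnome" cannot hide "/home/a/gnome-notes/x" the way an
# unquoted, regex-interpreted "grep -v" would.
count_neg_group_perms() {
    find_neg_group_perms "$1" | while IFS= read -r f; do
        skip=0
        for p in $2; do
            case $f in "$p"/*|"$p") skip=1 ;; esac
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$f"; fi
    done | wc -l | tr -d ' '
}

# Stand-alone demonstration (the scratch tree is removed afterwards).
tree=$(make_sample_tree)
echo "all findings: $(count_neg_group_perms "$tree" '')"
echo "ignoring $tree/gnome/help: $(count_neg_group_perms "$tree" "$tree/gnome/help")"
rm -rf "$tree"
```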


Gnome negative group permissions

2014-07-07 Thread Anton Shterenlikht
From a daily log:

Checking negative group permissions:
55224447 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/legal.xml
55224448 -rw-r--r-x  1 root  wheel  7330 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
55224604 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/legal.xml
55224605 -rw-r--r-x  1 root  wheel  6746 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/time-admin.xml

Are these permissions really intended?
Or does the port installation have to be fixed?

Anton
