Re: Gnome negative group permissions
On Mon, Jul 7, 2014 at 11:24 AM, Anton Shterenlikht me...@bris.ac.uk wrote:
> From a daily log:
>
> Checking negative group permissions:
> 55224447 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/legal.xml
> 55224448 -rw-r--r-x 1 root wheel 7330 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
> 55224604 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/legal.xml
> 55224605 -rw-r--r-x 1 root wheel 6746 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/time-admin.xml
>
> Are these permissions really intended? Or does the port installation have to be fixed?
>
> Anton

Yes, they are intended. Feel free to google for prior discussions. There is NOTHING wrong with negative permissions and they are desirable in many cases.

The test for negative permissions was originally added to periodic/security set to not run by default in /etc/defaults/periodic.conf. In 2011 the author, brooks@, changed the default to YES and everyone running any port that used negative group permissions started getting these errors. The change to a default of YES contained no reason for the change, but the commit message for the test does explain why negative group permissions are usually not correct:

    Add an (off by default) check for negative permissions (where the group
    on an object has less permissions than everyone). These permissions will
    not work reliably over NFS if you have more than 14 supplemental groups
    and are usually not what you mean.

It's just that there are cases where negative group permissions are intended and this is such a case. If you don't want to see them, add

    daily_status_security_neggrpperm_enable=NO

to /etc/periodic.conf.

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
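The check Kevin describes, as an added example written for this page rather than code from FreeBSD's periodic scripts: a file has "negative group permissions" when the group class lacks a permission bit that the other class has, which is what the three `! -perm +0g0 -and -perm +00o` pairs in 110.neggrpperm test with BSD find. This version parses the mode string printed by `ls -ld` instead, so it runs unchanged with GNU or BSD find and ls, and it adds an optional list of literal path prefixes to skip (an assumption of this example; the stock script has no ignore list). The sample tree it builds under mktemp is constructed for the demo; the 645 file reproduces the `-rw-r--r-x` mode from Anton's report.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeBSD's periodic scripts.
# Portable re-implementation of the negative-group-permission test.

# bit_set CHAR: succeeds when a mode-string position shows the bit as set.
# 's' (group) and 't' (other) mean exec plus setgid/sticky; 'S'/'T' mean
# the special bit without exec, so they count as clear.
bit_set() {
    case "$1" in
        r|w|x|s|t) return 0 ;;
        *)         return 1 ;;
    esac
}

# neggrpperm MODE: succeeds when MODE (ten chars, e.g. "-rw-r--r-x") has
# negative group permissions.  Group bits are columns 5-7, other bits 8-10.
neggrpperm() {
    i=0
    while [ "$i" -lt 3 ]; do
        g=$(printf '%s' "$1" | cut -c$((5 + i)))
        o=$(printf '%s' "$1" | cut -c$((8 + i)))
        if bit_set "$o" && ! bit_set "$g"; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# scan_neggrpperm DIR [PREFIX...]: prints "MODE PATH" for every regular file
# under DIR with negative group permissions (the periodic script also limits
# itself to -type f), skipping paths that start with one of the PREFIX
# strings.  Prefixes are compared literally, not as grep patterns.
scan_neggrpperm() {
    dir=$1
    shift
    find "$dir" -type f -print | while IFS= read -r f; do
        for p in "$@"; do
            case "$f" in
                "$p"*) continue 2 ;;
            esac
        done
        mode=$(ls -ld "$f" | cut -c1-10)
        if neggrpperm "$mode"; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

# demo: constructed tree, run when the script is executed stand-alone.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/gnome/help/nl"
    : > "$t/gnome/help/nl/legal.xml"
    chmod 645 "$t/gnome/help/nl/legal.xml"   # -rw-r--r-x: flagged, like the report
    : > "$t/readme"
    chmod 644 "$t/readme"                    # -rw-r--r--: not flagged
    : > "$t/staff-only"
    chmod 640 "$t/staff-only"                # -rw-r-----: group has more, fine
    : > "$t/deny-group"
    chmod 604 "$t/deny-group"                # -rw----r--: flagged (a deliberate group deny)
    echo 'Checking negative group permissions:'
    scan_neggrpperm "$t"
    echo 'Same scan, ignoring the gnome help tree:'
    scan_neggrpperm "$t" "$t/gnome/help/"
    rm -rf "$t"
}

demo
```

The point of keeping the ignore entries as literal prefixes is that a path fed to `grep -v` as an unquoted regex would split on spaces and treat `.` as a wildcard; a `case` pattern built from the quoted prefix matches only that path. The stock script additionally restricts the walk to ufs and zfs mounts that are not mounted nosuid or noexec, which this example leaves to the caller.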
Re: Gnome negative group permissions
Kevin Oberman rkober...@gmail.com writes:
> It's just that there are cases where negative group permissions are intended and this is such a case. If you don't want to see them, add daily_status_security_neggrpperm_enable=NO to /etc/periodic.conf.

I added a hack to work around this without disabling the check completely. Anything wrong with something of this sort?

--- /etc/periodic/security/110.neggrpperm 2014-07-08 14:12:31.0 -0400 +++ /usr/src/etc/periodic/security/110.neggrpperm 2014-06-03 19:49:13.0 -0400 @@ -37,26 +37,18 @@ security_daily_compat_var security_status_neggrpperm_enable - rc=0 if check_yesno_period security_status_neggrpperm_enable then echo echo 'Checking negative group permissions:' - - if [ -z ${security_neggrperm_ignore} ] ; then - echo security_neggrperm_ignore not set - security_neggrperm_ignore=/nonexistent - fi - MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` n=$(find -sx $MP /dev/null -type f \ \( \( ! -perm +010 -and -perm +001 \) -or \ \( ! -perm +020 -and -perm +002 \) -or \ \( ! -perm +040 -and -perm +004 \) \) \ - -exec ls -liTd \{\} \+ | grep -v ${security_neggrperm_ignore} | \ - tee /dev/stderr | wc -l) + -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] rc=1 || rc=0 fi
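Review bot: the patch is generated backwards, with `---` pointing at the edited /etc copy and `+++` at the pristine /usr/src one, so the hack appears as `-` lines and the stock pipeline as the `+` line; regenerate it as `diff -u /usr/src/etc/periodic/security/110.neggrpperm /etc/periodic/security/110.neggrpperm` so it reads as the intended change. Read in that direction, the filter `grep -v ${security_neggrperm_ignore}` uses the setting as an unquoted basic regular expression: a value with a space splits into several arguments, `.` in a path matches any character, and only one path can be given. Quote it and match fixed strings, e.g. `grep -v -F -e "${security_neggrperm_ignore}"`, or loop over a whitespace-separated list of prefixes. The fallback branch prints `security_neggrperm_ignore not set` to stdout, so every daily report will carry that line until the variable is set; the `/nonexistent` default already makes the filter a no-op, so drop the echo. The new variable also drops a `p` relative to `security_status_neggrpperm_enable` (neggrperm vs neggrpperm) and has no entry in /etc/defaults/periodic.conf or periodic.conf(5). Finally, the context line `[ $n -gt 0 ] rc=1 || rc=0` as shown here has lost the `&&` between the test and the assignment; check the file was not mangled in transit.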
Gnome negative group permissions
From a daily log:

Checking negative group permissions:
55224447 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/legal.xml
55224448 -rw-r--r-x 1 root wheel 7330 Jun 19 23:55:12 2014 /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
55224604 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/legal.xml
55224605 -rw-r--r-x 1 root wheel 6746 Jun 19 23:55:13 2014 /usr/local/share/gnome/help/time-admin/nl/time-admin.xml

Are these permissions really intended? Or does the port installation have to be fixed?

Anton