Re: Standard file permissions for /usr/local

2012-07-08 Thread grarpamp
> Given there is no context as to what these are and belong to the numbers
> below with the symbolic meaning are useless besides saying the system is

Oops, thought I had that noted. They are sort | uniq -c of the
permission column of find -ls.

> Blindly going through installed software with a massively large comb
> chmod -R anything=anything is a bad idea

Bad idea? Not really, I amended my tree as shown. As you can see,
I have about 80k files, 2k dirs and 2k links. All provided by 'packages'.
And out of those, I only need one divergent perm, that being Xorg,
not thousands.
I've no sensitive files there.
I don't need man to go around making catpages.
Nor sticky dirs for games.
Nor Schily's stuff in the bin group.
Or polkit privileges.
Or whatever else.
As any admin, I know the environment and files, so I'm good with
the comb and pomade.
And it makes linting installs, security checks and other
things simpler if say you find / -perm +0044 and don't
have to wade through say, symlinks set to go+w.
Or have some other install fail because files aren't
writeable.
I amended it to reduce my working sets, and make work with other tools easier.
And to make finding what changes out from under you easier, etc.
No big deal, and not a debate about anyone's equally valid local usage.

Maybe I should rephrase... is there something, or a movement within ports,
to push mass gobs of files towards mode 0444 or 0644? A umask being
set in the build system? An install flag? Or is this just the raw result of
doing everything [1] unmodified umask 0022, tarring up the tbz's, and
putting them on FTP?

[1] Say, patch, ./configure, make, make install, hash +CONTENTS, tarball

My experience with ./configure, make, make install of original
upstream software releases, is that I think the majority of things
end up as I've amended, without the amending.

So I just wondered if there's a push in ports somewhere.

> Do you have anything relevant as to a particular port or package ?

This was a stats analysis, so particulars do not apply.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
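
The census method described in the message above (the permission column of `find -ls` through `sort | uniq -c`), together with the kind of lint check it mentions, as an added example that is not part of any message in this thread. The function names and the sample tree are constructed for illustration; the tree stands in for /usr/local.

```shell
#!/bin/sh
# Added example (not from the thread): permission census of a tree.
LC_ALL=C; export LC_ALL

# Histogram of symbolic modes: column 3 of `find -ls`, then sort | uniq -c.
mode_histogram() {
    find "$1" -ls | awk '{ print substr($3, 1, 10) }' | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# Regular files with setuid or setgid set (the expected "divergent" perms).
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Group- or world-writable entries; symlinks are skipped because their own
# mode bits (often lrwxrwxrwx) would otherwise flood the result.
list_go_writable() {
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Constructed sample tree standing in for /usr/local.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/etc"
    : > "$t/bin/tool";   chmod 0555 "$t/bin/tool"
    : > "$t/bin/suid";   chmod 4555 "$t/bin/suid"
    : > "$t/etc/a.conf"; chmod 0444 "$t/etc/a.conf"
    : > "$t/etc/b.conf"; chmod 0664 "$t/etc/b.conf"
    ln -s tool "$t/bin/link"
    chmod 0755 "$t" "$t/bin" "$t/etc"
    echo "$t"
}

tree=$(make_sample_tree)
mode_histogram "$tree"
list_setid "$tree"
list_go_writable "$tree"
rm -rf "$tree"
```

Saving the histogram and the two lists after each package install and diffing them against the previous run shows which modes changed.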


Standard file permissions for /usr/local

2012-07-07 Thread grarpamp
Given a /usr/local populated only by ports (more specifically,
packages), we have the following stats...

/usr/local

54378 -r--r--r--
    1 -r-sr-xr-x
 1505 -r-xr-xr-x
21790 -rw-r--r--
    9 -rw-rw-r--
    1 -rws--x--x
    1 -rwsr-x---
    1 -rwsr-xr--
    4 -rwsr-xr-x
    4 -rwxr-sr-x
 3515 -rwxr-xr-x
    1 drwx------
 6064 drwxr-xr-x
    1 drwxrwsr-x
 1638 lrwxr-xr-x
    1 lrwxrwxrwx

For /usr, we have...

24907 -r--r--r--
    4 -r-sr-sr-x
    3 -r-sr-x---
   24 -r-sr-xr-x
    8 -r-xr-sr-x
  786 -r-xr-xr-x
    2 -rw-------
    8 -rw-r--r--
    1 -rwxr-xr-x
 1284 drwxr-xr-x
    1 drwxrwxrwt
  947 lrwxr-xr-x
   34 lrwxrwxrwx

Am I to, or should I, believe that there is some standard or preference
such that files should not have mode u+w?

Let's take a look at etc's 'configurables area' too...

/usr/local/etc

  198 -r--r--r--
   19 -r-xr-xr-x
   40 -rw-r--r--
    1 drwx------
   77 drwxr-xr-x
   16 lrwxr-xr-x

/etc

   25 -r--r--r--
    1 -r-x------
  153 -r-xr-xr-x
   20 -rw-------
    1 -rw-r-----
  121 -rw-r--r--
    1 -rw-rw-r--
    6 -rwx------
   57 -rwxr-xr-x
    2 drwx------
   25 drwxr-xr-x
    3 lrwxr-xr-x
    4 lrwxrwxrwx

Now see that I have amended my /usr/local perms after install such that
root can more easily manage that tree. (I could have just as easily conformed
it to u-w).

76179 -rw-r--r--
    1 -rwsr-xr-x
 5029 -rwxr-xr-x
 6066 drwxr-xr-x
 1639 lrwxr-xr-x

I don't see the point in making things mode u-w?
'Security' cannot be the case, as even setting dirs u-w, schg, capabilities,
read-only mount, etc will make no difference... for root, it's only annoying for
a moment.

What standard / guide am I missing that says u-w is the way (for at least
the large majority of the files in the first two counts above)?


Re: Standard file permissions for /usr/local

2012-07-07 Thread Chris Rees
On Jul 7, 2012 11:02 PM, grarpamp grarp...@gmail.com wrote:
>
> Given a /usr/local populated only by ports (more specifically,
> packages), we have the following stats...
>
> /usr/local
>
> 54378 -r--r--r--
>     1 -r-sr-xr-x
>  1505 -r-xr-xr-x
> 21790 -rw-r--r--
>     9 -rw-rw-r--
>     1 -rws--x--x
>     1 -rwsr-x---
>     1 -rwsr-xr--
>     4 -rwsr-xr-x
>     4 -rwxr-sr-x
>  3515 -rwxr-xr-x
>     1 drwx------
>  6064 drwxr-xr-x
>     1 drwxrwsr-x
>  1638 lrwxr-xr-x
>     1 lrwxrwxrwx
>
> For /usr, we have...
>
> 24907 -r--r--r--
>     4 -r-sr-sr-x
>     3 -r-sr-x---
>    24 -r-sr-xr-x
>     8 -r-xr-sr-x
>   786 -r-xr-xr-x
>     2 -rw-------
>     8 -rw-r--r--
>     1 -rwxr-xr-x
>  1284 drwxr-xr-x
>     1 drwxrwxrwt
>   947 lrwxr-xr-x
>    34 lrwxrwxrwx
>
> Am I to, or should I, believe that there is some standard or preference
> such that files should not have mode u+w?
>
> Let's take a look at etc's 'configurables area' too...
>
> /usr/local/etc
>
>   198 -r--r--r--
>    19 -r-xr-xr-x
>    40 -rw-r--r--
>     1 drwx------
>    77 drwxr-xr-x
>    16 lrwxr-xr-x
>
> /etc
>
>    25 -r--r--r--
>     1 -r-x------
>   153 -r-xr-xr-x
>    20 -rw-------
>     1 -rw-r-----
>   121 -rw-r--r--
>     1 -rw-rw-r--
>     6 -rwx------
>    57 -rwxr-xr-x
>     2 drwx------
>    25 drwxr-xr-x
>     3 lrwxr-xr-x
>     4 lrwxrwxrwx
>
> Now see that I have amended my /usr/local perms after install such that
> root can more easily manage that tree. (I could have just as easily conformed
> it to u-w).
>
> 76179 -rw-r--r--
>     1 -rwsr-xr-x
>  5029 -rwxr-xr-x
>  6066 drwxr-xr-x
>  1639 lrwxr-xr-x
>
> I don't see the point in making things mode u-w?
> 'Security' cannot be the case, as even setting dirs u-w, schg, capabilities,
> read-only mount, etc will make no difference... for root, it's only annoying for
> a moment.
>
> What standard / guide am I missing that says u-w is the way (for at least
> the large majority of the files in the first two counts above)?

It's pointless having most files u+w, since they won't be edited, but
soonish I'm told that http://bugs.freebsd.org/157168 should be committed,
which will make conf files u+w.

Chris


Re: Standard file permissions for /usr/local

2012-07-07 Thread grarpamp
> It's pointless having most files u+w, since they won't be edited

I suggest that for various management purposes, it is not pointless,
and if not u+w, it's otherwise annoying.

drwxr-xr-x  10 root  wheel  512 Jul  7 18:43 .
-r--r--r--  1 root  wheel  0 Jul  7 18:43 1
-r--r--r--  1 root  wheel  0 Jul  7 18:43 2
/bin/cp 1 2
cp: 2: Permission denied

I 'fixed' my tree, so not that I care, just curious as to what standard
or nonsecurity rationale I may be missing.


Re: Standard file permissions for /usr/local

2012-07-07 Thread Jason Hellenthal

In this whole thread I don't see any relation as to what perms are on what
directory ... which inherently makes the whole point mud.

What is actually trying to be accomplished here?

Given there is no context as to what these are and belong to the numbers
below with the symbolic meaning are useless besides saying the system is
being populated and things are different.

Also having a standard for file permissions is nearly irrelevant with
the exceptions to specific areas of the filesystem like documents can
easily be said needing to be 'a=rX' /usr/local/share/doc ... examples
etc.

Blindly going through installed software with a massively large comb
chmod -R anything=anything is a bad idea. packages and ports need to
be singly identified and looked at more closely as to whether they are
doing the right thing.

Do you have anything relevant as to a particular port or package ?


-- 

 - (2^(N-1))

