Bug#606844: rrdcached: default UNIX socket permision should be changed.
forwarded 606844 rrd-develop...@lists.oetiker.ch
thanks

Hi,

On Sun, Dec 12, 2010 at 11:14:58AM +0100, Witold Baryluk wrote:
> Strange, but when I start rrdcached with default Debian options, I have
>
> # ls -l /var/run/rrdcached.sock -l
> srwxr-xr-x 1 root root 0 12-12 10:51 /var/run/rrdcached.sock
> #
>
> but when I add -s adm at the beginning of options, I have
>
> # ls -l /var/run/rrdcached.sock -l
> srwxrw 1 root adm 0 12-12 10:52 /var/run/rrdcached.sock
> #
>
> Shouldn't the socket in default mode also use 760 or 770?
>
> Isn't default mode somehow unsecure *755 !?

Yeah, this should be more consistent. Anyway, a few things to note:

 - changing the behavior would be a backward incompatible change

 - some operating systems don't care about file permissions of a UNIX
   socket (however, Linux does take them into account)

 - I'm not sure what the best behavior would be; I don't consider 755
   insecure for most use-cases, so that could still be a good default

Anyway, once a solution has been agreed upon, a fix will be easy.
Currently, rrdcached calls chmod only if -s was specified on the command
line:

  chmod(path, (S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IWGRP))

That is, by default, you get permissions based on your umask and 770
else.

Forwarding this upstream for further input.

Cheers,
Sebastian

--
Sebastian tokkee Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin
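The behaviour discussed in the message above, as an added example that is not part of the thread or of rrdcached's source: on Linux, bind() creates the socket inode with mode 0777 & ~umask, and a later chmod() with the mask quoted in the mail (which evaluates to 0760) narrows it. The function name, the restrict_mode flag (standing in for "-s was given") and the temporary path are assumptions; the group chown that -s implies is left out because it needs privileges.

```c
#define _GNU_SOURCE                 /* for mkdtemp() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a UNIX socket in a fresh temp dir under the given umask.
 * If restrict_mode is non-zero, apply the chmod() quoted in the mail afterwards.
 * Returns the resulting permission bits, or -1 on error. */
int socket_mode(mode_t mask, int restrict_mode)
{
    char dir[] = "/tmp/sockdemo.XXXXXX";   /* constructed path, not rrdcached's */
    struct sockaddr_un addr;
    struct stat st;
    int fd, result = -1;
    mode_t old;

    if (mkdtemp(dir) == NULL)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/demo.sock", dir);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { rmdir(dir); return -1; }
    old = umask(mask);              /* bind() creates the inode as 0777 & ~umask */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        if (restrict_mode)          /* same mask as in the mail: rwx user, rw group */
            chmod(addr.sun_path, S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IWGRP);
        if (stat(addr.sun_path, &st) == 0)
            result = (int)(st.st_mode & 0777);
        unlink(addr.sun_path);
    }
    umask(old);
    close(fd);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("umask 022, no chmod:   %04o\n", socket_mode(022, 0));
    printf("umask 022, with chmod: %04o\n", socket_mode(022, 1));
    printf("umask 007, no chmod:   %04o\n", socket_mode(007, 0));
    return 0;
}
```

Setting a restrictive umask before bind(), as in the third call, gives the socket its final mode from the moment it exists, whereas chmod() after bind() leaves a short interval with the umask-derived mode.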
Bug#606844: rrdcached: default UNIX socket permision should be changed.
Package: rrdcached
Version: 1.4.3-1
Severity: normal

Hi.

Strange, but when I start rrdcached with default Debian options, I have

# ls -l /var/run/rrdcached.sock -l
srwxr-xr-x 1 root root 0 12-12 10:51 /var/run/rrdcached.sock
#

but when I add -s adm at the beginning of options, I have

# ls -l /var/run/rrdcached.sock -l
srwxrw 1 root adm 0 12-12 10:52 /var/run/rrdcached.sock
#

Shouldn't the socket in default mode also use 760 or 770?

Isn't default mode somehow unsecure *755 !?

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-rc4-sredniczarny-11361-g11e8896 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rrdcached depends on:
ii  libc6          2.11.2-7              Embedded GNU C Library: Shared lib
ii  libcairo2      1.8.10-6              The Cairo 2D vector graphics libra
ii  libdbi0        0.8.3+really0.8.2-1   Database Independent Abstraction L
ii  libglib2.0-0   2.24.2-1              The GLib library of C routines
ii  libpango1.0-0  1.28.3-1              Layout and rendering of internatio
ii  libpng12-0     1.2.44-1              PNG library - runtime
ii  librrd4        1.4.3-1               time-series data storage and displ
ii  libxml2        2.7.8.dfsg-1          GNOME XML library

rrdcached recommends no packages.

rrdcached suggests no packages.

-- Configuration Files:
/etc/default/rrdcached changed:
DISABLE=0
OPTS=-s adm $OPTS -w 1800
MAXWAIT=30
ENABLE_COREFILES=0

-- no debconf information