Ian Jackson writes:
Well, how hard is it to compile out ? It's not the most awful thing
that could happen to a program to have this unnecessary check, but I
do think it will add confusion.
It's not that difficult. I'll take care of it when I release a new version.
Michael
--
Michael Meskes
Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount):
Ian Jackson writes:
...
Err, I strongly suggest that you compile the group check out of the
executable. This is only likely to lead to confusion.
I think I understand what you mean. But is it really that bad
Ian Jackson writes:
It should be 4754 - there's no point in stopping people reading it.
(I've been saying 4754 all along, and this is what is in the policy
manual.)
Oops, I thought that was a typo :-)
Err, I strongly suggest that you compile the group check out of the
executable. This is
Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount):
...
I have no problem with it being mode 4750 again.
It should be 4754 - there's no point in stopping people reading it.
(I've been saying 4754 all along, and this is what is in the policy
manual.)
...
No problem
Ian Jackson writes:
Obviously if you've done it right having the binary check itself
whether rgid or getgroups includes `floppy' and having it only
executable by group floppy have the same security effect.
Yes, it checks getgroups.
However, there are other differences: having the permissions
Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount):
Ian Jackson writes:
...
Compiling names of groups or even worse group ids into binaries is a
bad idea.
Why? Because it's not easy to change?
It's hard to change and obscure. Policy is best implemented where
Ian Jackson writes:
Damn, it looks like my comment
Before anyone changes anything, please read the appropriate part of
the new policy manual.
went unheeded. I see that the change that Daniel Quinlan requested
Oops.
has been made. It's a shame that I didn't get around to writing this
to the situation sooner.
Daniel Quinlan writes (Re: Bug#4051: access permissions for /usr/bin/fdmount):
...
Michael Meskes [EMAIL PROTECTED] writes:
I agree that the installation is not correct, but I doubt mode 4755
is a solution. I for one don't like the idea that everyone is able
to access my floppy
Daniel Quinlan writes:
Use geteuid(2) and/or use a configuration file that says who has
access. Using permissions alone to dictate who has access to
*running* the binary is bad, IMHO, and I think the Debian package
guidelines agree (unless they've been changed). Even worse, it's a
`4750'
Daniel Quinlan writes:
Package: fdutils
Version: 4.3-3
/usr/bin/fdmount should be mode 4755, not 4750.
Michael Meskes [EMAIL PROTECTED] writes:
I agree that the installation is not correct, but I doubt mode 4755
is a solution. I for one don't like the idea that everyone is able
to
Package: fdutils
Version: 4.3-3
/usr/bin/fdmount should be mode 4755, not 4750.
11 matches
Mail list logo