Re: Bug#4051: access permissions for /usr/bin/fdmount

Ian Jackson writes: Well, how hard is it to compile out ? It's not the most awful thing that could happen to a program to have this unnecessary check, but I do think it will add confusion. It's not that difficult. I'll take care of it when I release a new version. Michael -- Michael Meskes

Re: Bug#4051: access permissions for /usr/bin/fdmount

Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount): Ian Jackson writes: ... Err, I strongly suggest that you compile the group check out of the executable. This is only likely to lead to confusion. I think I understand what you mean. But is it really that bad

Re: Bug#4051: access permissions for /usr/bin/fdmount

Ian Jackson writes: It should be 4754 - there's no point in stopping people reading it. (I've been saying 4754 all along, and this is what is in the policy manual.) Oops, I thought that was a typo :-) Err, I strongly suggest that you compile the group check out of the executable. This is

Re: Bug#4051: access permissions for /usr/bin/fdmount

Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount): ... I have no problem with it being mode 4750 again. It should be 4754 - there's no point in stopping people reading it. (I've been saying 4754 all along, and this is what is in the policy manual.) ... No problem

Re: Bug#4051: access permissions for /usr/bin/fdmount

Ian Jackson writes: Obviously if you've done it right having the binary check itself whether rgid or getgroups includes `floppy' and having it only executable by group floppy have the same security effect. Yes, it checks getgroups. However, there are other differences: having the permissions

Re: Bug#4051: access permissions for /usr/bin/fdmount

Michael Meskes writes (Re: Bug#4051: access permissions for /usr/bin/fdmount): Ian Jackson writes: ... Compiling names of groups or even worse group ids into binaries is a bad idea. Why? Because it's not easy to change? It's hard to change and obscure. Policy is best implemented where

Re: Bug#4051: access permissions for /usr/bin/fdmount

Ian Jackson writes: Damn, it looks like my comment Before anyone changes anything, please read the appropriate part of the new policy manual. went unheeded. I see that the change that Daniel Quinlan requested Oops. has been made. It's a shame that I didn't get around to writing this

Bug#4051: access permissions for /usr/bin/fdmount

to the situation sooner. Daniel Quinlan writes (Re: Bug#4051: access permissions for /usr/bin/fdmount): ... Michael Meskes [EMAIL PROTECTED] writes: I agree that the installation is not correct, but I doubt mode 4755 is a solution. I for one don't like the idea that everyone is able to access my floppy

Bug#4051: access permissions for /usr/bin/fdmount

Daniel Quinlan writes: Use geteuid(2) and/or use a configuration file that says who has access. Using permissions alone to dictate who has access to *running* the binary is bad, IMHO, and I think the Debian package guidelines agree (unless they've been changed). Even worse, it's a `4750'

Re: Bug#4051: access permissions for /usr/bin/fdmount

Daniel Quinlan writes: Package: fdutils Version: 4.3-3 /usr/bin/fdmount should be mode 4755, not 4750. Michael Meskes [EMAIL PROTECTED] writes: I agree that the installation is not correct, but I doubt mode 4755 is a solution. I for one don't like the idea that everyone is able to

Bug#4051: access permissions for /usr/bin/fdmount

Package: fdutils Version: 4.3-3 /usr/bin/fdmount should be mode 4755, not 4750.