Hi,

It seems we have different permissions for /etc/{g}shadow than Fedora. We don't package it as 0000,root,root but rather 0440,root,shadow.

We can then run some tools that need direct access as setgid rather than full blown setuid. I'm not totally convinced of the security benefits here (and I think actually 0440 is buggy for a setgid tool like chage - I'd have thought it would need to be 0660 to actually change the age, but I digress).

Is it correct that sysusers should unconditionally impose its file permissions? Wouldn't it be better to only do the fchmod() if the file has been created by us and just leave it alone if not? That way, if we do something different downstream we can just ship a tmpfiles snippet to ensure it's owned and moded correctly as to our tastes?*

Would a patch that implemented such behaviour be welcome? Is there anything I'd need to watch out for (thinking things like checking for the file existing being racy or the like)?

Cheers

Col

* There could even be some magical RPM-esque hack that automatically parses packages for files in /etc and /var and finds any that are owned or moded differently to the overall default and automatically creates tmpfiles snippets that are included in the rpm.... that would be nice.

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel