Am 15.04.11 16:14, schrieb Matt Brookings:
-----BEGIN PGP SIGNED MESSAGE-----
On 04/15/2011 09:07 AM, Johannes Weberhofer wrote:
I'm currently doing some packaging work for vpopmail, and have reviewed
the file properties. I have seen, that all files (except vusaged in 5.5)
have the properties set to "-rwx--x--x 1 vpopmail vchkpw". Shouldn't
that be more restrictive? E.g. set to 0750 or even owned by root? In an
older package of mine (it was 5.4.25) I have set it to 0750 root.root,
which did never cause any problems.
You may set the permissions how you like, but there's really nothing
secret contained within the vusaged binary in 5.5. The permissions
you're referring to, which have been kept from 5.4 just because there's
no reason to change them, were there because the binaries statically
linked authentication mechanisms that sometimes had hard-coded
authentication values in them.
5.5 binaries do not statically link against the authentication backend.
In this case, you would be concerned about permissions on the shared
objects used for authentication.
Tools like vadddomain fails when called by a regular user (Error: Can not make
domains directory). I haven't checked for the other tools, but I think no user
except root can use those. So it could be good to change permissions to 0750
root.root. It's a kind of security improvement, too.
You don't see any issues on moving the binaries to /usr/sbin, so you?
Regarding the FHS, I think those binaries should be moved to /usr/sbin.
What do you think?
Regarding the documentation I'd recommend to change the examples to
install vpopmail into /var/lib/vpopmail, following the FHS 2.3 section 5.1.
What examples are you referring to?
I had a look on doc/INSTALL.
Matt Brookings<m...@inter7.com> GnuPG Key FAE0672C
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Weberhofer GmbH, Austria, Vienna