/var/cfengine temporarily set mode 755
From: David J. Bianco
Subject: /var/cfengine temporarily set mode 755
Date: 12 Aug 2002 14:25:27 -0400

I found a small bug in init.c. Line 87, in the function
CheckWorkDirectories(), contains the following code:

    chmod(VLOCKDIR,(mode_t)0755); /* Locks must be immutable to others */

I found that whenever cfagent runs, my /var/cfengine directory is
set to mode 755. My update.conf file restricts this even further
(to 700), so the permissions come back to normal after a few
seconds, but I think that the code above is a bug in that it makes
an assumption about what I want my directory's permissions to be.
It also potentially allows a third party to browse my directory,
at least for a few seconds.
I think the intent was to remove write permission from group and
other, so I think the following code will solve the problem
more easily:

    /* find the current permissions for VLOCKDIR, subtract group and other
     * write bits, and set new mode to be the result. Do this because
     * locks must be immutable to others.
     */
    if (stat(VLOCKDIR,&statbuf) == 0) {
        chmod(VLOCKDIR, (mode_t) (statbuf.st_mode & 0755));
    } else {
        chmod(VLOCKDIR,(mode_t)0755);
    }

This code actually looks up the current mode for /var/cfengine
and then just subtracts the write bits for group and other.
I have tested this under RedHat Linux 7.3 (intel) but not on
other platforms, though I believe it's pretty portable.
David
--
David J. Bianco, GSEC <address@hidden>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.