[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

/var/cfengine temporarily set mode 755

From: David J. Bianco
Subject: /var/cfengine temporarily set mode 755
Date: 12 Aug 2002 14:25:27 -0400

I found a small bug in init.c.  Line 87, in the function 
CheckWorkDirectories(), contains the following code:

chmod(VLOCKDIR,(mode_t)0755); /* Locks must be immutable to others */

I found that whenever cfagent runs, my /var/cfengine directory is
set to mode 755.  My update.conf file restricts this even further
(to 700), so the permissions come back to normal after a few
seconds, but I think that the code above is a bug in that it makes
an assumption about what I want my directory's permissions to be.
It also potentially allows a third party to browse my directory,
at least for a few seconds.

I think the intent was to remove write permission from group and
other, so I think the following code will solve the problem
more easily:

/* find the current permissions for VLOCKDIR, subtract group and other
 * write bits, and set new mode to be the result.  Do this because
 * locks must be immutable to others.
 if (stat(VLOCKDIR,&statbuf) == 0) {
   chmod(VLOCKDIR, (mode_t) (statbuf.st_mode & 0755));
 } else {
This code actually looks up the current mode for /var/cfengine
and then just subtracts the write bits for group and other.  
I have tested this under RedHat Linux 7.3 (intel) but not on
other platforms, though I believe it's pretty portable.


David J. Bianco, GSEC           <address@hidden>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are soley those of the author and
            not those of SURA/Jefferson Lab or the US DOE.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]