[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [lmi] Is 'chmod 771' merely silly, yet not harmful?
|
From: |
Greg Chicares |
|
Subject: |
Re: [lmi] Is 'chmod 771' merely silly, yet not harmful? |
|
Date: |
Mon, 17 Feb 2020 23:12:34 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 |
On 2020-02-16 23:37, Vadim Zeitlin wrote:
> On Sun, 16 Feb 2020 21:50:37 +0000 Greg Chicares <address@hidden> wrote:
>
> GC> Invoking 'install_redhat.sh' causes these commands to be executed:
> GC>
> GC> mkdir -p /srv/chroot/"${CHRTNAME}"
> GC> chgrp lmi /srv/chroot/"${CHRTNAME}"
> GC> chmod 2770 /srv/chroot/"${CHRTNAME}"
> GC> umask 0007
>
> I'm curious, what's the reason for using such restrictive umask for the
> "other" users, especially knowing that they aren't supposed to be any?
If I spent an hour reading about coronavirus, and I had a face mask
handy, I might start wearing it. (If I had read just enough, that is,
to be ill informed; with more thorough knowledge, I'd realize that
the main benefit of a face mask is to make an already-infected wearer
less likely to infect others.)
In this case, I read some articles claiming that a default 022 umask
is too liberal, and 027 is more secure. Accordingly, I chose 007 here
instead of 002. But tell me if you'd prefer 002 and I'll make it so.
> GC> which gives /var/chroot.../usr/sbin/policy-rc.d 0771 permissions
> GC> and ownership of root:lmi.
> [...]
> GC> Vadim--Do you agree that this doesn't require any correction?
[...]
> What I don't understand is why can't you just do "chmod 755" on it? Is
> there something obvious I'm missing here? Because this looks like by far
> the simplest way to ensure that no problems happen.
I was trying to decide among the various complex approaches that had
occurred to me, and this simple idea didn't cross my mind. Adopted
in commit 2bfa77a4366.