On Mon, Aug 15, 2011 at 04:11:49PM +0100, Roger Leigh wrote: > Hi folks, > > Fedora has moved to having /var/lock (now /run/lock) owned by > root:lock 0775 rather than root:root 01777. This has the advantage > of making a system directory writable only by root or setgid lock > programs, rather than the whole world. However, due to the > potential for privilege escalation¹² it may be desirable to adopt > what has been done subsequently in Fedora: > /var/lock root:root 0755 > /var/lock/lockdev root:lock 0775 > /var/lock/subsys root:root 0755 Hi, If /var/lock won't be 1777 anymore, where should then applications store application-specific lock files (e.g. synchronisation between daemons) if they can't/won't run as setgid lock? Is the intention that the init script creates a /var/lock/$NAME directory, chgrp's it to the right GIDs and only then start the daemons? thanks, iustin
Attachment:
signature.asc
Description: Digital signature