Re: Introduction of a "lock" group
On Mon, Aug 15, 2011 at 04:11:49PM +0100, Roger Leigh wrote:
> Fedora has moved to having /var/lock (now /run/lock) owned by
> root:lock 0775 rather than root:root 01777. This has the advantage
> of making a system directory writable only by root or setgid lock
> programs, rather than the whole world. However, due to the
> potential for privilege escalation¹² it may be desirable to adopt
> what has been done subsequently in Fedora:
> /var/lock root:root 0755
> /var/lock/lockdev root:lock 0775
> /var/lock/subsys root:root 0755
>
> This mail is to discuss these issues:
>
> 1) Addition of a "lock" group as a system group
>
> This is a trivial change but requires approval.
Would such a system group need to be statically allocated, or could it
be dynamically allocated? (Generally the latter is better if possible,
of course - I haven't had to add a global static group for years, and I
like it that way - but one might wish to consider things like bind
mounts of /run/lock into chroots, which would no longer be
NSS-agnostic.)
> Are there any other downsides we need to consider? One issue is the
> existence of badly broken programs³, which make stupid assumptions
> about lockfiles.
What about programs that need to write lock files which are already
setgid something else? I don't have an example off the top of my head,
but it would surprise me if there were none of these.
--
Colin Watson [cjwatson@debian.org]
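An added example, not part of this thread: a small POSIX sh audit that checks a lock directory tree against the layout Roger quoted (top level root:root 0755, lockdev root:lock 0775, subsys root:root 0755) and flags the older world-writable 01777 layout. It assumes GNU stat; the expected owner:group strings are passed in so the functions can also be exercised on a constructed tree by an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).

# Octal mode of a path as stat prints it: "1777" for 01777, "775" for 0775.
mode_of() {
    stat -c '%a' "$1"
}

# Succeed (0) if the "other" permission bits of $1 lack the write bit,
# i.e. the directory is not world-writable the way the old 01777 layout was.
not_world_writable() {
    m=$(mode_of "$1") || return 2
    other=${m#"${m%?}"}          # last octal digit = permissions for "other"
    case $other in
        2|3|6|7) return 1 ;;     # o+w set: any user may create lock files here
        *)       return 0 ;;
    esac
}

# Succeed if $1 is owned by $2 ("owner:group") with exact mode $3 (e.g. 755).
audit_lock_dir() {
    have=$(stat -c '%U:%G %a' "$1") || return 2
    if [ "$have" = "$2 $3" ]; then
        echo "ok       $1 ($have)"
    else
        echo "MISMATCH $1: have '$have', want '$2 $3'"
        return 1
    fi
}

# Audit the three directories of the proposed layout under base $1.
# $2 is the expected spec for the root-owned dirs (normally "root:root"),
# $3 the spec for the lock-group dir (normally "root:lock").
# Returns non-zero if any directory deviates from the layout.
audit_lock_tree() {
    rc=0
    audit_lock_dir "$1"         "$2" 755 || rc=1
    audit_lock_dir "$1/lockdev" "$3" 775 || rc=1
    audit_lock_dir "$1/subsys"  "$2" 755 || rc=1
    return $rc
}

# On a real system: audit_lock_tree /run/lock root:root root:lock
```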