On Fri, Feb 10, 2006 at 04:48:25PM +0000, Ian Jackson wrote: > > It's also inconsistent over time on many single machines. > I agree that the current situation is unsatisfactory. But I think (at > the moment, at least) that it should be fixed by adopting Bastian's > code fragments with an appropriate configuration. I haven't seen any "code fragments" that would fix this; I've only seen suggestions that a more complicated solution is in the works. Lacking a concrete, better fix, I think 0660 root:disk permissions as per Roger Leigh's original patch [0] are the way to go. [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=73 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=87 > > > For changing the `default' by changing the permissions at device > > > creation time at the very least introduces a race, where the device > > > briefly has the default permissions; if the defaults are maximally > > > restrictive then this is OK. > > The debian defaults grant permission to an empty group -- one > > which by default has no users -- this is maximally restrictive. > This is rather disingenuous. No-one would be complaining if the disk > group remained empty. Huh? The disk group's purpose is to let programs read and write to the disk; that makes them essentially root-equivalent, but that's by design, it's not a security flaw. Cheers, aj
Attachment:
signature.asc
Description: Digital signature