
Re: #342455



On Fri, Feb 10, 2006 at 04:48:25PM +0000, Ian Jackson wrote:
> > It's also inconsistent over time on many single machines.
> I agree that the current situation is unsatisfactory.  But I think (at
> the moment, at least) that it should be fixed by adopting Bastian's
> code fragments with an appropriate configuration.

I haven't seen any "code fragments" that would fix this; I've only seen
suggestions that a more complicated solution is in the works.

Lacking a concrete, better fix, I think 0660 root:disk permissions
as per Roger Leigh's original patch [0] are the way to go.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=73
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=87

> > > For changing the `default' by changing the permissions at device
> > > creation time at the very least introduces a race, where the device
> > > briefly has the default permissions; if the defaults are maximally
> > > restrictive then this is OK.
> > The Debian defaults grant permission to an empty group -- one
> > which by default has no users -- this is maximally restrictive.
> This is rather disingenuous.  No-one would be complaining if the disk
> group remained empty.

Huh? The disk group's purpose is to let programs read and write to the disk;
that makes them essentially root-equivalent, but that's by design, it's not
a security flaw.

Cheers,
aj
