
Re: Configuration files in /usr/etc

[Please don't CC me when replying to the list.  Thanks.]

I wrote:
> > A big advantage I see is that this could (partially) remove the need
> > for the sysadmin to alter config-files.  Do as the menu package does,
> > and put the package-supplied config files in one place (/usr/etc
> > possibly), site-wide custom configs somewhere else (under
> > /usr/local/etc ?), and machine-local configs under /etc, as normal.
> > And users would be able to add more directories to their CONFIG_PATH,
> > like $HOME/.etc, getting per-user config files for free.

Yann Dirson <dwitch@bylbo.debian.novare.net> wrote:
>Yes, but No. Not this way, at least; allowing users to tell the system
>where to find conffiles would potentially create *huge* security
>holes, or prevent many critical programs from being run suid.

Hmm...  You're right.  It would be good for user programs without
security implications to be as configurable as possible by the user,
but any suid program that used this method of finding configuration
files would have to take the same kinds of precautions as a suid
program that used PATH to search for executables, like a shell script
run as root.  For example, doctoring the CONFIG_PATH before searching,
or using a minimal built-in path.

In any case, if this path-searching config file finder is in the
library, it's not -required- for any particular program to use it (just
strongly recommended).  If it's not appropriate for a particular
program, it shouldn't be used.  OTOH, it could serve as a model for how
any other program should be configured.

To give us something substantial to debate/argue over, I'll try writing
a first draft of this function and some documentation for it this
weekend.  I'll post it here for criticism, hopefully Monday.

--Charles Briscoe-Smith
White pages entry, with PGP key: <URL:http://alethea.ukc.ac.uk/wp?95cpb4>
PGP public keyprint: 74 68 AB 2E 1C 60 22 94  B8 21 2D 01 DE 66 13 E2
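
The precaution discussed in the message above (a suid program ignoring the user's CONFIG_PATH and falling back to a minimal built-in path), as an added example that is not part of the original post or of the draft function it promises. The names build_search_path and find_config, the file name menu.conf, and the exact built-in directory order are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Built-in order from the thread: machine-local, site-wide, package-supplied. */
#define BUILTIN_PATH "/etc:/usr/local/etc:/usr/etc"

/* Hypothetical helper. Privileged callers ignore env_path entirely; others keep
 * only its absolute entries, ahead of the built-in path. Returns 0, or -1 if out is too small. */
int build_search_path(const char *env_path, int privileged, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = privileged ? NULL : env_path; p && *p; ) {
        size_t len = strcspn(p, ":");
        if (len > 0 && p[0] == '/') {           /* drop empty and relative entries */
            if (used + len + 2 > outlen) return -1;
            memcpy(out + used, p, len);
            used += len;
            out[used++] = ':';
        }
        p += len;
        if (*p == ':') p++;
    }
    if (used + sizeof BUILTIN_PATH > outlen) return -1;
    memcpy(out + used, BUILTIN_PATH, sizeof BUILTIN_PATH);
    return 0;
}

/* Hypothetical lookup: open the first readable dir/name along the effective path. */
FILE *find_config(const char *name)
{
    char path[1024], file[1280];
    /* Assumption: "suid" is detected as real and effective ids differing. */
    int privileged = getuid() != geteuid() || getgid() != getegid();
    if (name[0] == '\0' || name[0] == '.' || strchr(name, '/')) return NULL;
    if (build_search_path(getenv("CONFIG_PATH"), privileged, path, sizeof path) != 0)
        return NULL;
    for (char *dir = strtok(path, ":"); dir; dir = strtok(NULL, ":")) {
        if ((size_t)snprintf(file, sizeof file, "%s/%s", dir, name) >= sizeof file) continue;
        FILE *f = fopen(file, "r");
        if (f) return f;
    }
    return NULL;
}

int main(void) { FILE *f = find_config("menu.conf"); if (f) fclose(f); return f ? 0 : 1; }
```

Rejecting names that contain a slash or start with a dot keeps the lookup inside the listed directories, so the search path is the only thing that decides which file is opened.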
