On Mon, Aug 15, 2011 at 05:35:54PM +0100, Colin Watson wrote:
> On Mon, Aug 15, 2011 at 04:11:49PM +0100, Roger Leigh wrote:
> > Fedora has moved to having /var/lock (now /run/lock) owned by
> > root:lock 0775 rather than root:root 01777. This has the advantage
> > of making a system directory writable only by root or setgid lock
> > programs, rather than the whole world. However, due to the
> > potential for privilege escalation¹² it may be desirable to adopt
> > what has been done subsequently in Fedora:
> >
> > /var/lock         root:root 0755
> > /var/lock/lockdev root:lock 0775
> > /var/lock/subsys  root:root 0755
> >
> > This mail is to discuss these issues:
> >
> > 1) Addition of a "lock" group as a system group
> >
> > This is a trivial change but requires approval.
>
> Would such a system group need to be statically allocated, or could it
> be dynamically allocated? (Generally the latter is better if possible,
> of course - I haven't had to add a global static group for years, and I
> like it that way - but one might wish to consider things like bind
> mounts of /run/lock into chroots, which would no longer be
> NSS-agnostic.)

I was initially thinking that static would be the best approach. But if
the general consensus is that /var/lock/lockdev etc. aren't going to be
around in the long term, then dynamic would be better -- we can then
switch lockdev and other UUCP-style lock users to direct locking and
remove it. There is compatibility with ancient UUCP software to consider
though, but how important is that? They have had years to switch to
using liblockdev.

> > Are there any other downsides we need to consider? One issue is the
> > existence of badly broken programs³, which make stupid assumptions
> > about lockfiles.
>
> What about programs that need to write lock files which are already
> setgid something else? I don't have an example off the top of my head,
> but it would surprise me if there were none of these.

IIRC Fedora have a setgid lock locking helper for this, which lockdev
uses internally. I'd need to check the details on a Fedora VM. IIRC it
checks if you have write perms on the device being locked, and so
individual programs don't need to be setgid lock unless they are not
using liblockdev.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
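The layout quoted in the thread (/var/lock 0755, /var/lock/lockdev 0775 with a lock group, /var/lock/subsys 0755) as an added, runnable check script. This is not code from the thread or from Debian or Fedora: it builds the three directories in a scratch location, then audits them against the quoted modes and flags any lock directory that is world-writable, which is the 01777 property the lock group is introduced to remove. It assumes GNU or busybox coreutils (`stat -c`); it does not check owners or the `lock` group, since the group may not exist on the machine running it and a scratch copy cannot be chowned to root. The function names (`make_lock_layout`, `audit_lock_layout`, `world_writable`, `dir_mode`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds and audits the lock
# directory layout quoted above. Assumes GNU/busybox `stat -c`.
# Owner and group (root:root, root:lock) are part of the quoted policy but
# are not enforced here, since a scratch copy cannot be chowned to root.

# make_lock_layout DIR: create DIR, DIR/lockdev and DIR/subsys with the
# modes quoted in the thread (0755, 0775, 0755). chmod is explicit so the
# caller's umask does not matter.
make_lock_layout() {
    mkdir -p "$1/lockdev" "$1/subsys" || return 1
    chmod 0755 "$1" "$1/subsys" && chmod 0775 "$1/lockdev"
}

# dir_mode PATH: print the permission bits as stat shows them, e.g.
# "755", or "1777" for a sticky, world-writable directory.
dir_mode() {
    stat -c '%a' "$1"
}

# world_writable MODE: succeed when the "other" write bit is set in the
# octal string MODE (last digit 2, 3, 6 or 7). "1777" matches; "775" does not.
world_writable() {
    case "$1" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_lock_layout DIR: compare each directory under DIR with the quoted
# policy. Prints one line per problem to stderr and returns 1 if any
# directory is missing, has the wrong mode, or is writable by everyone.
audit_lock_layout() {
    lock_root=$1
    rc=0
    for entry in ". 0755" "lockdev 0775" "subsys 0755"; do
        set -- $entry              # $1 = relative path, $2 = wanted mode
        path=$lock_root/$1
        want=${2#0}                # "0755" -> "755", matching stat output
        if [ ! -d "$path" ]; then
            echo "MISSING: $path" >&2
            rc=1
            continue
        fi
        have=$(dir_mode "$path")
        if world_writable "$have"; then
            echo "WORLD-WRITABLE: $path is $have (the lock group is meant to replace this)" >&2
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG MODE: $path is $have, policy says $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on a scratch directory (constructed, not a
# real /run/lock): the fresh layout passes, then lockdev is flipped back to
# the old 01777 and the audit reports it.
scratch=$(mktemp -d)
make_lock_layout "$scratch"
if audit_lock_layout "$scratch"; then echo "fresh layout: OK"; fi
chmod 01777 "$scratch/lockdev"
if ! audit_lock_layout "$scratch"; then echo "after chmod 01777: audit failed as expected"; fi
rm -rf "$scratch"
```

On a real system the same audit would be run as `audit_lock_layout /run/lock`, and the owner/group half of the policy checked separately with `stat -c '%U:%G'` against root:root and root:lock. The world-writable test is deliberately evaluated before the exact-mode comparison, so a directory that is both wrong and open to everyone is reported for the more serious of the two problems.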