
Re: Package install location for 0700 Directories

So "0700" is used to make a folder visible to the public, like on a file server?

On Mon, Feb 11, 2013 at 4:51 PM, Vincent Danjean <vdanjean.ml@free.fr> wrote:
On 11/02/2013 19:05, Russ Allbery wrote:
> Charles Williams <chuck@itadmins.net> writes:
>> However, I still have 1 problem. This package controls entire clusters
>> (corosync, pacemaker, et al) and thus is designed with directory rights
>> of 0700 for user hacluster (user used to run corosync). The problem is
>> that 0700 directories are against policy in /usr/share. However,
>> lighttpd is the delivery agent for the package and such apps (phpmyadmin
>> and other web gui's) are usually installed in /usr/share. If I set the
>> directories at 755 then there is the possibility that any service/script
>> could execute files in the directory and thus control the cluster.
> Er, why could anyone executing the scripts be able to control the cluster?
> That implies that there are authentication credentials embedded in the
> scripts, which is a bad design.

Moreover, in this case, 0700 directories are not a protection: it is easy
for a user to download the (source or binary) package and to compile or
unpack it in their HOME. So, if running programs of a Debian package allows
one to take control of a cluster (without requiring credentials
from somewhere else), there is a fundamental security design problem.

Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main

Archive: http://lists.debian.org/511967C7.1030703@free.fr
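The check implied by the two replies above, as an added example that is not part of the thread and not code from the cluster package being discussed: a script whose only protection is a 0700 directory but which carries its own credential is the design problem Russ and Vincent describe, because the same script is readable from the package archive anyway. The audit below walks an installed tree and reports files that embed a credential-style assignment, and secret files (the separate "credentials from somewhere else") that are readable by group or others. The directory names, file names, `authkey` secret name and the credential regex are assumptions made for illustration; the sample tree is constructed inside the script.

```python
"""Audit an installed tree for credentials that rely on directory mode alone.

Added example; not from the thread or from the package under discussion.
Assumptions: secret files are named 'authkey', and embedded credentials look
like NAME=value lines whose NAME contains PASSWORD/PASSWD/SECRET/AUTHKEY/TOKEN.
"""
import os
import re
import stat
import tempfile

# Heuristic for credential assignments inside script text (assumption: tune
# this to the conventions of the package being audited).
CREDENTIAL_RE = re.compile(
    r'^\s*(?:export\s+)?[A-Za-z_]*(?:PASSWORD|PASSWD|SECRET|AUTHKEY|TOKEN)'
    r'[A-Za-z_]*\s*=\s*\S+',
    re.IGNORECASE | re.MULTILINE,
)


def embeds_credential(path):
    """True if the text file at path contains a credential-style assignment."""
    try:
        with open(path, 'r', errors='replace') as fh:
            return CREDENTIAL_RE.search(fh.read()) is not None
    except OSError:
        return False


def readable_by_others(path):
    """True if group or other has the read bit on path (mode bits, not ACLs)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_tree(root, secret_names=('authkey',)):
    """Return sorted (path, problem) findings for the tree under root.

    'embedded-credential'  : a script carries its own credential. A 0700
                             directory does not hide it; the package contents
                             are public.
    'secret-world-readable': a file meant to hold the secret is readable by
                             group or others.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in secret_names:
                if readable_by_others(path):
                    findings.append((path, 'secret-world-readable'))
            elif embeds_credential(path):
                findings.append((path, 'embedded-credential'))
    return sorted(findings)


def build_sample_tree():
    """Build a constructed throwaway tree mirroring the layout debated above."""
    root = tempfile.mkdtemp(prefix='pkg-audit-')
    share = os.path.join(root, 'usr', 'share', 'clustergui')
    etc = os.path.join(root, 'etc', 'clustergui')
    os.makedirs(share)
    os.makedirs(etc)
    # The disputed layout: a 0700 directory "protecting" a script that
    # embeds the cluster password. Reported as embedded-credential.
    os.chmod(share, 0o700)
    with open(os.path.join(share, 'control.sh'), 'w') as fh:
        fh.write('#!/bin/sh\nCLUSTER_PASSWORD=hunter2\ncrm node standby "$1"\n')
    # A stray world-readable copy of the secret. Reported as secret-world-readable.
    leaked = os.path.join(share, 'authkey')
    with open(leaked, 'w') as fh:
        fh.write('hunter2\n')
    os.chmod(leaked, 0o644)
    # The corrected layout: script may be 0755, the secret lives in a
    # separate 0600 file owned by the service user. Produces no finding.
    with open(os.path.join(share, 'control-fixed.sh'), 'w') as fh:
        fh.write('#!/bin/sh\nread -r key < /etc/clustergui/authkey\n'
                 'crm node standby "$1"\n')
    key = os.path.join(etc, 'authkey')
    with open(key, 'w') as fh:
        fh.write('hunter2\n')
    os.chmod(key, 0o600)
    return root


def audit_sample():
    """Build the constructed tree, audit it, and return root-relative findings."""
    root = build_sample_tree()
    return [(os.path.relpath(p, root).replace(os.sep, '/'), problem)
            for p, problem in audit_tree(root)]


if __name__ == '__main__':
    for rel, problem in audit_sample():
        print(problem, rel)
```

Run it against a real install root (for example `audit_tree('/usr/share/<package>')` plus the package's `/etc` directory) to see whether the package depends on 0700 for secrecy; the fix is the second layout, not the directory mode.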
