Re: [Debian-med-packaging] Bug#924128: prokka: creates world writable directory tree /var/lib/prokka/*
- To: debian-med <firstname.lastname@example.org>
- Subject: Re: [Debian-med-packaging] Bug#924128: prokka: creates world writable directory tree /var/lib/prokka/*
- From: Olivier Sallou <email@example.com>
- Date: Tue, 10 Dec 2019 07:46:29 +0100 (CET)
- Message-id: <[🔎] 2132215188.25964253.1575960389306.JavaMail.firstname.lastname@example.org>
- In-reply-to: <20191209193505.GE22950@an3as.eu>
- References: <email@example.com> <CAD=Wrc+15qhK4m_MoadofCm9RWA4T_RXmoeiw3sb69eUCbR5tg@mail.gmail.com> <20191209193505.GE22950@an3as.eu>
----- Andreas Tille <firstname.lastname@example.org> a écrit :
> On Mon, Dec 09, 2019 at 05:18:37PM 0100, Michael Crusoe wrote:
> > On Sat, 9 Mar 2019 23:26:01 +0100 Andreas Tille <email@example.com> wrote:
> > > Control: severity -1 normal
> > >
> > > On Sat, Mar 09, 2019 at 08:24:46PM +0100, Andreas Beckmann wrote:
> > > >
> > > > during a test with piuparts I noticed your package creates a world
> > > > writable directory tree.
> > > >
> > > > >From the attached log (scroll to the bottom...):
> > > >
> > > > 0m49.9s ERROR: Command failed (status=1): ['chroot',
> > '/srv/piuparts/tmp/tmpLm6y7M',
> > 'tmp/scripts/pre_remove_50_find_bad_permissions']
> > > > ERROR: BAD PERMISSIONS
> > > > drwxrwxrwx 3 root root 60 Mar 5 02:46 /var/lib/prokka
> > > > drwxrwxrwx 4 root root 80 Mar 5 02:46 /var/lib/prokka/db
> > > > drwxrwxrwx 2 root root 260 Mar 5 02:46 /var/lib/prokka/db/cm
> > > > drwxrwxrwx 2 root root 580 Mar 5 02:46 /var/lib/prokka/db/genus
> > >
> > > I actually did some effort to make this dir world writable since users
> > > *need* to write and update these databases. Do your have any suggestion
> > > for a better approach which enables every user to update a common
> > > database? I was wondering whether I should create a group prokka and
> > > making the dir only writable for users belonging to this group. But for
> > > a first packaging attempt testing user responses this seemed to be over
> > > enginering. There is also some work done at upstream to enable a better
> > > solution for user writable databases.
> > Is making a "prokka" group to own this directory the only option?
Can't location be specified at runtime?
If yes, either user is root and there is no pb, either he should copy var/lib/prokka to a writable dir and specify location at runtime.
For a multi user env, it would be weird for a tool to allow anyone on server to modify a central db.
Creating a group may not be enough. For reading, ok, but to modify a file (db) created by an other user, it depends on software, if filebus created in mode 77x ou 75x. If file is created in 75x even bein in group will not allow for modification
> I do not see any other option. But I'm wondering if its worth
> the effort. If you think its a good idea, just do it.
> Kind regards
> Debian-med-packaging mailing list