Re: RFS: task-spooler
On Tue, Aug 04, 2009 at 09:52:23AM -0500, Boyd Stephen Smith Jr. wrote:
> In <20090804100620.GA8545@shurick.s2s.msu.ru>, Alexander Inyukhin wrote:
> >Socket permissions are controlled by umask, but if security
> >matters, a more sophisticated way of managing sockets should be used.
> >Since task-spooler is intended for use in single user environment,
> >I do not think this is a serious issue.
>
> Unfortunately, Debian is not limited to use as a single-user environment so
> you may need to revisit the security implications. At the very least, you
> may want to warn the administrator that it is not suitable for multi-user
> environments.
>
> Any reason task-spooler can't secure its sockets the same way ssh-agent
> and/or gpg-agent secure theirs?
Actually, it can. It is just not the default behavior.
The user may override the socket location via the environment variables TMPDIR or TS_SOCKET.
As with gpg-agent, this requires additional setup.
Creating a socket with a predefined name in the user's home directory seems to be
a better choice. Are there any policy rules about socket naming?
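
An added example, not part of the original message and not task-spooler's code: the ssh-agent-style approach raised above, where the socket lives in a freshly created mode-0700 directory so that access does not depend on the umask. The function names `private_socket` and `socket_dir_is_private` and the `ts-XXXXXX` directory template are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#define SUN_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Hypothetical helper: listening socket in a fresh 0700 dir; returns fd or -1. */
int private_socket(char *path, size_t len) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    const char *tmp = getenv("TMPDIR");
    char dir[SUN_MAX];
    int fd, n;
    if (!tmp || !*tmp) tmp = "/tmp";
    /* sun_path is short; refuse an over-long TMPDIR instead of truncating. */
    n = snprintf(dir, sizeof dir, "%s/ts-XXXXXX", tmp);
    if (n < 0 || (size_t)n + sizeof "/socket" > sizeof dir) return -1;
    if (!mkdtemp(dir)) return -1;          /* directory is created mode 0700 */
    if ((size_t)snprintf(path, len, "%s/socket", dir) >= len) goto fail;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) goto fail;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 5) == 0) return fd;
    close(fd); unlink(path);
fail:
    rmdir(dir);
    return -1;
}

/* Hypothetical check: the directory, not the socket's own mode, is the barrier. */
int socket_dir_is_private(const char *path) {
    char dir[SUN_MAX];
    struct stat st;
    const char *slash = strrchr(path, '/');
    if (!slash || (size_t)(slash - path) >= sizeof dir) return 0;
    memcpy(dir, path, slash - path); dir[slash - path] = '\0';
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int main(void) {
    char path[SUN_MAX];
    umask(0);                      /* worst case: fully permissive umask */
    int fd = private_socket(path, sizeof path);
    if (fd < 0) return 1;
    printf("%s private=%d\n", path, socket_dir_is_private(path));
    close(fd); unlink(path); *strrchr(path, '/') = '\0'; rmdir(path);
    return 0;
}
```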