Re: RFS: task-spooler

[Alexander Inyukhin <shurick@sectorb.msk.ru>]

On Tue, Aug 04, 2009 at 09:52:23AM -0500, Boyd Stephen Smith Jr. wrote:
> In <20090804100620.GA8545@shurick.s2s.msu.ru>, Alexander Inyukhin wrote:
> >Socket permissions are controlled by umask, but if security
> >matters, a more sophisticated way of managing sockets should be used.
> >Since task-spooler is intented for use in single user environment,
> >I do not think this is a serious issue.
> 
> Unfortunately, Debian is not limited to use as a single-user environment so 
> you may need to revisit the security implications.  At the very least, you 
> may want to warn the administrator that it is not suitable for multi-user 
> environments.
> 
> Any reason task-spooler can't secure it's sockets the same way ssh-agent 
> and/or gpg-agent secure theirs?

Actually, it can. It is just not the default behavior.
User may override socket location via environment variables TMPDIR or TS_SOCKET.
As with gpg-agent, this requires additional setup.

Creating socket with predefined name in user's home directory seems to be
a better choice. Is there any policy rules about socket naming?