
Re: limiting user access



Joey Hess <joey@kitenet.net> writes:
> Anthony Towns wrote:
> > [...] but at least a couple of packages use /var
> > for executable files, notably dpkg (/var/lib/dpkg/info/*), and the
> > distributed-net client (/var/lib/distributed-net/distributed-net).
> >
> > BTW, if /var was noexec, it remains possible to have something like
> > /var/lib/distributed-net/distributed-net -> /usr/bin/distributed-net,
> > and still be able to cd /var/lib/distributed-net; ./distributed-net,
>
> This is currently exactly how /var/lib/distributed-net/distributed-net is
> set up, so I don't know what you're worrying about.

As it turns out neither do I. Which is odd, because I did double check
this. Apologies for the blatant misinformation.

> /var/lib/dpkg/info/* is a stickier problem..

After thinking about this a little more, I think it might be best to
move /var/lib/dpkg/info to /usr/lib/dpkg/info.

One obvious possible problem with this is that /usr can be (ought
to be able to be) mounted read-only, and having these files
unmodifiable could, theoretically, cause problems. I don't think this
should be a problem though, because the only time those files should
be being changed is when an install or removal is happening -- which
is when /usr should be mounted read-write in any case.

I still have a lingering concern that /var -feels- better for these
files than /usr does, but I can think of technical reasons for one and
not for the other at the moment, so...

What other concerns would moving /var/lib/dpkg/info raise?

The other thing that's worth noting is that almost all of these are
either scripts or text config files. On my system, there's exactly one
ELF binary -- libreadline2's postinst.

Another option might thus be to have a config file that specified an
interpreter to run over each of the package's preinst, postinst and
whatever scripts. Instead of just executing the preinst script, the
script would be piped to the interpreter, or something similar. This
gets by any noexec problems, but does limit our options, and
personally seems much less than elegant.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

      ``It's not a vision, or a fear. It's just a thought.''
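As an added example, not part of the thread, here is a small audit script that sorts the maintainer scripts in a dpkg info directory the way the message does: files with a shebang could be piped to their interpreter, while an ELF binary needs a real exec and would break on a noexec /var. The directory and its sample files (including a constructed stand-in for libreadline2's postinst) are made up for the demonstration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# dpkg maintainer scripts that get executed at install/remove time
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def classify_maintainer_file(path):
    """Return ('elf', None), ('script', interpreter) or ('other', None).

    'elf' needs exec() and so breaks on a noexec /var; 'script' could
    instead be fed to its shebang interpreter, as the message suggests.
    """
    with open(path, "rb") as fh:
        head = fh.readline(256)
    if head.startswith(ELF_MAGIC):
        return ("elf", None)
    if head.startswith(b"#!"):
        words = head[2:].decode("ascii", "replace").strip().split()
        return ("script", words[0] if words else None)
    return ("other", None)


def audit_info_dir(info_dir):
    """Classify every <package>.<preinst|postinst|prerm|postrm> file."""
    report = {}
    for name in sorted(os.listdir(info_dir)):
        if name.rsplit(".", 1)[-1] not in MAINT_SCRIPTS:
            continue  # .list, .md5sums, .conffiles are data, never run
        report[name] = classify_maintainer_file(os.path.join(info_dir, name))
    return report


def build_sample_info_dir():
    """Constructed stand-in for /var/lib/dpkg/info (not real package data)."""
    d = tempfile.mkdtemp(prefix="dpkg-info-")
    samples = {
        "foo.postinst": b"#!/bin/sh\nset -e\nexit 0\n",
        "bar.preinst": b"#!/usr/bin/perl -w\nexit 0;\n",
        "libreadline2.postinst": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13,
        "foo.list": b"/usr/bin/foo\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, (kind, interp) in audit_info_dir(build_sample_info_dir()).items():
        print(f"{name}: {kind}" + (f" via {interp}" if interp else ""))
```

Pointing audit_info_dir at a real /var/lib/dpkg/info shows how many scripts the "pipe to interpreter" scheme would cover and which binaries it would not.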
