Re: What r the correct perms for SW in /usr/local ?
On Tue, Mar 21, 2000 at 10:07:18PM -0500, S. Salman Ahmed wrote:
> The only way around the problem for non-root users was to create a new
> group (javauser), chgrp -R javauser /usr/local/uml/Together, and then
> add myself to that group javauser. The permissions before this fix were
> sth like:
this seems broken to me
> @phoenix:[/usr/local/uml/Together] dir
> total 19076
> drwxr-sr-x 13 root staff 1024 Mar 21 21:20 ./
> drwxrwsrwx 3 root staff 1024 Mar 21 21:19 ../
> drwxrwxr-x 6 1002 staff 1024 Mar 21 21:44 bin/
> -rw-rw-r-- 1 1002 staff 5 Mar 12 13:29 buildnum.txt
> drwxrwx--x 2 1002 staff 1024 Mar 21 21:28 config/
> drwxr-xr-x 6 1002 staff 1024 Mar 12 13:27 doc/
> drwxrwxr-x 7 1002 staff 1024 Mar 12 13:28 help/
> drwxr-xr-x 6 1002 staff 1024 Mar 12 13:29 lib/
> drwxrwxr-x 2 1002 staff 1024 Mar 12 13:29 license/
> drwxr-xr-x 4 1002 staff 1024 Mar 12 13:28 modules/
> drwxrwxr-x 2 1002 staff 1024 Mar 12 13:29 myprojects/
> drwxrwxr-x 2 1002 staff 1024 Mar 12 13:27 out/
> -rw-rw-r-- 1 1002 staff 17934 Mar 12 13:29 readme.html
> drwxr-xr-x 3 1002 staff 1024 Mar 12 13:28 samples/
> drwxrwxr-x 2 1002 staff 1024 Mar 12 13:29 source/
these files should have a real owner.
> Which, finally, leads to my question: what should the correct
> permissions be of an application/software installed in /usr/local ?
owned by root.root, writable by only the owner, i.e. executables should be
mode 0755 (-rwxr-xr-x), directories should be the same, ordinary
non-executable files should be owned by root.root mode 0644 (-rw-r--r--)
> For instance, I have noticed that the directory in which I have
> installed netscape-4.72 (from tarball) has some weird permissions:
chown -R root.root netscape/ && chmod 755 netscape
> @phoenix:[/usr/local] dir netscape/
> total 24578
> drwxr-sr-x 8 root staff 1024 Feb 26 17:23 ./
> drwxrwsr-x 15 root staff 1024 Mar 20 21:57 ../
> -r--r--r-- 1 5115 uucp 16154 Jan 31 09:09 LICENSE
> -r--r--r-- 1 5115 uucp 323399 Jan 31 09:08 Netscape.ad
> -r--r--r-- 1 5115 uucp 16215 Jan 31 09:09 README
> -r--r--r-- 1 5115 uucp 4674 Oct 18 1994 XKeysymDB
> -r--r--r-- 1 5115 uucp 11357 Jan 31 09:11 bookmark.htm
> drwxr-xr-x 3 5115 uucp 1024 Jan 31 09:11 java/
<snip>
>
> This Together/J is a strange application in that it seems to be writing
> to dirs/files in the directory in which it is installed, but for other
this is *BROKEN*, nothing should EVER be writing to its program files
or the directories it's installed in. where did you get this program?
it sounds like it was written for win* or macos.
> applications that don't do this, what should the group and owner be for
> maximum security ?
debian by default installs all directories under /usr/local/
root.staff mode 2775, personally i think this is bogus, no non-root
user should be able to mess with stuff there, it just opens up all
kinds of ugly trojaning scenarios.
so i recommend following the /usr/* permission model which is
owner: root
group: root
umask 022 (executables and directories 0755, regular files 0644)
any program that refuses to function in this environment is completely
broken and IMO deserves nothing less than a visit from Mr. rm -rf.
if you have such a program it is completely unsuitable for multiuser
use and you might as well have any user who wants to use the program
install it under their home directory in ~/usr/bin or ~/bin.
if you want to follow the debian style for /usr/local then everything
should be owned by root.staff, and possibly mode 0775, and be VERY
picky about who is in group staff. I recommend against this however.
if you are a member of group staff, and you run some program that does
nasty things, it has a whole mess of software in /usr/local it can
trojan. not just for you but for every user on the system.
--
Ethan Benson
http://www.alaska.net/~erbenson/
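The audit and fix that the advice above amounts to, written out as a small POSIX shell script. This is an added example, not code from the original thread; the "Together" tree it builds is constructed to mirror the quoted listing, and the function names are my own. Ownership is reported rather than changed, since chown to root needs root; the modes are enforced with find and chmod in the umask-022 model (directories and executables 0755, other files 0644).

```shell
#!/bin/sh
# Added example, not code from the original thread.  Audits a software tree
# against the model recommended above (owner root, group root, umask 022:
# directories and executables 0755, other files 0644) and then enforces the
# modes.  Ownership is only reported, because chown to root needs root and
# this demo does not assume it.  The "Together" tree built below is a
# constructed sample mirroring the quoted listing, not a real install.
set -u

# Count lines on stdin without depending on wc's whitespace padding.
count_lines() {
    n=0
    while IFS= read -r _; do n=$((n + 1)); done
    echo "$n"
}

# Entries that are group- or world-writable: the trojaning vector the
# thread warns about, since anyone with write access can replace a binary.
find_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Entries not owned by uid 0.  Reported, not fixed (see header comment).
find_not_root() {
    find "$1" ! -user 0 -print
}

# Enforce the /usr model: directories 0755 with setgid cleared (so a stray
# "staff" group is no longer inherited), executables 0755, all else 0644.
fix_modes() {
    find "$1" -type d -exec chmod u=rwx,go=rx,g-s {} +
    find "$1" -type f -perm -100 -exec chmod u=rwx,go=rx {} +
    find "$1" -type f ! -perm -100 -exec chmod u=rw,go=r {} +
}

audit_report() {
    echo "== not owned by root under $1 =="
    find_not_root "$1"
    echo "== group- or world-writable under $1 =="
    find_writable "$1"
}

# Constructed sample tree with the sloppy modes from the quoted listing
# (setgid 2775 top dir, 775 bin, 771 config, 664 data files).
make_demo_tree() {
    base=$1/Together
    mkdir -p "$base/bin" "$base/config" "$base/lib"
    printf '#!/bin/sh\necho together\n' > "$base/bin/together"
    printf '42\n' > "$base/buildnum.txt"
    printf 'key=value\n' > "$base/config/settings"
    : > "$base/lib/classes.jar"
    chmod 2775 "$base"
    chmod 775 "$base/bin" "$base/bin/together"
    chmod 771 "$base/config"
    chmod 755 "$base/lib"
    chmod 664 "$base/buildnum.txt" "$base/config/settings"
    chmod 644 "$base/lib/classes.jar"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
echo "writable entries before: $(find_writable "$demo/Together" | count_lines)"
audit_report "$demo/Together"
fix_modes "$demo/Together"
echo "writable entries after:  $(find_writable "$demo/Together" | count_lines)"
rm -rf "$demo"
```

Pointed at a real /usr/local, the two find_ functions show what a Debian-style root.staff 2775 install leaves writable to group staff; as root, `chown -R root:root` followed by fix_modes brings the tree to the /usr model described above.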