[Ddclient-forum] [ ddclient-Bugs-1328268 ] should not clobber permissions
From: SourceForge.net <no...@so...> - 2007-10-17 20:49:28
Bugs item #1328268, was opened at 2005-10-17 00:50
Message generated for change (Comment added) made by wimpunk
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=676128&aid=1328268&group_id=116817

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Mikel Ward (mwardle)
Assigned to: wimpunk (wimpunk)
Summary: should not clobber permissions

Initial Comment:
My ddclient conf was set up with user and group read and write permissions

rw-rw---- root root

I did this since there are multiple administrators on my system, and using groups seems like a more workable approach than giving all administrators sudo access.

When I invoked ddclient I was told that the file must be accessible only by its owner, then it changed the permissions on the file.

To issue a warning is one thing, but to clobber the permissions I gave it seems rude.

This permissions clobbering will also affect users of access control lists (ACLs), since the group permissions will mask any permissions except those of the owner.

Why does ddclient enforce no group or other access? Of course the file probably contains clear text passwords for the dynamic DNS service, but if I choose to allow certain people to read and modify the configuration file, ddclient should respect that.

----------------------------------------------------------------------

>Comment By: wimpunk (wimpunk)
Date: 2007-10-17 20:49

Message:
Logged In: YES
user_id=722282
Originator: NO

This is a warning since a while ago. We forgot to close this report.

----------------------------------------------------------------------

Comment By: wimpunk (wimpunk)
Date: 2006-01-23 07:45

Message:
Logged In: YES
user_id=722282

I'll look at this part of the code after reading the software recommendations of LSB.

----------------------------------------------------------------------

Comment By: Arun (arunarunarun)
Date: 2006-01-19 20:05

Message:
Logged In: YES
user_id=44265

Michael Smith has a cleaner patch up on http://bugs.gentoo.org/show_bug.cgi?id=117124 . The idea is that ddclient shouldn't be modifying permissions on the config file. Issuing a warning should suffice, since then the choice is left to the user.

----------------------------------------------------------------------

Comment By: Arun (arunarunarun)
Date: 2006-01-19 04:16

Message:
Logged In: YES
user_id=44265

Michael, could you please assign this to wimpunk?

----------------------------------------------------------------------

Comment By: Arun (arunarunarun)
Date: 2005-12-10 05:40

Message:
Logged In: YES
user_id=44265

Simple fix for this:

--- ddclient.old 2005-12-03 11:53:49.000000000 +0530 +++ ddclient 2005-12-03 11:54:51.000000000 +0530 @@ -755,12 +755,7 @@ # Check for only owner has any access to config file my ($dev, $ino, $mode, @statrest) = stat(FD); if ($mode & 077) { - if (-f FD && (chmod 0600, $file)) { - warning("file $file must be accessible only by its owner (fixed).");- } else { - # fatal("file $file must be accessible only by its owner."); - warning("file $file must be accessible only by its owner."); - } + warning("file $file must be accessible only by its owner."); } local $lineno = 0;

----------------------------------------------------------------------

Comment By: Arun (arunarunarun)
Date: 2005-12-04 05:30

Message:
Logged In: YES
user_id=44265

I second this - in Gentoo Linux, we run ddclient as user ddclient (group ddclient). The config file belongs to root:ddclient, and permissions are 640. Clobbering the permissions breaks this setup (which is a bit more secure than running ddclient as root).

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=676128&aid=1328268&group_id=116817
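
Review bot: the condition `if ($mode & 077)` kept in the `@@ -755,12 +755,7 @@` hunk still treats any group bit as a fault, so the root:ddclient 640 layout and the rw-rw---- layout described in this thread will log the warning on every run even though the patch exists to permit them. Consider splitting the test so that world bits (`$mode & 007`) keep the strong wording while group bits get a milder notice, and change "must be accessible only by its owner" to "should", since nothing enforces it once the chmod branch is removed. The context line `my ($dev, $ino, $mode, @statrest) = stat(FD);` also has no check for a failed stat, which leaves `$mode` undefined and silently skips the permission test; a defined-check before the mask would close that gap.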