NetBSD Problem Report #15461
Received: (qmail 16564 invoked from network); 2 Feb 2002 12:45:46 -0000
Message-Id: <200202021245.g12Cjor16191@steinba.ch>
Date: Sat, 2 Feb 2002 13:45:50 +0100 (CET)
From: Ingolf Steinbach <ingolf@steinba.ch>
Reply-To: Ingolf Steinbach <ingolf@steinba.ch>
To: gnats-bugs@gnats.netbsd.org
Subject: /var/spool/lock: inconvenient permissions
X-Send-Pr-Version: 3.95
>Number: 15461
>Category: install
>Synopsis: /var/spool/lock has inconvenient permissions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: install-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Feb 02 12:46:00 +0000 2002
>Closed-Date:
>Last-Modified: Mon Feb 04 19:34:01 +0000 2002
>Originator: Ingolf Steinbach
>Release: NetBSD 1.5.3_ALPHA
>Organization:
none
>Environment:
System: NetBSD helios 1.5.3_ALPHA NetBSD 1.5.3_ALPHA (HELIOS) #0: Sat Jan 26 19:29:23 CET 2002 ingolf@helios:/usr/obj/sys/arch/i386/compile/HELIOS i386
Architecture: i386
Machine: i386
>Description:
The /var/spool/lock directory is installed with write permissions
for user uucp only (mode 0755, owner uucp:daemon). As there are not
only uucp related directories in /var/spool, other daemons (e.g. a
news or ftp daemon) should be able to acquire locks in this
directory, too.
Better permissions would be mode 0775 and maybe owner daemon:daemon.
>How-To-Repeat:
Try to acquire a lock in /var/spool/lock as user news.
>Fix:
Apply the following patch
Index: etc/mtree/NetBSD.dist
===================================================================
RCS file: /cvsroot/basesrc/etc/mtree/NetBSD.dist,v
retrieving revision 1.110.2.10
diff -u -r1.110.2.10 NetBSD.dist
--- NetBSD.dist 2001/05/09 22:29:46 1.110.2.10
+++ NetBSD.dist 2002/02/02 12:43:26
@@ -2218,7 +2218,7 @@
..
# ./var/spool/lock
-lock uname=uucp gname=daemon
+lock uname=daemon gname=daemon mode=0775
# ./var/spool/lock
..
>Release-Note:
>Audit-Trail:
From: David Laight <david@l8s.co.uk>
To: "current-users@netbsd.org" <current-users@netbsd.org>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Sat, 02 Feb 2002 14:42:56 +0000
Ingolf Steinbach wrote:
>
> >Number: 15461
> >Category: install
> >Synopsis: /var/spool/lock has inconvenient permissions
> >Confidential: no
> >Severity: non-critical
> >Priority: low
> >Responsible: install-manager
> >State: open
> >Class: change-request
> >Submitter-Id: net
> >Arrival-Date: Sat Feb 02 04:46:00 PST 2002
> >Closed-Date:
> >Last-Modified:
> >Originator: Ingolf Steinbach
> >Release: NetBSD 1.5.3_ALPHA
> >Organization:
> none
> The /var/spool/lock directory is installed with write permissions
> for user uucp only (mode 0755, owner uucp:daemon). As there are
> not only uucp related directories in /var/spool, other daemons
> (e.g. a news or ftp daemon) should be able to acquire locks in
> this directory, too.
>
> Better permissions would be mode 0775 and maybe owner
> daemon:daemon.
Why not 1777 - so that the (lock) files can only be deleted by the
owning user?
David
From: "Perry E. Metzger" <perry@wasabisystems.com>
To: David Laight <david@l8s.co.uk>
Cc: "current-users@netbsd.org" <current-users@netbsd.org>,
gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: 02 Feb 2002 21:36:27 -0500
David Laight <david@l8s.co.uk> writes:
> Why not 1777 - so that the (lock) files can only be deleted by the
> owning user?
To prevent DoS attacks by randoms among other things. Normal users
should not be able to just claim locks on everything -- only
privileged programs should be allowed to do that.
--
Perry E. Metzger perry@wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
From: David Laight <david@l8s.co.uk>
To: Cc: "current-users@netbsd.org" <current-users@netbsd.org>,
gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Mon, 04 Feb 2002 10:27:01 +0000
"Perry E. Metzger" wrote:
>
> > Why not 1777 - so that the (lock) files can only be deleted by the
> > owning user?
>
> To prevent DoS attacks by randoms among other things. Normal users
> should not be able to just claim locks on everything -- only
> privileged programs should be allowed to do that.
ok, maybe 1070, maybe one of the (horrid) layered directories (as needed
by one of the'secure unix' definitions. B2?) where each user sees a
different set of files in the same (apparrant) physical directory - but
maybe not, was always too hard to find out what had really happened!
David
From: Ingolf Steinbach <ingolf@steinba.ch>
To: David Laight <david@l8s.co.uk>, gnats-bugs@netbsd.org,
current-users@netbsd.org
Cc:
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Mon, 04 Feb 2002 20:33:02 +0100
So let's use 1775 (or 1770) so that "user" daemon can write in
this directory, too.
Ingolf
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.