NetBSD Problem Report #15461

Received: (qmail 16564 invoked from network); 2 Feb 2002 12:45:46 -0000
Message-Id: <200202021245.g12Cjor16191@steinba.ch>
Date: Sat, 2 Feb 2002 13:45:50 +0100 (CET)
From: Ingolf Steinbach <ingolf@steinba.ch>
Reply-To: Ingolf Steinbach <ingolf@steinba.ch>
To: gnats-bugs@gnats.netbsd.org
Subject: /var/spool/lock: inconvenient permissions
X-Send-Pr-Version: 3.95

>Number:         15461
>Category:       install
>Synopsis:       /var/spool/lock has inconvenient permissions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    install-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 02 12:46:00 +0000 2002
>Closed-Date:    
>Last-Modified:  Mon Feb 04 19:34:01 +0000 2002
>Originator:     Ingolf Steinbach
>Release:        NetBSD 1.5.3_ALPHA
>Organization:
none
>Environment:
System: NetBSD helios 1.5.3_ALPHA NetBSD 1.5.3_ALPHA (HELIOS) #0: Sat Jan 26 19:29:23 CET 2002 ingolf@helios:/usr/obj/sys/arch/i386/compile/HELIOS i386
Architecture: i386
Machine: i386
>Description:
	The /var/spool/lock directory is installed with write permissions
	for user uucp only (mode 0755, owner uucp:daemon). As there are not
	only uucp related directories in /var/spool, other daemons (e.g. a
	news or ftp daemon) should be able to acquire locks in this
	directory, too.

	Better permissions would be mode 0775 and maybe owner daemon:daemon.
>How-To-Repeat:
	Try to acquire a lock in /var/spool/lock as user news.
>Fix:
	Apply the following patch
Index: etc/mtree/NetBSD.dist
===================================================================
RCS file: /cvsroot/basesrc/etc/mtree/NetBSD.dist,v
retrieving revision 1.110.2.10
diff -u -r1.110.2.10 NetBSD.dist
--- NetBSD.dist	2001/05/09 22:29:46	1.110.2.10
+++ NetBSD.dist	2002/02/02 12:43:26
@@ -2218,7 +2218,7 @@
 ..

 # ./var/spool/lock
-lock		uname=uucp gname=daemon
+lock		uname=daemon gname=daemon mode=0775
 # ./var/spool/lock
 ..

>Release-Note:
>Audit-Trail:

From: David Laight <david@l8s.co.uk>
To: "current-users@netbsd.org" <current-users@netbsd.org>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Sat, 02 Feb 2002 14:42:56 +0000

 Ingolf Steinbach wrote:
 > 
 > >Number:         15461
 > >Category:       install
 > >Synopsis:       /var/spool/lock has inconvenient permissions
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    install-manager
 > >State:          open
 > >Class:          change-request
 > >Submitter-Id:   net
 > >Arrival-Date:   Sat Feb 02 04:46:00 PST 2002
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Ingolf Steinbach
 > >Release:        NetBSD 1.5.3_ALPHA
 > >Organization:
 > none

 >         The /var/spool/lock directory is installed with write permissions
 >         for user uucp only (mode 0755, owner uucp:daemon). As there are
 >         not only uucp related directories in /var/spool, other daemons
 >         (e.g. a news or ftp daemon) should be able to acquire locks in
 >         this directory, too.
 > 
 >         Better permissions would be mode 0775 and maybe owner
 >         daemon:daemon.

 Why not 1777 - so that the (lock) files can only be deleted by the
 owning user?

 	David

From: "Perry E. Metzger" <perry@wasabisystems.com>
To: David Laight <david@l8s.co.uk>
Cc: "current-users@netbsd.org" <current-users@netbsd.org>,
	gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: 02 Feb 2002 21:36:27 -0500

 David Laight <david@l8s.co.uk> writes:
 > Why not 1777 - so that the (lock) files can only be deleted by the
 > owning user?

 To prevent DoS attacks by randoms among other things. Normal users
 should not be able to just claim locks on everything -- only
 privileged programs should be allowed to do that.

 --
 Perry E. Metzger		perry@wasabisystems.com
 --
 NetBSD Development, Support & CDs. http://www.wasabisystems.com/

From: David Laight <david@l8s.co.uk>
To: Cc: "current-users@netbsd.org" <current-users@netbsd.org>,
 	gnats-bugs@gnats.netbsd.org
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Mon, 04 Feb 2002 10:27:01 +0000

 "Perry E. Metzger" wrote:
 >
 > > Why not 1777 - so that the (lock) files can only be deleted by the
 > > owning user?
 > 
 > To prevent DoS attacks by randoms among other things. Normal users
 > should not be able to just claim locks on everything -- only
 > privileged programs should be allowed to do that.

 ok, maybe 1070, maybe one of the (horrid) layered directories (as needed
 by one of the'secure unix' definitions. B2?) where each user sees a
 different set of files in the same (apparrant) physical directory - but
 maybe not, was always too hard to find out what had really happened!

 	David

From: Ingolf Steinbach <ingolf@steinba.ch>
To: David Laight <david@l8s.co.uk>, gnats-bugs@netbsd.org,
   current-users@netbsd.org
Cc:  
Subject: Re: install/15461: /var/spool/lock: inconvenient permissions
Date: Mon, 04 Feb 2002 20:33:02 +0100

 So let's use 1775 (or 1770) so that "user" daemon can write in
 this directory, too.

     Ingolf
>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.