Nicolas François wrote:
> Justin B Rye wrote:
>> [...]
>> Or preferably something more like this:
>> ----------------------------------------------------------------------
>> #!/bin/sh
>> cd /var/backups || exit 0
>> for FILE in passwd group shadow gshadow; do
>>     test -f /etc/$FILE || continue
>>     cmp -s $FILE.bak /etc/$FILE && continue
>>     install --preserve-context -pm 0600 /etc/$FILE $FILE.bak
>> done
>> ----------------------------------------------------------------------
>
> Is there a reason you changed cp + chmod to install --preserve-context?
>
> The --preserve-context causes warnings (which would be sent daily) on
> non-SELinux machines.
Oh, sorry! I'm even using a non-SELinux kernel right now, so that tells me which machine I must have been on when I did my testing. Okay, scratch that "--preserve-context".

Usually I'd go for the "install -pm 0600" approach because it has the advantage of not leaving the permissions wrong for a moment; but in this case, that only means there's a window of opportunity for members of the shadow group to read data they could already see in the original file... In fact it's not quite clear to me why the permissions would _need_ to be tightened up.

Using the same install command on all these files also loses the opportunity to preserve the shadow group-ownership on /etc/*shadow. But then again, if you're stripping the group-readable bit, why would you _want_ to preserve the group-ownership?

Anyway, as I say, the whole point of this bug report was that the Shadow Cabal would know best what's appropriate here...

-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
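The backup loop from the quoted script, reworked as an added example (not code from either poster or from the shadow package) so that --preserve-context is only passed when SELinux is actually enforcing; the source and destination directories are parameters, and the `selinuxenabled` utility from libselinux is assumed to exist on SELinux hosts.

```shell
#!/bin/sh
# Added example, not the thread's own script: back up the authentication
# files with install -pm 0600, adding --preserve-context only on hosts
# where SELinux is enabled, so non-SELinux machines get no daily warnings.

# Exit 0 when SELinux is enabled (assumes libselinux's selinuxenabled).
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# backup_auth_files SRC_DIR DEST_DIR
# Copies passwd/group/shadow/gshadow from SRC_DIR to DEST_DIR/FILE.bak
# with mode 0600, only when the backup is missing or differs from the
# original. Returns 0 (silently) when DEST_DIR does not exist, like the
# "cd /var/backups || exit 0" guard in the quoted script.
backup_auth_files() {
    src=$1
    dest=$2
    test -d "$dest" || return 0
    if selinux_active; then
        ctx=--preserve-context
    else
        ctx=
    fi
    for FILE in passwd group shadow gshadow; do
        test -f "$src/$FILE" || continue
        cmp -s "$dest/$FILE.bak" "$src/$FILE" && continue
        # -p keeps the source timestamps; -m 0600 sets the mode at
        # creation, so the copy is never readable by others, not even briefly.
        install $ctx -pm 0600 "$src/$FILE" "$dest/$FILE.bak"
    done
}

# On a real host this would be invoked as:
#   backup_auth_files /etc /var/backups
```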