Hi folks,

Fedora has moved to having /var/lock (now /run/lock) owned by
root:lock 0775 rather than root:root 01777.  This has the advantage
of making a system directory writable only by root or setgid lock
programs, rather than the whole world.  However, due to the
potential for privilege escalation¹² it may be desirable to adopt
what has been done subsequently in Fedora:
  /var/lock          root:root 0755
  /var/lock/lockdev  root:lock 0775
  /var/lock/subsys   root:root 0755

This mail is to discuss these issues:

1) Addition of a "lock" group as a system group

   This is a trivial change but requires approval.

2) Alignment of /var/lock with Fedora

   This will require patching of lockdev (should already be in git).
   It would also require programs patching to use the new paths
   if not using lockdev.

Are these any other downsides we need to consider?  One issue is the
existence of badly broken programs³, which make stupid assumptions
about lockfiles.



  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Attachment: signature.asc
Description: Digital signature

Reply via email to