On Mon, Aug 15, 2011 at 04:11:49PM +0100, Roger Leigh wrote:
> Hi folks,
> Fedora has moved to having /var/lock (now /run/lock) owned by
> root:lock 0775 rather than root:root 01777.  This has the advantage
> of making a system directory writable only by root or setgid lock
> programs, rather than the whole world.  However, due to the
> potential for privilege escalation¹² it may be desirable to adopt
> what has been done subsequently in Fedora:
>   /var/lock          root:root 0755
>   /var/lock/lockdev  root:lock 0775
>   /var/lock/subsys   root:root 0755


If /var/lock won't be 1777 anymore, where should then applications store
application-specific lock files (e.g. synchronisation between daemons)
if they can't/won't run as setgid lock?

Is the intention that the init script creates a /var/lock/$NAME
directory, chgrp's it to the right GIDs and only then start the daemons?


Attachment: signature.asc
Description: Digital signature

Reply via email to