Jim Li wrote:
> Darren J Moffat wrote:
>> Jim Li wrote:
>>> Darren J Moffat wrote:
>>>>>> So what is the ownership and permissions of
>>>>>> /var/lib/slocate/slocate.db
>>>>>>
>>>>> The ownership is root, group is other and permissions is 744
>>>>
>>>> The above check is completely useless given that that database is
>>>> publicly readable. Also it shouldn't be rwx for owner it doesn't
>>>> get executed it should be rw-.
>>>>
>>>> This is why slocate is normally installed SUID or SGID so that the
>>>> database can be installed like one of the following:
>>>> root root 600
>>>> root slocate 640
>>> Understood. Which way is better, SUID(root root 600) or root slocate
>>> 640?
>>
>> root:slocate 640
>>
> Do you think root:root 600 is also acceptable?

No because that means slocate is then setuid to root, or it needs to run at least with file_dac_read which is IMO far too powerful given that isn't how it is usually deployed.

> Because there are no preinstall or postinstall scripts in IPS, so there
> is no way to create a group when adding a package and delete this group
> when removing the package.

I thought IPS did have a way to create users and groups. Either way this case talks about SVR4 packages not IPS and this case has to integrate via an SVR4 process not directly to IPS.

-- 
Darren J Moffat
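
The ownership and mode points raised in this thread, written as a check. This is an added example, not part of the original message or of the slocate package; `FileMeta`, `audit_slocate` and the numeric group ids are hypothetical names and constructed values.

```python
import stat
from collections import namedtuple

# Stand-in for the st_mode/st_uid/st_gid fields of os.stat_result, so the
# check can be run on constructed values without touching the filesystem.
FileMeta = namedtuple("FileMeta", "mode uid gid")

def audit_slocate(db, binary, slocate_gid):
    """Return findings for the slocate database and the slocate binary.

    slocate_gid is the gid of the dedicated group (assumed to be the
    'slocate' group mentioned in the thread).
    """
    findings = []
    perms = stat.S_IMODE(db.mode) & 0o777
    if perms & stat.S_IROTH:
        findings.append("db is world-readable, so slocate's access check is pointless")
    if perms & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("db has execute bits set; it is data and is never executed")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("db is writable by group or other")
    if db.uid != 0:
        findings.append("db is not owned by root")
    if binary.mode & stat.S_ISUID and binary.uid == 0:
        findings.append("binary is setuid root; prefer setgid to a dedicated group")
    elif binary.mode & stat.S_ISGID and binary.gid == slocate_gid:
        if db.gid != slocate_gid or not perms & stat.S_IRGRP:
            findings.append("binary is setgid slocate but db is not readable by that group")
    else:
        findings.append("binary is not setgid slocate; ordinary users cannot read a protected db")
    return findings

SLOCATE_GID = 95  # constructed gid for the example

# The state reported in the thread: root:other 744 (gid 1 is constructed,
# and the binary's mode is an assumption since the thread does not give it).
reported = audit_slocate(FileMeta(0o100744, 0, 1), FileMeta(0o100755, 0, 2), SLOCATE_GID)
# The recommended layout: db root:slocate 640, binary setgid slocate.
recommended = audit_slocate(FileMeta(0o100640, 0, SLOCATE_GID),
                            FileMeta(0o102755, 0, SLOCATE_GID), SLOCATE_GID)
# The rejected alternative: db root:root 600, binary setuid root.
suid_root = audit_slocate(FileMeta(0o100600, 0, 0), FileMeta(0o104755, 0, 0), SLOCATE_GID)

if __name__ == "__main__":
    for name, result in [("reported", reported), ("recommended", recommended),
                         ("suid_root", suid_root)]:
        print(name, result or "ok")
```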