Bernhard Weisshuhn wrote:
> As I understand it, the local /etc/shorewall directory on the
> administrative machine should not be used at all for the compilation.

Not so -- see below.

> All that matters should be the export directory for the host currently
> compiled. Because of that, I figured there should not be much reason
> to be root while compiling. (Deploying yes, but just preparing no, right?)

Correct

>
> I must have misunderstood something or nobody tried this before:
>
> % id -u
> 501
> % cd ~/svn/admin/shorewall/hosts/tim
> % shorewall compile -e -C perl . firewall
> /sbin/shorewall: line 134: /etc/shorewall/params: Permission denied
> % shorewall version
> 4.0.5

The non-priv user must have read access to /etc/shorewall/params and
/etc/shorewall/shorewall.conf

- /etc/shorewall/shorewall.conf contains the site-wide SHOREWALL_COMPILER
  directive and the default VERBOSITY settings. Both are needed by
  /sbin/shorewall.

- /etc/shorewall/shorewall.conf can contain shell variable expansions;
  that requires that /etc/shorewall/params be processed before
  /etc/shorewall/shorewall.conf.

~/svn/admin/shorewall/hosts/tim/shorewall.conf should set the CONFIG_PATH
in such a way that it omits /etc/shorewall/. That way, the compiler will
not look in /etc/shorewall/ for any of the other files.

The tarball installer and the RPM from shorewall.conf install both files
with mode 0644.

>
> This is shorewall-4.0.5 with the perl compiler, both from the
> shorewall rpm packages by Simon Matter.
>
> On a related note, I find installing /sbin/shorewall with permissions
> 0700 questionable - given that the code is publicly available to anybody
> through the web. Only makes it annoying for non-root users.

These permission issues are particular to Simon's RPMs. The tarball
installer and the RPM from shorewall.net both install /sbin/shorewall
with mode 0755.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
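
A preflight check for the unprivileged compile described in the reply above, as an added example that is not part of the original message or of Shorewall itself: it confirms that params and shorewall.conf under /etc/shorewall are readable and that the export directory's shorewall.conf sets a CONFIG_PATH that omits /etc/shorewall. The function names and the ETC_DIR override are assumptions made for this example, and CONFIG_PATH is compared as literal text without expanding shell variables.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the ETC_DIR
# override are assumptions made for illustration.
ETC_DIR="${ETC_DIR:-/etc/shorewall}"

# Print the last CONFIG_PATH= value in a shorewall.conf, quotes stripped.
# The value is taken literally; shell variables in it are not expanded.
config_path_of() {
    sed -n 's/^[[:space:]]*CONFIG_PATH=//p' "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed if any colon-separated entry of $1 equals ETC_DIR
# (a trailing slash on either side is ignored).
path_includes_etc() {
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        case "${entry%/}" in
            "${ETC_DIR%/}") IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Check export directory $1 before compiling as a non-root user.
# Returns: 0 ok
#          1 params or shorewall.conf under ETC_DIR is not readable
#          2 the export directory's shorewall.conf sets no CONFIG_PATH
#          3 CONFIG_PATH still lists ETC_DIR
preflight() {
    for f in params shorewall.conf; do
        [ -r "$ETC_DIR/$f" ] || { echo "cannot read $ETC_DIR/$f" >&2; return 1; }
    done
    [ -r "$1/shorewall.conf" ] || { echo "no shorewall.conf in $1" >&2; return 2; }
    cp=$(config_path_of "$1/shorewall.conf")
    [ -n "$cp" ] || { echo "CONFIG_PATH not set in $1/shorewall.conf" >&2; return 2; }
    if path_includes_etc "$cp"; then
        echo "CONFIG_PATH includes $ETC_DIR: $cp" >&2
        return 3
    fi
    return 0
}

# Usage, from the export directory:
#   preflight . && shorewall compile -e -C perl . firewall
```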
