CRUX

Welcome to CRUX bug tracking.
Tasklist

FS#63 - Directory permissions are ignored

Attached to Project: CRUX
Opened by Mark Rosenstand (mark) - Saturday, 29 April 2006, 18:22 GMT
Task Type Bug Report
Category tools → pkgutils
Status Unconfirmed
Assigned To No-one
Operating System CRUX
Severity Low
Priority Normal
Reported Version Development
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

If a package contains a directory with permissions different from an existing directory, the permissions are changed when the package is installed. But when the package is removed, the new permissions persist.

Obviously keeping track of directory permissions would require massive changes and complicate the code. So in order to keep it simple, I think the right approach is to detect such differences as conflicts at install time, since it will permanently affect the system and it\'s likely that the change isn\'t on purpose.
This task depends upon

Comment by Mark Rosenstand (mark) - Saturday, 29 April 2006, 18:24 GMT
I\'d appreciate if someone would bump up the severity on this issue - it\'s the only serious flaw in pkgutils that I know of.
Comment by Nick Steeves (sten) - Monday, 10 July 2006, 12:52 GMT
This sounds a lot like the symptoms of a bad port. Changes to directory permissions should be noted in a README, or place in a post-install script, yes? IMHO, the detection should occur before the port is published (I have a kludgy routine for this as part of my htup script). Do you know of any ports in opt that change the permissions of directories installed by core? (core seems like it should be pretty much sovereign, as far as directory permissions go). If the problem is that packages clobber your personally-defined permissions, then perhaps you might be interested in cfengine. I haven\'t looked into cfengine much at all, but I understand that it is a really cool tool for maintaining a consistent system. (for example, you could have it run once a day to check and restore any directory permissions you would otherwise have to manually change, have it edit misc files, have it create misc files, etc.) Cfengine is another one of those projects that I thought might be neat to port to CRUX, but just haven\'t had the time to work on, and the way things are looking, probably never will...
Comment by Johannes Winkelmann (jw) - Wednesday, 12 July 2006, 07:17 GMT
As noted in the related ML thread, there are a number of issues introduced by making permission changes a conflict, mainly two groups:

- a port changing one of its binaries to be suid root (or not suid root
anymore), or any other mode change

- a port (e.g. a daemon) changing to be run as nobody from root, thus
requiring its data file to be owned by nobody:nobody

- same problem: a port starting to use a particular group (think: video,
audio etc.) which previously used \'root\'

- human errors where a directory wasn\'t writable or a file not
executable, and fixed by the maintainer by changing a mode/ownership
of some files or directories

That\'s not to say that the feature shouldn\'t be added at all, but maybe we can find a different approach which doesn\'t have these annoyances
Comment by Mark Rosenstand (mark) - Thursday, 31 August 2006, 12:53 GMT
I was sort of thinking about permission changes for directories, e.g. /usr/bin, since that\'s the only type of \"package object\" that is currently shared between packages. Obviously the package should be allowed to change the permissions of its *own* files as much as it wishes to.

An example of one port that used to change directory permissions, there was vsftpd which would chown /var/ftp to root:root since the \'filesystem\' package had the same directory owned by ftp:ftp (IIRC)
Comment by Mark Rosenstand (mark) - Thursday, 31 August 2006, 13:01 GMT
Note that this change was intentional since vsftpd refuses to start with a ftp root which is writable by itself (\'ftp\'), but since it does change the system even after the package is removed, I think sysadmin intervention is reasonable.

Loading...