I'm closing this bug report after upstream explained the technical side.

Michael

----- Forwarded message from Jan Kara <[EMAIL PROTECTED]> -----

Date: Mon, 11 Jul 2005 15:44:18 +0200
From: Jan Kara <[EMAIL PROTECTED]>
To: Ognyan Kulev <[EMAIL PROTECTED]>
Cc: Michael Meskes <[EMAIL PROTECTED]>
Subject: Re: [EMAIL PROTECTED]: Bug#310027: quota: ability user to display own quota]

Hi,

> ----- Forwarded message from Ognyan Kulev <[EMAIL PROTECTED]> -----
>
> From: Ognyan Kulev <[EMAIL PROTECTED]>
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> Date: Sat, 21 May 2005 09:22:04 +0300
> Subject: Bug#310027: quota: ability user to display own quota
>
> Package: quota
> Version: 3.12-6
> Severity: wishlist
>
> Recommended practice is aquota.{user,group} to have access mode of 0600.
> This means that ordinary user can't display own quota with quota(1). A
> solution is to make quota(1) SUID and don't allow user or group argument
> when quota(1) is called by ordinary user.
>
> Am I missing something in my logic?

Yes. You're missing the fact that if quota is actually turned on (i.e. it
has some effect on a user), then any user can query his quota by an
appropriate syscall. quota(1) recognizes this and uses the syscall when
possible so there's no need to have SUID quota(1).

Honza

----- End forwarded message -----

--
Michael Meskes
Email: Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: [EMAIL PROTECTED]
Go SF 49ers! Go Rhein Fire! Use Debian GNU/Linux! Use PostgreSQL!
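An added example, not part of the e-mails above and not code from quota(1): on Linux the syscall in question is quotactl(2) with Q_GETQUOTA, which an unprivileged process may call for its own uid, so aquota.user can stay 0600 and nothing needs to be SUID. The helper names and the default device path are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/quota.h>
#include <sys/types.h>
#include <unistd.h>

/* Ask the kernel for the calling user's own quota on block device `dev`.
 * No read access to aquota.user is needed. Returns 0 and fills *out on
 * success, or a negative errno value on failure. */
int query_own_quota(const char *dev, struct dqblk *out)
{
    memset(out, 0, sizeof(*out));
    if (quotactl(QCMD(Q_GETQUOTA, USRQUOTA), dev, (int)getuid(),
                 (char *)out) == -1)
        return -errno;
    return 0;
}

/* Translate the result of query_own_quota() into what it means here. */
const char *explain_quota_error(int rc)
{
    switch (-rc) {
    case 0:       return "ok";
    case ESRCH:   return "quotas are not turned on for this filesystem";
    case EPERM:   return "not permitted (other ids need CAP_SYS_ADMIN)";
    case ENOENT:
    case ENOTBLK: return "device path missing or not a block device";
    case ENOSYS:  return "kernel built without quota support";
    default:      return strerror(-rc);
    }
}

int main(int argc, char **argv)
{
    /* Assumed default; pass the device backing the filesystem as argv[1]. */
    const char *dev = argc > 1 ? argv[1] : "/dev/sda1";
    struct dqblk dq;
    int rc = query_own_quota(dev, &dq);

    if (rc != 0) {
        fprintf(stderr, "%s: %s\n", dev, explain_quota_error(rc));
        return 1;
    }
    /* dqb_curspace is in bytes; the block limits are in 1 KiB units. */
    printf("uid %d on %s: %llu KiB used, soft %llu KiB, hard %llu KiB\n",
           (int)getuid(), dev, (unsigned long long)dq.dqb_curspace / 1024,
           (unsigned long long)dq.dqb_bsoftlimit,
           (unsigned long long)dq.dqb_bhardlimit);
    return 0;
}
```

ESRCH is the case Jan Kara's "if quota is actually turned on" condition covers: with quotas off there is nothing to query and nothing being enforced.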