On Tue, Mar 21, 2000 at 10:07:18PM -0500, S. Salman Ahmed wrote:
> The only way around the problem for non-root users was to create a new
> group (javauser), chgrp -R javauser /usr/local/uml/Together, and then
> add myself to that group javauser. The permissions before this fix were
> something like:
this seems broken to me

> @phoenix:[/usr/local/uml/Together] dir
> total 19076
> drwxr-sr-x  13 root  staff   1024 Mar 21 21:20 ./
> drwxrwsrwx   3 root  staff   1024 Mar 21 21:19 ../
> drwxrwxr-x   6 1002  staff   1024 Mar 21 21:44 bin/
> -rw-rw-r--   1 1002  staff      5 Mar 12 13:29 buildnum.txt
> drwxrwx--x   2 1002  staff   1024 Mar 21 21:28 config/
> drwxr-xr-x   6 1002  staff   1024 Mar 12 13:27 doc/
> drwxrwxr-x   7 1002  staff   1024 Mar 12 13:28 help/
> drwxr-xr-x   6 1002  staff   1024 Mar 12 13:29 lib/
> drwxrwxr-x   2 1002  staff   1024 Mar 12 13:29 license/
> drwxr-xr-x   4 1002  staff   1024 Mar 12 13:28 modules/
> drwxrwxr-x   2 1002  staff   1024 Mar 12 13:29 myprojects/
> drwxrwxr-x   2 1002  staff   1024 Mar 12 13:27 out/
> -rw-rw-r--   1 1002  staff  17934 Mar 12 13:29 readme.html
> drwxr-xr-x   3 1002  staff   1024 Mar 12 13:28 samples/
> drwxrwxr-x   2 1002  staff   1024 Mar 12 13:29 source/

these files should have a real owner.

> Which, finally, leads to my question: what should the correct
> permissions be of an application/software installed in /usr/local ?
owned by root.root, writable by only the owner, i.e. executables should be mode 0755 (-rwxr-xr-x), directories should be the same, ordinary non-executable files should be owned by root.root, mode 0644 (-rw-r--r--).

> For instance, I have noticed that the directory in which I have
> installed netscape-4.72 (from tarball) has some weird permissions:

chown -R root.root netscape/ && chmod 755 netscape

> @phoenix:[/usr/local] dir netscape/
> total 24578
> drwxr-sr-x   8 root  staff    1024 Feb 26 17:23 ./
> drwxrwsr-x  15 root  staff    1024 Mar 20 21:57 ../
> -r--r--r--   1 5115  uucp    16154 Jan 31 09:09 LICENSE
> -r--r--r--   1 5115  uucp   323399 Jan 31 09:08 Netscape.ad
> -r--r--r--   1 5115  uucp    16215 Jan 31 09:09 README
> -r--r--r--   1 5115  uucp     4674 Oct 18  1994 XKeysymDB
> -r--r--r--   1 5115  uucp    11357 Jan 31 09:11 bookmark.htm
> drwxr-xr-x   3 5115  uucp     1024 Jan 31 09:11 java/
<snip>
>
> This Together/J is a strange application in that it seems to be writing
> to dirs/files in the directory in which it is installed, but for other

this is *BROKEN*. nothing should EVER be writing to its program files or the directories it is installed in. where did you get this program? it sounds like it was written for win* or macos.

> applications that don't do this, what should the group and owner be for
> maximum security ?

debian by default installs all directories under /usr/local/ root.staff mode 2775. personally i think this is bogus; no non-root user should be able to mess with stuff there, it just opens up all kinds of ugly trojaning scenarios. so i recommend following the /usr/* permission model, which is owner: root, group: root, umask 022 (executables and directories 0755, regular files 0644). any program that refuses to function in this environment is completely broken and IMO deserves nothing less than a visit from Mr. rm -rf.
if you have such a program it is completely unsuitable for multiuser use, and you might as well have any user who wants to use the program install it under their home directory in ~/usr/bin or ~/bin. if you want to follow the debian style for /usr/local then everything should be owned by root.staff, and possibly mode 0775, and be VERY picky about who is in group staff. i recommend against this, however. if you are a member of group staff, and you run some program that does nasty things, it has a whole mess of software in /usr/local it can trojan, not just for you but for every user on the system.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/