ltib
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ltib] World writable dirs in ltib

From: Svein Seldal
Subject: Re: [Ltib] World writable dirs in ltib
Date: Tue, 07 Jul 2009 21:33:07 +0200
User-agent: Thunderbird 2.0.0.22 (X11/20090608) 
Hi Stuart

Stuart Hughes wrote:
Please try to not to use emotive terms like: "awful", "to add insult to injury" etc as this is likely to cause offence which is not helpful. 

First of all let me apologize. I'm sorry for appearing insulting, it was
not my intention at all. I'll try to reduce my usage of emotive terms. I
do appreciate the efforts of this community and I don't intend to appear
ungrateful or arrogant. Let's please start over and continue the discussion gracefully.
As with all thing security is a balancing act between the absolute and preventing normal users conducting what they need to get on with.
Absolutely, I agree. However I do really dislike the usage of world writeable directories. I consider it a security weakness (me being a sysop). As proposed I believe there are better methods of giving users freedom and still maintain decent security. Some may consider this as unimportant details, but I don't.
We could of course do nothing and leave ltib as is and just leave it to each paranoid sysadmin (like me) to tighten the security. Personally don't like this approach, though. I believe that when ltib is asking for root access and uses this grant to create dirs with 777 permissions is stretching it a bit far.
If we do leave ltib as it is today, I think it's reasonable to warn the users about the 777 directories (in the Faq or similar), don't you agree? This way they can tighten the security if necessary. 


What event are you actually worried about occurring?
Well, general security on a multi-user build server is my biggest concern. 777 permissions and blanket sudo rpm access will be out of the question.
As previously mentioned, I have been looking into many internal details of ltib. The reason for this scrutiny was a combination of factors: carte blanche sudo rpm access, 777 directories and write access for ordinary users to /opt. All of my warning lights went on (as I understand other people has warned of this as well) and investigations were required. I've actually never had to do these kinds investigations on any other embedded packaging system before, so I think it fair to claim ltib is a bit special.
The reason LTIB allows these few directories to be globally writeable is because it needs to: 
  * Users on the same machine need to be able to download to
    the common pkgs cache
  * Users on the same machine need to be able to install updates
    to LTIB, which requires global write access to
    /opt/ltib/usr/src/rpm/* as build operations are not root.
My core point is that I propose a fix where you don't need 777 permissions on either of these directories.
The patch for rpm-fs*.rpm does not set the permissions for the two areas above to root (with 777). Instead it will use the owner of the build user for these directories. This ensures that the dirs will work when you're on a single user machine (which most are, I guess). For those of us on multiuser machines, the sysop would need to change the permissions accordingly.
Next the patch for ltib properly tests the access to pkg cache (by using access() instead of just looking at the file permissions). And it will not change the permissions in case of wrong access.
I'm not sure how you intend to share out LTIB on a common server, but that may not be a great idea if you use NFS etc as this is slow and permissions/locking problems show up. If you want to share your download area, your better off to set-up one of your download machines as a PPP server (http web server) and setup your .ltibrc files accordingly.
I plan on having each user check out LTIB files (as it is in savannah CVS) into their locations of own choosing.
However, since the server is common build server, it must use common controlled host software. Each user will not have write access to /opt/xxx, nor to the RPM database. This means that normal users will not be able to upgrade the host tools.
The common pkg cache (the lpp, right?) will be writeable though, but by using proper group permissions and not 777 permissions.
PS! I also would like to mention that I am not too fond of the sudo access scheme which ltib requires. I'm looking at it right now to see if there is anything that can be done to limit it's usage (as a help to the community, non assaulting). I'll post this in a later mail, and I hope it can useful. 


- Svein
reply via email to
[Prev in Thread] Current Thread [Next in Thread]