[rrd-developers] Bug#606844: rrdcached: default UNIX socket permision should be changed.
Sebastian Harl
tokkee at debian.org
Fri Apr 25 21:11:27 CEST 2014
forwarded 606844 rrd-developers at lists.oetiker.ch
thanks
Hi,
On Sun, Dec 12, 2010 at 11:14:58AM +0100, Witold Baryluk wrote:
> Strange, but
> when I start rrdcached with default debian options, i have
>
> # ls -l /var/run/rrdcached.sock -l
> srwxr-xr-x 1 root root 0 12-12 10:51 /var/run/rrdcached.sock
> #
>
> but when I add "-s adm" at th begining of options, i have
>
> # ls -l /var/run/rrdcached.sock -l
> srwxrw---- 1 root adm 0 12-12 10:52 /var/run/rrdcached.sock
> #
>
> Shouldn't socket also in default mode also use 760 or 770 ?
> Isn't default mode somehow unsecure *755" !?
Yeah, this should be more consistent. Anyway, a few things to note:
- changing the behavior would be a backward incompatible change
- some operating systems don't care about file permissions of a UNIX
socket (however, Linux does take them into account)
- I'm not sure what the best behavior would be; I don't consider 755
insecure for most use-cases, so that could still be a good default
Anyway, once a solution has been agreed upon, a fix will be easy.
Currently, rrdcached calls chmod only if -s was specified on the command
line:
chmod(path, (S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IWGRP)
That is, by default, you get permissions based on your umask and 770
else.
Forwarding this upstream for further input.
Cheers,
Sebastian
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
Url : http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20140425/4aa793df/attachment.pgp
More information about the rrd-developers
mailing list