On 01/19/2018 07:16 PM, William Hubbs wrote:
>
> It looks like we can't use your --as suggestion if we want to be
> able to create paths in /var/lib and /var/spool that are owned by
> non-privileged users because of the permissions on those paths. It is
> possible that service scripts are doing this.
>

Why not? Since /var/lib is root:root and mode 755, we can create
/var/lib/foo while running --as=root (the default). Then afterwards,
anything beneath /var/lib/foo would need to be created "--as" the owner
of that directory.

/var/lib or /var/spool should be no different than /run in that regard.

(Although, the ebuild should be responsible for /var/lib and /var/spool)

> Is it worth changing the algorithm to do this instead:
>
> 0. test for existence by opening a read-only file descriptor to this
> file.
> 1. Creating the file/directory/fifo.
> a. If it doesn't exist, create it -- note that I'm not setting
> permissions with the create call.
> b. Open a read-only file descriptor that attaches to the newly created
> file.
> 2. Setting Permissions.
> a. Fix the permissions of the file if necessary.
> 3. Setting ownership
> a. Set the ownership if it doesn't match the specified ownership.

Is this for checkpath? Steps (a) and (b) would need to happen at the
same time. Is there a way to determine if a file descriptor is for a
hard link? There are likely some small ways that we could still improve
checkpath, but the main issue I'm trying to solve by jumping through all
these hoops is the hard link race condition.

>> Risk #2: Instead consider a four-component path /run/foo/bar/baz. If you
>> start creating those directories with owner "foo", then when you get to
>> creating "baz", it's possible that "bar" has been replaced by a symlink
>> somewhere else.
>
> It is possible, sure, but the question I would ask is, could this also
> be a legit situation where a user would want /run/foo/bar to be a
> symlink to some other location? If it is, there's no way to tell the
> difference.

The init script author can use the real path instead of the one
involving the symlink if he needs to. So maybe he wants /run/foo/bar to
be a symlink to /herp/derp, but then instead of doing

newpath /run/foo/bar/baz

he could do

newpath /herp/derp/baz

and then there are no symlinks involved.
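The steps quoted in this thread (create, open a descriptor to what was created, fix the mode, fix the owner), the question of how a descriptor reveals a hard link, and the symlinked-intermediate-component risk on /run/foo/bar/baz, worked through in C as an added example. This is not code from the thread or from OpenRC's checkpath; `open_parent`, `safe_create` and `DIR_FLAGS` are hypothetical names chosen here. It assumes Linux with glibc, that every directory above the leaf already exists, and that a regular file with more than one link is never wanted. The answer to "is this fd a hard link?" is `fstat` and `st_nlink`; every permission change goes through the fd, never through the path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)

/* Close fd without disturbing the errno a failed call just set. */
static void close_keep_errno(int fd)
{
    int saved = errno;
    close(fd);
    errno = saved;
}

/* Walk each directory component of path with O_NOFOLLOW, so a component
 * swapped for a symlink (the /run/foo/bar/baz case) fails the walk instead
 * of being followed.  Returns an fd for the parent directory and copies the
 * last component into leaf.  Intermediate directories must already exist. */
int open_parent(const char *path, char *leaf, size_t leafsz)
{
    char *copy = strdup(path), *save = NULL, *tok = NULL, *next;
    int dirfd = -1, saved;
    if (copy != NULL && (tok = strtok_r(copy, "/", &save)) == NULL)
        errno = EINVAL;                     /* "/" or "": nothing to create */
    if (tok != NULL)
        dirfd = open(path[0] == '/' ? "/" : ".", DIR_FLAGS);
    while (dirfd >= 0 && (next = strtok_r(NULL, "/", &save)) != NULL) {
        int fd = openat(dirfd, tok, DIR_FLAGS);
        close_keep_errno(dirfd);
        dirfd = fd;
        tok = next;
    }
    if (dirfd >= 0 && strlen(tok) >= leafsz) {
        close(dirfd);
        dirfd = -1;
        errno = ENAMETOOLONG;
    }
    if (dirfd >= 0)
        strcpy(leaf, tok);
    saved = errno;
    free(copy);
    errno = saved;
    return dirfd;
}

/* Create path as a regular file (want_dir == 0) or a directory, then fix
 * mode and ownership through the open fd rather than by name, so the object
 * that was inspected is the one that gets changed.  (uid_t)-1 / (gid_t)-1
 * leave ownership alone.  Returns 0, or -1 with errno set. */
int safe_create(const char *path, int want_dir, mode_t mode, uid_t uid, gid_t gid)
{
    char leaf[NAME_MAX + 1];
    struct stat st;
    int dirfd = open_parent(path, leaf, sizeof leaf), fd, rc = -1;
    if (dirfd < 0)
        return -1;
    if (want_dir) {
        /* EEXIST is fine: whatever is there is checked through the fd. */
        if (mkdirat(dirfd, leaf, mode) < 0 && errno != EEXIST) {
            close_keep_errno(dirfd);
            return -1;
        }
        fd = openat(dirfd, leaf, DIR_FLAGS);
    } else {
        /* Create and open in one call; O_NOFOLLOW rejects a symlink leaf. */
        fd = openat(dirfd, leaf, O_RDONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    }
    close_keep_errno(dirfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto out;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) {
        errno = EEXIST;                     /* wrong kind of object at the leaf */
        goto out;
    }
    /* st_nlink answers "is this fd a hard link?": a regular file with a second
     * name was planted by someone else; chmod/chown through it hits their file. */
    if (!want_dir && st.st_nlink > 1) {
        errno = EMLINK;
        goto out;
    }
    if ((st.st_mode & 07777) != mode && fchmod(fd, mode) < 0)
        goto out;
    if (((uid != (uid_t)-1 && st.st_uid != uid) ||
         (gid != (gid_t)-1 && st.st_gid != gid)) && fchown(fd, uid, gid) < 0)
        goto out;
    rc = 0;
out:
    close_keep_errno(fd);
    return rc;
}
```

Two things worth noticing when reading it against the thread. First, there is still a window between `mkdirat` and the following `openat` (or between `O_CREAT` and a pre-placed object) in which someone can swap the leaf, but whatever they swap in is what `fstat` sees, so a symlink fails with `O_NOFOLLOW`, a wrong type fails the `S_ISDIR`/`S_ISREG` test, and a planted hard link fails `st_nlink > 1`; the `fchmod`/`fchown` only ever touch the inode that passed those checks. Second, because the walk refuses any symlinked component, the "legit symlink" case from the quoted exchange has to be written with the real path, exactly as the reply suggests.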