[packagers] File ownership!
Kjeldgaard Morten
mok at bioxray.dk
Mon Nov 6 21:08:26 CET 2006
> Since I don't think it matters and I don't think it is good practice
> either. It's very superficial really and people may somehow start to
> think it matters because it is being done. And if people think it
> matters where it doesn't that's where the trouble starts.
Thanks to Dag for setting me straight on this. Apparently my brain
has still not returned from our recent trip to the US. The stuff
about user "bin" ownership of files as a precaution against exploits
that I wrote is nonsense. Forget about it. An old Unix practice that
has long been abandoned. In fact, this is what CERT writes in their
"Unix security checklist":
<quote>
5.7 Bin ownership
Many systems ship files and directories owned by bin (or sys). This
varies from system to system and may have serious security implications.
* CHANGE all non-setuid files and all non-setgid files and directories
that are world readable but not world or group writable and that are
owned by bin to ownership of root, with group id 0 (wheel group under
SunOS 4.1.x).
</quote>
I will impose a moratorium for my posting on the list until my brain
arrives -- I also lost my suitcase on the way back, but at least it
came the next day. Bummer.
-- Morten
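
The check in the CERT item quoted in this message, written as a find(1) audit. This is an added example, not part of the original post or of the CERT checklist; the function names and the report-only behaviour are assumptions of the example.

```shell
#!/bin/sh
# Audit for the CERT "5.7 Bin ownership" item (added example).
#
# list_candidates OWNER DIR...
#   Prints every regular file or directory under DIR that is
#     - owned by OWNER (the checklist's case is "bin"; a numeric uid works too),
#     - neither setuid nor setgid,
#     - world readable,
#     - not group writable and not world writable.
#   These are the objects the checklist says to hand over to root, group 0.
list_candidates() {
    owner=$1
    shift
    find "$@" \( -type f -o -type d \) -user "$owner" \
        ! -perm -4000 ! -perm -2000 \
        -perm -0004 ! -perm -0020 ! -perm -0002 \
        -print
}

# report_chown OWNER DIR...
#   Report-only: prints one proposed "chown root:0" line per candidate so the
#   list can be reviewed before anything is changed. Nothing is modified.
#   Paths containing newlines or single quotes are not handled by this report.
report_chown() {
    list_candidates "$@" | while IFS= read -r path; do
        printf "chown root:0 -- '%s'\n" "$path"
    done
}

# Typical use on a system that still ships bin-owned files:
#   list_candidates bin /usr /etc
#   report_chown bin /usr /etc > proposed-changes.txt
```

Setuid and setgid files are excluded on purpose, as in the checklist wording, because changing their owner changes the identity they run as.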