Onward branch

Jan Dvorak jan.dvorak at sitronicsts.com
Mon Sep 15 00:17:04 PDT 2008


On Saturday 13 September 2008 03:38:16 Robert Connolly wrote:
> > fcron has to run with full set anyway, or not?
>
> Almost always no. crond only needs to do what you need it to do. If the
> only thing in root's crontab is to run /sbin/ldconfig, then almost all
> capabilities can be removed.

That's right, but the problem is you don't know beforehand. But you can 
change them while it's running, right? So I guess, it's fine.

> None of these daemons needs all the privileges of a root shell, like
> having write permission on every file.

I agree.

> Everything could be installed at user 'bin'. This doesn't stop files
> from being overwritten, but it's a step in the right direction.

It solves the security problem with root being able to overwrite them, if 
they are not root's and he does not have CAP_FOWNER.

> Installing as a package-installer-user, like the
> more_control_and_pkg_man hint does, makes it easy to identify all new
> files for backups or checksums (with find(1)), without any advance
> information about exactly what files will be installed.

Yeah, `find /` with file system spread all over your hard drive. Get me 
some SSDs for even SASes are too slow for this.

> If you're 
> creating a package, from scratch, this is the best system to use.

If you are creating a package, you just use DESTDIR, compare result with 
current file system state (using a simple script that does find(1) on 
like 30 files tops (with exceptions) and compares them to currently 
installed files) and when you are sure nothing will break, you just 
`cp -a` them in.

> The more_control_and_pkg_man.txt hint system is tedious, but it
> identifies every problem with filesystem permissions and packages, for
> us. It's a big helper.

Nope, it's totally overkill. You never ever run a program under a package 
user. The only reason for them is to install files safely, which can be 
done without polluting your passwd and group files and making all *nix 
people around scream with horror after looking at `ls -l` output.
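As an added example, not part of this thread or of any hint, here is a POSIX sh version of the DESTDIR check Jan describes above: walk the staging tree, compare each staged file with whatever already sits at the same path in the live filesystem, and only `cp -a` once nothing unexpected would be overwritten. The function names check_destdir and destdir_is_safe and the NEW/SAME/OVERWRITE labels are this example's own choices; the second argument (a target root other than `/`) is added so the script can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example: compare a DESTDIR staging tree with the live filesystem
# before merging it with `cp -a`. Not from the hlfs-dev thread; function
# names and the NEW/SAME/OVERWRITE labels are this example's own.
#
# Usage: check_destdir STAGING [TARGET]    (TARGET defaults to /)
# Prints one line per staged file or symlink:
#   NEW <dest>        nothing at <dest> yet, safe to copy
#   SAME <dest>       <dest> exists with identical content
#   OVERWRITE <dest>  <dest> exists and differs: review before cp -a

check_destdir() {
    staging=${1%/}
    target=${2:-/}
    target=${target%/}          # "/" becomes "", so "$target$rel" stays absolute

    # Directories are harmless to merge, so only files and symlinks are listed.
    # LC_ALL=C sort gives a stable order, so two runs can be diffed.
    find "$staging" \( -type f -o -type l \) -print | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$staging"}
        dest="$target$rel"
        if [ -L "$dest" ] || [ -e "$dest" ]; then
            if [ -L "$path" ] || [ -L "$dest" ]; then
                # Symlinks: compare the link text, not what it points at.
                if [ -L "$path" ] && [ -L "$dest" ] &&
                   [ "$(readlink "$path")" = "$(readlink "$dest")" ]; then
                    printf 'SAME %s\n' "$dest"
                else
                    printf 'OVERWRITE %s\n' "$dest"
                fi
            elif cmp -s "$path" "$dest"; then
                printf 'SAME %s\n' "$dest"
            else
                printf 'OVERWRITE %s\n' "$dest"
            fi
        else
            printf 'NEW %s\n' "$dest"
        fi
    done
}

# Exit 0 when no staged file would clobber a differing file in TARGET.
destdir_is_safe() {
    ! check_destdir "$@" | grep -q '^OVERWRITE '
}

# Typical use on a real build (paths are placeholders):
#   check_destdir /tmp/pkg-destdir            # eyeball the OVERWRITE lines
#   destdir_is_safe /tmp/pkg-destdir && cp -a /tmp/pkg-destdir/. /
```

Because the comparison is per staged file rather than a `find /` over the whole disk, it runs in the time it takes to stat a few dozen paths, which is the point Jan makes about the package-user approach. An OVERWRITE line is not necessarily wrong (an upgrade replaces its own old binaries), but each one is a path you chose to replace rather than one the build slipped in.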


