[Kolab-devel] [PATCH] better modes

Thomas Arendsen Hein thomas at intevation.de
Thu Jun 17 13:03:25 CEST 2010


* Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com> [20100613 13:03]:
> Thomas Arendsen Hein wrote:
> > > Quoting "Jeroen van Meeuwen (Kolab Systems)" <vanmeeuwen at kolabsys.com>:
> > >> 1) Installing a file chmod 444 prevents build processes from changing any
> > >> ownership attributes and modes
> > 
> > And I am still unsure about that.
> > 
> > I do not understand "444 prevents build processes from changing any
> > ownership attributes and modes". What exactly does not work?
> 
> The following does not work, which is what the make install process attempts 
> to do:
> 
> $ touch something
> $ chmod 444 something
> $ chown apache something 
> chown: changing ownership of `something': Operation not permitted
> 
> Since the build process runs under user permissions, the build fails.

from chmod(2):
| Only a privileged process (Linux: one with the CAP_CHOWN capability)
| may change the owner of a file.  The owner of a file may change the
| group of the file to any group of which that owner is a member.  A
| privileged process (Linux: with CAP_CHOWN) may change the group
| arbitrarily.

Additionally, as a non-root user I can change the group of a
read-only file to any other group I belong to.

In other words: If mode 444 affects the usage of chown on your
system, this is something special to your system, so you should tell
us what it is.

> RPM allows for changing the exact permissions to ship the file with in the 
> %files section, so it is still possible to have the file end up in mode 444 on 
> the system.
> 
> Having said that, if the file is not supposed to be edited by any user, then 
> the file should probably live in /var/lib/ (and not in /etc/) as some kind of 
> stateful, transactional, generated, runtime configuration data file.

I think we can drop 444 as soon as it lives outside (/kolab)/etc,
but as long as it is here, mode 444 gives a good hint that you
should not edit the file directly.

Regards,
Thomas Arendsen Hein

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
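
The comparison discussed in this message, as an added example that is not part of the original mail: a shell script that tries chown and chgrp on temporary files of mode 644 and 444 so the outcomes can be compared on a given system. The function names, the temporary files and the use of "own uid + 1" as the other user are assumptions of this example.

```shell
#!/bin/sh
# Added illustration (not from the thread): does mode 444 change what
# chown/chgrp are allowed to do? All files are temporary and constructed here.

# try_chown MODE: create a file with MODE and try to hand it to another uid.
# Prints "ok" or "denied".
try_chown() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    other=$(( $(id -u) + 1 ))        # assumption: any uid that is not ours
    if chown "$other" "$f" 2>/dev/null; then echo ok; else echo denied; fi
    rm -f "$f"
}

# try_chgrp MODE: as the file's owner, set the group to one we belong to
# (the last entry of `id -G`). Prints "<permission string>:<ok|denied>".
try_chgrp() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    for g in $(id -G); do grp=$g; done
    if chgrp "$grp" "$f" 2>/dev/null; then r=ok; else r=denied; fi
    echo "$(ls -ld "$f" | cut -c1-10):$r"
    rm -f "$f"
}

# Side-by-side report: if the mode mattered, the 644 and 444 lines would differ.
echo "chown to other uid, mode 644: $(try_chown 644)"
echo "chown to other uid, mode 444: $(try_chown 444)"
echo "chgrp to own group, mode 644: $(try_chgrp 644)"
echo "chgrp to own group, mode 444: $(try_chgrp 444)"
```

If the 644 and 444 lines of a pair match, the permission bits are not what decides the result; the caller's privileges are.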



