[Kolab-devel] [PATCH] better modes
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Sun Jun 13 13:03:07 CEST 2010
Thomas Arendsen Hein wrote:
> * Gunnar Wrobel <wrobel at pardus.de> [20100603 15:50]:
> > Quoting "Jeroen van Meeuwen (Kolab Systems)" <vanmeeuwen at kolabsys.com>:
> >
> >> Attached is a patch to apply to kolabd/kolabd/Makefile.am.
> >>
> >> 1) Installing a file chmod 444 prevents build processes from changing any
> >> ownership attributes and modes
> >>
> >> 2) If you can read it, you can execute it.
> >
> > Thanks! Committed to CVS.
> >
> > Concerning kolab.globals I'm not 100% certain everyone agrees to the
> > change. It has been added by Richard Bos not too long ago (which is why I
> > added him on cc). In principle you should never really change
> > kolab.globals and mode 444 was intended to indicate that. The file is
> > specific to your distribution and there are usually no reasons to modify
> > it.
>
> And I am still unsure about that.
>
> I do not understand "444 prevents build processes from changing any
> ownership attributes and modes". What exactly does not work?
>
The following does not work, which is what the make install process attempts
to do:

$ touch something
$ chmod 444 something
$ chown apache something
chown: changing ownership of `something': Operation not permitted

Since the build process runs under user permissions, the build fails.

RPM allows for changing the exact permissions to ship the file with in the
%files section, so it is still possible to have the file end up in mode 444 on
the system.

Having said that, if the file is not supposed to be edited by any user, then
the file should probably live in /var/lib/ (and not in /etc/) as some kind of
stateful, transactional, generated, runtime configuration data file.

-- Jeroen
--
Jeroen van Meeuwen
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +316 42 801 403
w: http://www.kolabsys.com
pgp: 9342 BF08