[Kolab-devel] [PATCH] better modes
Thomas Arendsen Hein
thomas at intevation.de
Thu Jun 17 13:03:25 CEST 2010
* Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com> [20100613 13:03]:
> Thomas Arendsen Hein wrote:
> > > Quoting "Jeroen van Meeuwen (Kolab Systems)" <vanmeeuwen at kolabsys.com>:
> > >> 1) Installing a file chmod 444 prevents build processes from changing any
> > >> ownership attributes and modes
> >
> > And I am still unsure about that.
> >
> > I do not understand "444 prevents build processes from changing any
> > ownership attributes and modes". What exactly does not work?
>
> The following does not work, which is what the make install process attempts
> to do:
>
> $ touch something
> $ chmod 444 something
> $ chown apache something
> chown: changing ownership of `something': Operation not permitted
>
> Since the build process runs under user permissions, the build fails.

from chmod(2):
| Only a privileged process (Linux: one with the CAP_CHOWN capability)
| may change the owner of a file. The owner of a file may change the
| group of the file to any group of which that owner is a member. A
| privileged process (Linux: with CAP_CHOWN) may change the group
| arbitrarily.

Additionally, as a non-root user I can change the group of a
read-only file to any other group I belong to.

In other words: If mode 444 affects the usage of chown on your
system, this is something special to your system, so you should tell
us what it is.

> RPM allows for changing the exact permissions to ship the file with in the
> %files section, so it is still possible to have the file end up in mode 444 on
> the system.
>
> Having said that, if the file is not supposed to be edited by any user, then
> the file should probably live in /var/lib/ (and not in /etc/) as some kind of
> stateful, transactional, generated, runtime configuration data file.

I think we can drop 444 as soon as it lives outside (/kolab)/etc,
but as long as it is here, mode 444 gives a good hint that you
should not edit the file directly.

Regards,
Thomas Arendsen Hein
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
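
An added example, not part of the original thread: a small script for checking on a given build host whether the file mode has any influence on `chown` or `chgrp`, the point disputed above. It runs each command against a 444 file and a 644 file and compares the outcomes; the temporary directory and the "other" uid (65534, or 1 if that is the caller's own) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: does the file mode influence chown/chgrp? (constructed demo)
# Run it as the ordinary user that performs the build.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# A numeric uid that is not ours (assumption: it only has to be "someone else").
MY_UID=$(id -u)
OTHER_UID=65534
if [ "$MY_UID" = "$OTHER_UID" ]; then
    OTHER_UID=1
fi

# attempt MODE TOOL ID: create a file with MODE, run "TOOL ID file",
# and print "ok" or "denied" depending on the exit status.
attempt() {
    f="$WORKDIR/f.$1.$2"
    rm -f "$f"
    : > "$f"
    chmod "$1" "$f"
    if "$2" "$3" "$f" 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# mode_independent TOOL ID: succeeds when mode 444 and mode 644
# produce the same result for "TOOL ID file".
mode_independent() {
    [ "$(attempt 444 "$1" "$2")" = "$(attempt 644 "$1" "$2")" ]
}

# Print one line per check: chown to another uid, chgrp to each own group.
report() {
    echo "chown $OTHER_UID: 444=$(attempt 444 chown "$OTHER_UID")" \
         "644=$(attempt 644 chown "$OTHER_UID")"
    for g in $(id -G); do
        echo "chgrp $g: 444=$(attempt 444 chgrp "$g")" \
             "644=$(attempt 644 chgrp "$g")"
    done
}

report
```

If any line of the report shows different results for 444 and 644, the host has a local restriction (for example a security module or an unusual filesystem) that is worth identifying before changing the install modes.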