Hi Thomas,

For my setup I would be fine with the most strict setting. More
security is always better. However, it can be standard practice to have
monitoring or maintenance scripts access things with a different user in
the same group.

We keep talking about having a web interface to things like the corpus for
clients (business continuity in the event their server is offline). That
would need access to some files as a different user but I wouldn't want to
enable everyone permissions for the reasons cited - accidental or
malicious code execution.

My local domains is also generated by an external script that needs access.

I would favour ASSP not altering permissions. If it did not have access to
something it needs to run then exit with an error (mysql does this). If it
thinks something has too many permissions then complain loudly about it &
maybe provide the admin with the ability to specify a list of files
which ASSP will not complain about in case they really have a need to leave
things less secure.

All the best,
Colin Waring
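
The report-only policy proposed in this message (refuse to run without access, warn about excess permission bits, honour an admin exception list, never change modes), as an added example that is not part of the original e-mail and is not ASSP's code. The limits are the "my sugg." column of the table quoted in this thread; the file names, the suffix rule for recognising executables and the function names are assumptions made for the example.

```python
import os, stat, tempfile

# Upper limits taken from the "my sugg." column of the table in this thread.
MAX_DIR, MAX_FILE, MAX_EXEC = 0o770, 0o660, 0o760
EXEC_SUFFIXES = (".pl", ".sh")  # assumption: how executables are recognised

def inaccessible(paths):
    """Paths the current user cannot read and write (caller exits on any)."""
    return [p for p in paths if not os.access(p, os.R_OK | os.W_OK)]

def audit(root, exceptions=()):
    """Return sorted (relative path, mode, limit) for entries whose mode has
    bits beyond the limit. Read-only: nothing is chmod'ed. Paths listed in
    `exceptions` (relative to root) are the admin's accepted deviations."""
    skip = {os.path.normpath(p) for p in exceptions}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if rel in skip or stat.S_ISLNK(st.st_mode):
                continue  # excepted by the admin, or a symlink (mode unused)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                limit = MAX_DIR
            elif name.endswith(EXEC_SUFFIXES):
                limit = MAX_EXEC
            else:
                limit = MAX_FILE  # .bak, .txt, .db: no execute bit allowed
            if mode & ~limit:     # also catches setuid/setgid/sticky bits
                findings.append((rel, mode, limit))
    return sorted(findings)

def demo():
    """Build a constructed sample tree; names and modes are made up."""
    root = tempfile.mkdtemp()
    for name, mode in [("assp.pl", 0o760), ("spamdb.bak", 0o770),
                       ("notes.txt", 0o666), ("localdomains.txt", 0o664)]:
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = demo()
    bad = inaccessible([os.path.join(root, "assp.pl")])
    if bad:
        raise SystemExit("no access to: " + ", ".join(bad))
    for rel, mode, limit in audit(root, exceptions=["localdomains.txt"]):
        print(f"WARNING {rel}: mode {mode:04o} exceeds {limit:04o}")
```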

On 6 Feb 2017 7:24 a.m., "Thomas Eckardt" <thomas.ecka...@thockar.com>
wrote:

> One question Doug,
>
> There is a difference between what assp requires to run and what seems to be
> fine for admins.
> Some implementations are using external (r/w) access to files and folders
> - so I think, giving the group the same rights as the owner seems to be
> OK - however, this is not really required by assp.
>
>                 required        my sugg.        admins like
> folders         0700            0770            0777 or 0775
> files           0600            0660            0660 or 0666
> exec's          0700            0760            0770 or 0750 or 755 or 775 or 0777
>
> Is it OK to remove the public access for all assp components?
> Or would it be better to leave the mask untouched, if the existing rights
> are weaker than required?
>
>
> Thomas
>
>
>
> From:        Doug Lytle <supp...@drdos.info>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        05.02.2017 16:00
> Subject:        Re: [Assp-test] fixes in assp 2.5.6 build 17036
> ------------------------------
>
>
>
> On 02/05/2017 09:50 AM, Thomas Eckardt wrote:
> > At the end - is this really a problem?
>
> Yes; non-executable file type should not have its execute bit set.
> Scripts and programs, yes, but not the .bak nor .txt or even the .db
>
> Code accidentally or maliciously being entered would run.
>
> Just my opinion,
>
> Doug
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>