Hi folks,

Fedora has moved to having /var/lock (now /run/lock) owned by root:lock 0775 rather than root:root 01777. This has the advantage of making a system directory writable only by root or setgid lock programs, rather than the whole world. However, due to the potential for privilege escalation¹² it may be desirable to adopt what has been done subsequently in Fedora:

    /var/lock          root:root 0755
    /var/lock/lockdev  root:lock 0775
    /var/lock/subsys   root:root 0755

This mail is to discuss these issues:

1) Addition of a "lock" group as a system group

   This is a trivial change but requires approval.

2) Alignment of /var/lock with Fedora

   This will require patching of lockdev (should already be in git). It would also require programs patching to use the new paths if not using lockdev.

Are there any other downsides we need to consider? One issue is the existence of badly broken programs³, which make stupid assumptions about lockfiles.

¹ http://lists.freedesktop.org/archives/systemd-devel/2011-April/001828.html
² https://bugzilla.redhat.com/show_bug.cgi?id=581884
³ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637856

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
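
An added example, not part of the original mail: a Python check that compares a lock directory tree with the owner, group and mode layout quoted in the message. The function names and the extra world-writable finding are assumptions of this example.

```python
import grp
import os
import pwd
import stat

# Layout quoted in the mail: path relative to the lock root -> (owner, group, mode)
FEDORA_LAYOUT = {
    ".": ("root", "root", 0o755),
    "lockdev": ("root", "lock", 0o775),
    "subsys": ("root", "root", 0o755),
}

def owner_group(st):
    """Return (user, group) names for a stat result, numeric ids if unnamed."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group

def audit_lock_tree(root, layout=FEDORA_LAYOUT):
    """Compare directories under root with layout; return a list of findings."""
    findings = []
    for rel, (want_user, want_group, want_mode) in sorted(layout.items()):
        path = os.path.normpath(os.path.join(root, rel))
        try:
            st = os.stat(path)  # follows symlinks, e.g. /var/lock -> /run/lock
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: not a directory")
            continue
        mode = stat.S_IMODE(st.st_mode)
        user, group = owner_group(st)
        if (user, group) != (want_user, want_group):
            findings.append(f"{path}: owner {user}:{group}, expected {want_user}:{want_group}")
        if mode != want_mode:
            findings.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
        if mode & stat.S_IWOTH:  # assumption of this example: always report o+w
            findings.append(f"{path}: world-writable")
    return findings

if __name__ == "__main__":
    for line in audit_lock_tree("/var/lock"):
        print(line)
```

Run as a script it audits /var/lock on the local system; an empty result means the tree matches the layout.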