On Tue, Jan 09, 2018 at 08:19:24PM -0500, Michael Orlitzky wrote:

*snip*

> Ultimately, it's not safe to chown/chmod/setfacl/whatever in a directory
> that is not writable only by yourself and root.

Let me try to phrase this another way.

If the directory we are in is not owned by us or root and is group or
world writable, checkpath should not change the ownership or permissions
of the file passed to it.

> Here's a very tedious proposal for OpenRC:
> 
>   1. Create a new helper, called e.g. "newpath", that is like checkpath
>      but only creates things, and doesn't modify them.
> 
>   2. Have newpath throw a warning if it's used in a directory that is
>      writable by someone other than root and the OpenRC user. This will
>      prevent people from creating /foo/bar after /foo has already been
>      created with owner "foo:foo". In other words, service script
>      writers will be encouraged to do things in a safe order. Since
>      we're starting over, this might even be made an error.
> 
>   3. Deprecate checkpath
> 
>   4. Wait a million years for people to switch from checkpath to newpath
> 
>   5. Get rid of checkpath
> 
> I'm not even sure that this solves the problem completely, but it's the
> only idea I've got left.

I'm not really a fan of creating a new helper unless I have to; I would
rather modify checkpath's behaviour.

The first stage of that modification would be to release a version that
outputs error messages, then convert the error messages to hard failures
in a later release.

Is this reasonable? If we go this route, what should checkpath start
complaining about?

William
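As an added illustration of the rule William states above (refuse to change ownership or permissions when the parent directory is neither owned by us nor by root and is group- or world-writable), here is a small C sketch written for this thread; it is not OpenRC code and not checkpath's actual implementation, and the names `dir_is_trusted`, `open_parent`, `checkpath_chmod` and `demo_roundtrip` are hypothetical. The `strict` flag mirrors the two-stage rollout William proposes: warn first, hard failure in a later release. The policy check is done on the directory fd that the chmod is then performed through, so the directory inspected is the one operated in.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy as phrased in the mail: the parent is untrusted only when it is
 * NOT owned by us or root AND group or others may write into it. */
int dir_is_trusted(uid_t dir_owner, mode_t dir_mode, uid_t me)
{
    int owned_by_us_or_root = (dir_owner == me || dir_owner == 0);
    int others_can_write = (dir_mode & (S_IWGRP | S_IWOTH)) != 0;
    return owned_by_us_or_root || !others_can_write;
}

/* Open the parent directory of `path` and apply the policy to the fd we
 * actually hold (fstat), so the later operation runs in the directory that
 * was checked.  Returns the fd, or -1 with errno set; *trusted receives the
 * policy verdict. */
static int open_parent(const char *path, int *trusted)
{
    char *copy = strdup(path);          /* dirname() may modify its argument */
    if (!copy) return -1;
    int fd = open(dirname(copy), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    free(copy);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    *trusted = dir_is_trusted(st.st_uid, st.st_mode, geteuid());
    return fd;
}

/* chmod `path` the way a checkpath with this rule might: strict=0 logs the
 * unsafe parent but still proceeds (first release), strict=1 refuses with
 * EPERM (later release).  Returns 0 on success, -1 with errno on failure. */
int checkpath_chmod(const char *path, mode_t mode, int strict)
{
    int trusted = 0;
    int dirfd = open_parent(path, &trusted);
    if (dirfd < 0) return -1;
    if (!trusted) {
        fprintf(stderr, "checkpath: parent of %s is writable by a third party\n", path);
        if (strict) { close(dirfd); errno = EPERM; return -1; }
    }
    char *copy = strdup(path);          /* basename() may modify its argument */
    if (!copy) { close(dirfd); return -1; }
    int rc = fchmodat(dirfd, basename(copy), mode, 0);
    int e = errno;
    free(copy);
    close(dirfd);
    errno = e;
    return rc;
}

/* Constructed round trip: a private temp directory (owned by us, mode 0700,
 * hence trusted) with one file in it; chmod that file through the checked
 * path and return the resulting permission bits, or -1 on any failure. */
int demo_roundtrip(void)
{
    char dir[] = "/tmp/checkpath_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char file[sizeof dir + 16];
    snprintf(file, sizeof file, "%s/pidfile", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    int result = -1;
    struct stat st;
    if (checkpath_chmod(file, 0640, 1) == 0 && stat(file, &st) == 0)
        result = (int)(st.st_mode & 07777);
    unlink(file);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("owned by us, 0755       -> %s\n", dir_is_trusted(1000, 0755, 1000) ? "trusted" : "untrusted");
    printf("root-owned, 1777        -> %s\n", dir_is_trusted(0, 01777, 1000) ? "trusted" : "untrusted");
    printf("other user, 0775        -> %s\n", dir_is_trusted(2000, 0775, 1000) ? "trusted" : "untrusted");
    printf("other user, 0755        -> %s\n", dir_is_trusted(2000, 0755, 1000) ? "trusted" : "untrusted");
    printf("round trip mode: %o\n", demo_roundtrip());
    return 0;
}
```

Note that this encodes William's wording exactly, so a root-owned but world-writable directory passes. Michael's earlier phrasing ("not writable only by yourself and root") is stricter and would also refuse there; expressing it in the sketch means dropping the ownership exception in `dir_is_trusted`, which is the kind of choice the "what should checkpath start complaining about?" question is asking about.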
