[Slackbuilds-users] Sanitizing permissions

Kyle Guinn elyk03 at gmail.com
Sat Jan 4 05:06:11 UTC 2014


I have been using this chmod command in my scripts to sanitize permissions:

chmod -R u+w,go-w,a+rX-st .

In plain English, that will give read access to everyone, write access
only to the owner, exec access to everyone if anyone has it, and
remove all the special permissions (SUID/SGID/SVTX).

Recently there was a mass change [1] to convert everything over to the
find/exec command in the template.  This has a number of bad side
effects:

1.  It's ugly and takes up five lines instead of one.

2.  It's slow.  After untarring the source for large packages, I
notice a long pause with no output from the script, and I start to
wonder if something is wrong.  If I run that find/exec command against
the Linux kernel tree:

real    3m36.196s
user    2m25.290s
sys     0m54.330s

Ouch, three and a half minutes.  The chmod command is almost
instantaneous on the same set of files:

real    0m0.463s
user    0m0.046s
sys     0m0.336s

3.  It doesn't match a lot of combinations.  How about 700, 550, 500,
660, or even 000?  What about something unnatural like 574?  Adding
all these combinations probably won't improve on the ugly or slow
factors.

4.  It doesn't match files with the SUID, SGID, or SVTX (sticky) bits
set, which I occasionally see in some tarballs.  Those files will
escape detection and won't have their permissions sanitized.  We would
have to add even more combinations...

So, are we going to be forced to use the find/exec command going
forward, or are we free to switch it back?

-Kyle

[1] http://www.slackbuilds.org/cgit/slackbuilds/commit/?id=926b93d445e92be03e62efcd742b2ac88f0d96ed
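
Added example, not part of the original post: it applies the chmod mode string quoted above to a constructed tree holding the odd modes the post lists, plus SUID, SGID and sticky entries, then audits for leftovers. The function names and file layout are hypothetical; GNU coreutils and findutils are assumed (stat -c, find -perm /mode).

```shell
#!/bin/sh
# Added example: constructed files only, created under a throwaway temp dir.
SANITIZE='u+w,go-w,a+rX-st'   # the mode string from the post

# List anything under $1 that still carries a special bit (SUID/SGID/sticky)
# or is writable by group or other. Requires GNU find for -perm /mode.
audit_tree() {
    find "$1" \( -perm /7000 -o -perm /022 \) -print
}

# Build one entry per mode, sanitize the tree, then print "before after"
# for each entry and a final "leftover N" line from the audit.
sanitize_demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        # Modes named in the post, plus SUID (4755) and SGID (2755) files.
        for m in 700 550 500 660 000 574 4755 2755; do
            : > "f$m"
            chmod "$m" "f$m"
        done
        # A sticky, world-writable directory.
        mkdir d1777 && chmod 1777 d1777
        chmod -R "$SANITIZE" .
        for p in f* d*; do
            printf '%s %s\n' "${p#?}" "$(stat -c %a "$p")"
        done
        printf 'leftover %d\n' "$(audit_tree . | wc -l)"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

sanitize_demo
```

Every entry ends up 755 or 644 depending only on whether it is a directory or had an execute bit, and the audit reports zero leftovers.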