[Slackbuilds-users] Sanitizing permissions

Robby Workman rworkman at slackbuilds.org
Fri Jan 31 05:56:30 UTC 2014


On Fri, 3 Jan 2014 23:06:11 -0600
Kyle Guinn <elyk03 at gmail.com> wrote:

> I have been using this chmod command in my scripts to sanitize
> permissions:
> 
> chmod -R u+w,go-w,a+rX-st .
> 
> In plain english, that will give read access to everyone, write access
> only to the owner, exec access to everyone if anyone has it, and
> remove all the special permissions (SUID/SGID/SVTX).
> 
> Recently there was a mass change [1] to convert everything over to the
> find/exec command in the template.  This has a number of bad side
> effects:
> 
> 1.  It's ugly and takes up five lines instead of one.
> 
> 2.  It's slow.  After untarring the source for large packages, I
> notice a long pause with no output from the script, and I start to
> wonder if something is wrong.  If I run that find/exec command against
> the Linux kernel tree:
> 
> real    3m36.196s
> user    2m25.290s
> sys     0m54.330s
> 
> Ouch, three and a half minutes.  The chmod command is almost
> instantaneous on the same set of files:
> 
> real    0m0.463s
> user    0m0.046s
> sys     0m0.336s
> 
> 3.  It doesn't match a lot of combinations.  How about 700, 550, 500,
> 660, or even 000?  What about something unnatural like 574?  Adding
> all these combinations probably won't improve on the ugly or slow
> factors.
> 
> 4.  It doesn't match files with the SUID, SGID, or SVTX (sticky) bits
> set, which I occasionally see in some tarballs.  Those files will
> escape detection and won't have their permissions sanitized.  We would
> have to add even more combinations...
> 
> So, are we going to be forced to use the find/exec command going
> forward, or are we free to switch it back?


I don't see any reason why anyone would be *forced* to use it,
especially given the valid reasons you show.

-RW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20140130/bc5f1e99/attachment.asc>


More information about the SlackBuilds-users mailing list