[Slackbuilds-users] Sanitizing permissions
rworkman at slackbuilds.org
Fri Jan 31 05:56:30 UTC 2014
On Fri, 3 Jan 2014 23:06:11 -0600
Kyle Guinn <elyk03 at gmail.com> wrote:
> I have been using this chmod command in my scripts to sanitize
> chmod -R u+w,go-w,a+rX-st .
> In plain English, that will give read access to everyone, write access
> only to the owner, exec access to everyone if anyone has it, and
> remove all the special permissions (SUID/SGID/SVTX).
> Recently there was a mass change to convert everything over to the
> find/exec command in the template. This has a number of bad side
> 1. It's ugly and takes up five lines instead of one.
> 2. It's slow. After untarring the source for large packages, I
> notice a long pause with no output from the script, and I start to
> wonder if something is wrong. If I run that find/exec command against
> the Linux kernel tree:
> real 3m36.196s
> user 2m25.290s
> sys 0m54.330s
> Ouch, three and a half minutes. The chmod command is almost
> instantaneous on the same set of files:
> real 0m0.463s
> user 0m0.046s
> sys 0m0.336s
> 3. It doesn't match a lot of combinations. How about 700, 550, 500,
> 660, or even 000? What about something unnatural like 574? Adding
> all these combinations probably won't improve on the ugly or slow
> 4. It doesn't match files with the SUID, SGID, or SVTX (sticky) bits
> set, which I occasionally see in some tarballs. Those files will
> escape detection and won't have their permissions sanitized. We would
> have to add even more combinations...
> So, are we going to be forced to use the find/exec command going
> forward, or are we free to switch it back?
I don't see any reason why anyone would be *forced* to use it,
especially given the valid reasons you show.
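
The effect of the one-line chmod from the quoted message can be checked on a scratch tree carrying the modes the message lists (700, 550, 500, 660, 000, 574, plus SUID/SGID/sticky entries). This is an added example, not part of the original thread; the file names and tree are constructed, and GNU coreutils (`stat -c`, `mktemp -d`) is assumed.

```shell
#!/bin/sh
# Added example: constructed scratch tree, not code from the thread.
# Assumes GNU coreutils (stat -c %a, mktemp -d).

# Create entries under $1 with the awkward modes named in the thread.
build_tree() {
    root=$1
    for m in 700 550 500 660 000 574 4755 2755; do
        : > "$root/file-$m"
        chmod "$m" "$root/file-$m"
    done
    mkdir "$root/dir-2775" "$root/dir-1777"
    chmod 2775 "$root/dir-2775"   # SGID directory
    chmod 1777 "$root/dir-1777"   # sticky, world-writable directory
}

# Print "name mode" (octal) for every entry directly below $1.
list_modes() {
    for p in "$1"/*; do
        printf '%s %s\n' "${p##*/}" "$(stat -c %a "$p")"
    done
}

# Build the tree, apply the sanitizing chmod, report the resulting modes.
sanitized_modes() {
    tmp=$(mktemp -d) || return 1
    build_tree "$tmp"
    ( cd "$tmp" && chmod -R u+w,go-w,a+rX-st . )
    list_modes "$tmp"
    rm -rf "$tmp"
}

sanitized_modes
```

Every entry that had any execute bit, and every directory, ends at 755; everything else ends at 644, with no special bits left.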