[Slackbuilds-users] Sanitizing permissions
Robby Workman
rworkman at slackbuilds.org
Fri Jan 31 05:56:30 UTC 2014
On Fri, 3 Jan 2014 23:06:11 -0600
Kyle Guinn <elyk03 at gmail.com> wrote:
> I have been using this chmod command in my scripts to sanitize
> permissions:
>
> chmod -R u+w,go-w,a+rX-st .
>
> In plain english, that will give read access to everyone, write access
> only to the owner, exec access to everyone if anyone has it, and
> remove all the special permissions (SUID/SGID/SVTX).
>
> Recently there was a mass change [1] to convert everything over to the
> find/exec command in the template. This has a number of bad side
> effects:
>
> 1. It's ugly and takes up five lines instead of one.
>
> 2. It's slow. After untarring the source for large packages, I
> notice a long pause with no output from the script, and I start to
> wonder if something is wrong. If I run that find/exec command against
> the Linux kernel tree:
>
> real 3m36.196s
> user 2m25.290s
> sys 0m54.330s
>
> Ouch, three and a half minutes. The chmod command is almost
> instantaneous on the same set of files:
>
> real 0m0.463s
> user 0m0.046s
> sys 0m0.336s
>
> 3. It doesn't match a lot of combinations. How about 700, 550, 500,
> 660, or even 000? What about something unnatural like 574? Adding
> all these combinations probably won't improve on the ugly or slow
> factors.
>
> 4. It doesn't match files with the SUID, SGID, or SVTX (sticky) bits
> set, which I occasionally see in some tarballs. Those files will
> escape detection and won't have their permissions sanitized. We would
> have to add even more combinations...
>
> So, are we going to be forced to use the find/exec command going
> forward, or are we free to switch it back?
I don't see any reason why anyone would be *forced* to use it,
especially given the valid reasons you show.
-RW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20140130/bc5f1e99/attachment.asc>
More information about the SlackBuilds-users
mailing list