This repository has been archived by the owner on Oct 23, 2023. It is now read-only.

Permission Dangerous #183

Open
liberodark opened this issue Dec 16, 2019 · 4 comments

@liberodark
Contributor

liberodark commented Dec 16, 2019

Hi,

I have installed your project; great idea, much easier than doing it by hand.
But you use dangerous permissions.
When you try to see the files:

ls -lha ananicy.d/
total 40K
drwxr-xr-x   3 pc pc 4,0K déc.  16 14:20 .
drwxr-xr-x 157 root root  12K déc.  16 16:51 ..
-rw-r--r--   1 pc pc  260 déc.  16 14:20 00-cgroups.cgroups
drwxr-xr-x   3 pc pc  12K déc.  16 16:50 00-default
-rw-r--r--   1 pc pc 1,3K déc.  16 14:20 00-types.types
-rw-r--r--   1 pc pc  381 déc.  16 14:20 ananicy.conf

The permissions are user permissions in /etc/; that should not be possible, and it opens security issues.

I have switched to root for more security:

ls -lha ananicy.d/
total 40K
drwxr-xr-x   3 root root 4,0K déc.  16 14:20 .
drwxr-xr-x 157 root root  12K déc.  16 16:51 ..
-rw-r--r--   1 root root  260 déc.  16 14:20 00-cgroups.cgroups
drwxr-xr-x   3 root root  12K déc.  16 16:50 00-default
-rw-r--r--   1 root root 1,3K déc.  16 14:20 00-types.types
-rw-r--r--   1 root root  381 déc.  16 14:20 ananicy.conf

The same goes for:

ls -lha /lib/systemd/system/ananicy.service
-rw-r--r-- 1 pc pc 456 déc.  16 14:20 /lib/systemd/system/ananicy.service

If you want, I can help you with that on your project.

Best Regards

@liberodark
Contributor Author

liberodark commented Dec 16, 2019

One solution to force root for the package: #187

@kfeoktistoff
Contributor

Alternative solution for deb distros: #202

The idea is to use a post-install hook. Once the deb package is installed, the script named postinst inside the deb package is run. This script updates the ownership of all ananicy files to root:root. The package can be built by any user.

I'd say this solution is temporary, just to close the security issue quickly. The proper long-term solution should be setting up a CI pipeline which builds the packages with the proper permissions automatically on each merge into the master branch.
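
The ownership check discussed in this thread, as an added example that is not part of the original issue, of either pull request, or of the ananicy project: a POSIX shell function that reports installed files not owned by the expected user, or writable by group or other. The function name `audit_paths` and its output format are assumptions of this example.

```sh
#!/bin/sh
# Added example (not ananicy code): audit ownership and write bits of
# installed files, e.g. after installing a package built by a normal user.
#
# audit_paths OWNER PATH...
#   OWNER is a user name or numeric uid (normally "root").
#   Prints one finding per line:
#     missing  <path>   PATH does not exist
#     owner    <path>   entry is not owned by OWNER
#     writable <path>   entry is writable by group or other
#   Returns 0 when nothing was found, 1 otherwise.
#
# Typical call for the paths shown in this issue:
#   audit_paths root /etc/ananicy.d /lib/systemd/system/ananicy.service
audit_paths() {
    expected_owner=$1
    shift
    findings=$(
        for p in "$@"; do
            if [ ! -e "$p" ]; then
                printf 'missing %s\n' "$p"
                continue
            fi
            # Anything under PATH (including PATH itself) with another owner.
            find "$p" ! -user "$expected_owner" -print | sed 's/^/owner /'
            # Group- or world-writable entries; symlinks are skipped because
            # their own mode bits are not meaningful on Linux.
            find "$p" ! -type l \( -perm -020 -o -perm -002 \) -print |
                sed 's/^/writable /'
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

A non-zero return can be used to fail a package build or CI job before the artifact is published.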

@Techcable
Contributor

Techcable commented Mar 3, 2021

Hmm, this doesn't seem to be a problem on my Arch Linux box? I installed via the AUR package ananicy-git.
With ls -lha /etc/ananicy.d, I get

Permissions Size User Date Modified Name
.rw-r--r-- 260 root 3 Mar 13:42 00-cgroups.cgroups
drwxr-xr-x - root 3 Mar 13:42 00-default
.rw-r--r-- 1.3k root 3 Mar 13:42 00-types.types
.rw-r--r-- 381 root 3 Mar 13:42 ananicy.conf

@kfeoktistoff
Contributor

@Techcable, yeah, your permissions are correct.
