Permissions for shared libraries in Kerberos
Cy.Schubert at cschubert.com
Sat Nov 28 02:09:10 EST 2020
In message <20201126190626.GD34187 at kduck.mit.edu>, Benjamin Kaduk writes:
> On Wed, Nov 18, 2020 at 03:04:27PM -0500, Greg Hudson wrote:
> > On 11/18/20 11:31 AM, Ken Hornstein wrote:
> > > I'm wondering if Kerberos should simply default to installing shared
> > > libraries as mode 755/555 everywhere, unless there is a reason to do
> > > otherwise.
In other words some unsuspecting user might ./libkrb5.so and receive some
strange error. As the FreeBSD package maintainer I'd revert the permissions
back to 0644. Why? Some unsuspecting user will try something stupid and
open a ticket. I avoid tickets.

Expect the same from your downstream Linux distros. Gratuitous tickets rob
support staff time from more productive work. That costs money. I work with
this in mind at $JOB. I have the same attitude with my open source
projects. Gratuitous tickets rob time from more fun programming activities.
> > I think that would be reasonable. As Russ noted, system policies differ
> > on this point, but toolchains (including libtool) seem to tend in the
> > direction of setting the executable bit, and the system policies are
> > decided at the packaging level.
> > The way our build system has this set up is per-platform; it's currently
> > +x on HPUX (if building on HPUX even still works) and -x everywhere
> > else. So we could make the change globally, or just for Linux platforms.
> They end up shared on FreeBSD (via packaging) as well, though I'm not the
> package maintainer for that one and didn't fully track down exactly where
> that happens. (The default INSTALL_LIB specifies a file mode to use, but
> it was not entirely clear to me that we actually honor INSTALL_LIB just
> from a `git grep`.)
Packaging of krb5 on FreeBSD uses the defaults in ports, that being 0644.
The only override within the four krb5 ports is for ksu because packaging
strips the setuid bit, which therefore must be set (again) in the packaging
plist file. In other words the FreeBSD krb5 packages are vanilla krb5. If
they are changed to 0755 I'll probably adjust the SHAREMODE to 0644 in the
packaging plist file, simply to avoid a ticket.
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.