Permissions for shared libraries in Kerberos

Cy Schubert Cy.Schubert at
Sat Nov 28 02:09:10 EST 2020

In message <20201126190626.GD34187 at>, Benjamin Kaduk writes:
> On Wed, Nov 18, 2020 at 03:04:27PM -0500, Greg Hudson wrote:
> > On 11/18/20 11:31 AM, Ken Hornstein wrote:
> > > I'm wondering if Kerberos should simply default to installing shared
> > > libraries as mode 755/555 everywhere, unless there is a reason to do
> > > otherwise.

In other words some unsuspecting user might ./ and receive some 
strange error. As the FreeBSD package maintainer I'd revert the permissions 
back to 0644. Why? Some unsuspecting user will try something stupid and 
open a ticket. I avoid tickets.

Expect the same from your downstream Linux distros. Gratuitous tickets rob 
support staff time from more productive work. That costs money. I work with 
this in mind at $JOB. I have the same attitude with my open source 
projects. Gratuitous tickets rob time from more fun programming activities.

> > 
> > I think that would be reasonable.  As Russ noted, system policies differ
> > on this point, but toolchains (including libtool) seem to tend in the
> > direction of setting the executable bit, and the system policies are
> > decided at the packaging level.
> > 
> > The way our build system has this set up is per-platform; it's currently
> > +x on HPUX (if building on HPUX even still works) and -x everywhere
> > else.  So we could make the change globally, or just for Linux platforms.
> They end up shared on FreeBSD (via packaging) as well, though I'm not the
> package maintainer for that one and didn't fully track down exactly where
> that happens.  (The default INSTALL_LIB specifies a file mode to use, but
> it was not entirely clear to me that we actually honor INSTALL_LIB just
> from a `git grep`.)

Packaging of krb5 on FreeBSD uses the defaults in ports, that being 0644. 
The only override within the four krb5 ports is for ksu because packaging 
strips the setuid bit and therefore must be set (again) in the packaging 
plist file. In other words the FreeBSD krb5 packages are vanilla krb5. If 
they are changed to 0755 I'll probably adjust the SHAREMODE to 0644 in the 
packaging plist file, simply to avoid a ticket.

Cy Schubert <Cy.Schubert at>
FreeBSD UNIX:  <cy at>   Web:
NTP:           <cy at>    Web:

	The need of the many outweighs the greed of the few.

More information about the krbdev mailing list