Permissions for shared libraries in Kerberos
Cy.Schubert at cschubert.com
Sat Nov 28 10:43:21 EST 2020
In message <87zh32gc2e.fsf at hope.eyrie.org>, Russ Allbery writes:
> Cy Schubert <Cy.Schubert at cschubert.com> writes:
> > In other words some unsuspecting user might ./libkrb5.so and receive
> > some strange error. As the FreeBSD package maintainer I'd revert the
> > permissions back to 0644. Why? Some unsuspecting user will try something
> > stupid and open a ticket. I avoid tickets.
> > Expect the same from your downstream Linux distros.
> Clearly not RPM-based distros, given the reported behavior of rpm, and
> that's quite a lot of them!
> Debian-derived distros already handle this via dh_fixperms, so it doesn't
> matter what Kerberos does by default.
I can do the same in each FreeBSD port's pkg-plist file. You could do what
Ports that use $(INSTALL), defaulting to /usr/bin/install, use 0644 by
default. But upstream software, e.g. krb5, that uses its own install
targets can be "fixed up" as discussed above. So yes, whatever you do here
doesn't have to affect my packaging of the software for FreeBSD.
> That does leave Arch and Gentoo (and probably others that aren't occuring
> to me at the moment), but I suspect this won't be a big deal for them.
I don't concur either but I can work around it if needed.
The reason I don't concur is: but why? Why do this in the first place? It
introduces "breakage" (in itself) for no good reason. But in the bigger
picture, I can work around this and IMO not really worth arguing about.
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.
More information about the krbdev