#1 2005-10-29 14:52:16

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

pacman doesn't preserve permissions

Hello,

I recently started to grant some people access to my server via SSH. In order to tighten the security a bit (or at least the perception of it), I decided to set the perms of most of my dirs in / and / itself to root:wheel 0751. Unfortunately, pacman reset the permissions of the dirs that were involved in the -Syu procedure back to root:root 0755.

Is there any way that I can get pacman to leave the permissions as they are?

Offline

#2 2005-10-31 16:45:39

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: pacman doesn't preserve permissions

Anyone?

Offline

#3 2005-10-31 18:02:10

High|ander
Member
From: Skövde, Sweden
Registered: 2005-10-28
Posts: 188
Website

Re: pacman doesn't preserve permissions

maybe because it thinks that it is a security-risk?

Why do you want root:wheel?


When death smiles at you, all you can do is smile back!
Blog

Offline

#4 2005-10-31 18:39:45

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: pacman doesn't preserve permissions

High|ander wrote:

maybe because it thinks that it is a security-risk?

Why do you want root:wheel?

Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.

Apart from that, I do not believe it is done because of security reasons. After all, 0751 is less permissive than 0755 (standard), and still pacman keeps changing it back to 0755.

Thanks for the answer, anyway!

Offline

#5 2005-10-31 18:53:48

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: pacman doesn't preserve permissions

LB06 wrote:

Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.

What's wrong with sudo?

Offline

#6 2005-10-31 19:10:09

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: pacman doesn't preserve permissions

Penguin wrote:
LB06 wrote:

Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.

What's wrong with sudo?

I could use sudo, although I do not like the idea of having to become root to get tab completion and file listing working. Then I would have to be root all the time and that reminds me of a certain OS with a notoriously bad security record. :)

And that does not solve my problem, as I will still lose permissions with every upgrade anyway.

Offline

#7 2005-10-31 19:11:01

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: pacman doesn't preserve permissions

LB06 wrote:

Is there any way that I can get pacman to leave the permissions as they are?

I'm afraid not. That's how pacman works. When a package is made, the system directories get permissions root:root. When you install a package, pacman untars it and the permissions are reset to root:root. I would suggest using a small script to upgrade your system:

#!/bin/sh
pacman -Syu
chmod ...

where the last line is modified accordingly. That way, after each upgrade, the permissions will be set to your liking.

Offline
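
The upgrade wrapper suggested in the post above, written out as an added example that is not part of the original thread. It reports which directories an upgrade reset and restores the 0751 mode (and root:wheel when run as root). The POLICY list, the function names and the ROOT prefix argument are assumptions for illustration; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: re-apply a directory-mode policy after `pacman -Syu`.
# POLICY and the ROOT prefix are illustrative assumptions; ROOT lets the
# functions be exercised on a scratch tree instead of the live /.
POLICY='751 /
751 /usr
751 /var
751 /home
751 /etc'

# Print "path current wanted" for every policy directory whose mode drifted.
report_drift() {
    root=$1
    printf '%s\n' "$POLICY" | while read -r want path; do
        dir="$root$path"
        [ -d "$dir" ] || continue          # skip directories absent on this host
        have=$(stat -c '%a' "$dir")        # GNU stat: octal mode, e.g. 755
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$dir" "$have" "$want"
    done
}

# Restore the wanted mode on drifted directories; as root, also set root:wheel.
reapply_policy() {
    root=$1
    report_drift "$root" | while read -r dir have want; do
        chmod "$want" "$dir"
        if [ "$(id -u)" -eq 0 ] && getent group wheel >/dev/null 2>&1; then
            chown root:wheel "$dir"
        fi
        printf 'fixed %s: %s -> %s\n' "$dir" "$have" "$want"
    done
}

# Typical use as root, in place of the bare `chmod ...` line:
#   pacman -Syu && reapply_policy ""
```

Running `report_drift ""` on its own after an upgrade shows which directories pacman reset without changing anything.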

#8 2005-10-31 19:14:38

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: pacman doesn't preserve permissions

Snowman wrote:
LB06 wrote:

Is there any way that I can get pacman to leave the permissions as they are?

I'm afraid not. That's how pacman works. When a package is made, the system directories get permissions root:root. When you install a package, pacman untars it and the permissions are reset to root:root. I would suggest using a small script to upgrade your system:

#!/bin/sh
pacman -Syu
chmod ...

where the last line is modified accordingly. That way, after each upgrade, the permissions will be set to your liking.

I am really sorry to hear that. I also thought about such a script, but that seemed like a workaround to me.

Offline

#9 2005-10-31 20:40:27

paranoos
Member
From: thornhill.on.ca
Registered: 2004-07-22
Posts: 442

Re: pacman doesn't preserve permissions

I had a similar problem, but with Apache resetting permissions to the /home/httpd/html directory. I wanted my users to be able to copy files into there, without having to sudo (it was silly to do sudo cp).

The solution for me was to add this line to /etc/pacman.conf
NoExtract = home/httpd/html/

Unfortunately, I don't think that will be much use to you, since you'd have to specify all the directories in your tree.

Leaving it as 755 shouldn't be a problem... why shouldn't normal users be allowed to get a directory listing at / ?

Offline

#10 2005-10-31 21:16:18

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: pacman doesn't preserve permissions

I just want everything to be as tightly secured as possible. I know it doesn't add any real security directly (more security through obscurity), but initially I thought it would be a low-risk, low-maintenance kind of security enhancement.

It prevents n00bs from messing around on my system. I want everybody to whom I grant SSH access to feel as locked down as possible. It might also scare off potential crackers.

Btw it's not only about the root dir, but also about /var, /usr, /usr/*[except bin], /home, /etc, etc. :)

Offline

#11 2005-11-01 00:23:57

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: pacman doesn't preserve permissions

It doesn't add security, and is a dirty hack for the most part.
A better solution would be to put ssh users in a reduced shell of some kind. Search Google for bash restricted shells, ssh shell jails, and so forth. That would be my recommendation.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline
