Hello,
I recently started to grant some people access to my server via SSH. In order to tighten the security a bit (or at least the perception of it), I decided to set the perms of most of my dirs in / and / itself to root:wheel 0751. Unfortunately, pacman reset the permissions of the dirs that were involved in the -Syu procedure back to root:root 0755.
Is there any way that I can get pacman to leave the permissions as they are?
Anyone?
Maybe because it thinks that it is a security risk?
Why do you want root:wheel?
Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.
Apart from that, I do not believe it is done because of security reasons. After all, 0751 is less permissive than 0755 (standard), and still pacman keeps changing it back to 0755.
Thanks for the answer, anyway!
Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.
What's wrong with sudo?
LB06 wrote: Because I, as a system admin, do need file listing in /usr /home /var and so on. If I leave it at root:root, I have the same restrictions as my users, which is what I don't want.
What's wrong with sudo?
I could use sudo, although I do not like the idea of having to become root to get tab completion and file listing working. Then I would have to be root all the time, and that reminds me of a certain OS with a notoriously bad security record.
And that does not solve my problem, as I will still lose permissions with every upgrade anyway.
Is there any way that I can get pacman to leave the permissions as they are?
I'm afraid not. That's how pacman works. When a package is made, the system directories get permissions root:root. When you install a package, pacman untars it and the permissions are reset to root:root. I would suggest using a small script to upgrade your system:
#!/bin/sh
pacman -Syu
chmod ...
where the last line is modified accordingly. That way, after each upgrade, the permissions will be set to your liking.
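The post-upgrade script suggested above, filled in as an added example (it is not code from the thread). It assumes GNU stat from coreutils; the directory list, mode 751 and group wheel are taken from the posts, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the "pacman -Syu, then chmod" wrapper from the thread, filled in.
# Assumptions: GNU stat (coreutils); DIRS, mode 751 and group wheel come from the
# thread; the function names are hypothetical.

DIRS="/ /usr /var /home /etc"
WANT_MODE=751
WANT_GROUP=wheel

# reapply_mode DIR MODE
# Reset DIR to MODE only if it drifted, and print what changed.
# Returns 1 for symlinks, non-directories, or on failure.
reapply_mode() {
    rm_dir=$1
    rm_mode=$2
    # Check -L first: -d follows symlinks, and chmod would change the target.
    if [ -L "$rm_dir" ] || [ ! -d "$rm_dir" ]; then
        echo "skip: $rm_dir (symlink or not a directory)" >&2
        return 1
    fi
    rm_cur=$(stat -c '%a' "$rm_dir") || return 1
    if [ "$rm_cur" != "$rm_mode" ]; then
        chmod "$rm_mode" "$rm_dir" || return 1
        echo "reset: $rm_dir $rm_cur -> $rm_mode"
    fi
    return 0
}

# Run the upgrade, then put back owner, group and mode on every listed directory.
upgrade_and_reapply() {
    pacman -Syu || return 1
    for ur_dir in $DIRS; do
        reapply_mode "$ur_dir" "$WANT_MODE" || continue
        chown "root:$WANT_GROUP" "$ur_dir"
    done
}

# Only touch the system when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--upgrade" ]; then
    upgrade_and_reapply
fi
```

The "reset:" lines show which directories the upgrade actually touched. With mode 0751, accounts outside the owner and group can still traverse a directory but cannot list it.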
LB06 wrote: Is there any way that I can get pacman to leave the permissions as they are?
I'm afraid not. That's how pacman works. When a package is made, the system directories get permissions root:root. When you install a package, pacman untars it and the permissions are reset to root:root. I would suggest using a small script to upgrade your system:
#!/bin/sh
pacman -Syu
chmod ...
where the last line is modified accordingly. That way, after each upgrade, the permissions will be set to your liking.
I am really sorry to hear that. I also thought about such a script, but that seemed like a workaround to me.
I had a similar problem, but with apache resetting permissions to the /home/httpd/html directory. I wanted my users to be able to copy files into there, without having to sudo (it was silly to do sudo cp).
The solution for me was to add this line to /etc/pacman.conf:
NoExtract = home/httpd/html/
Unfortunately, I don't think that will be much use to you, since you'd have to specify all the directories in your tree.
Leaving it as 755 shouldn't be a problem... why shouldn't normal users be allowed to get a directory listing at / ?
I just want everything to be as tightly secured as possible. I know it doesn't add any real security directly (more security through obscurity), but initially I thought it would be a low-risk, low-maintenance kind of security enhancement.
It prevents n00bs from messing around on my system. I want everybody to whom I grant SSH access to feel as locked down as possible. It might also scare off potential crackers.
Btw it's not only about the root dir, but also about /var, /usr, /usr/*[except bin], /home, /etc, etc
It doesn't add security, and is a dirty hack for the most part.
A better solution would be to put ssh users in a reduced shell of some kind. Search google for bash restricted shells, ssh shell jails, and so forth. That would be my recommendation.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍