On Tue, 2006-03-21 at 16:36 -0800, stucky wrote:
> I'd say it is improper behaviour considering that I might wanna know
> when permissions on such a file have changed without
> getting email alerts every hour cause cfagent itself sets them to 600
> and then to 644. I don't wanna know that so I have to turn the inform
> flag off. However, if someone just messes with /etc/hosts permission
> I'd like to know hence the inform flag.
> Wouldn't it make more sense if cfagent read the 'mode' directive from
> the copy: statement first and then set the permission
> of /etc/hosts.cfnew to that. This way when it moves /etc/hosts.cfnew
> to /etc/hosts it already has the correct permissions.
But what if the user has asked for the file to be more protected than
the original permissions -- then there would be a window in which the
file was available to others. That would be a security breach.