
Re: copy function creates mode 600 by default ?

Subject: Re: copy function creates mode 600 by default ?
From: Mark Burgess
Date: Wed, 22 Mar 2006 09:56:15 +0100
Newsgroups: gnu.cfengine.help

On Tue, 2006-03-21 at 16:36 -0800, stucky wrote:
> I'd say it is improper behaviour considering that I might wanna know
> when permissions on such a file have changed without
> getting email alerts every hour cause cfagent itself sets them to 600
> and then to 644. I don't wanna know that so I have to turn the inform
> flag off. However, if someone just messes with /etc/hosts permission
> I'd like to know hence the inform flag.
>
> Wouldn't it make more sense if cfagent read the 'mode' directive from
> the copy: statement first and then set the permission
> of /etc/hosts.cfnew to that. This way when it moves /etc/hosts.cfnew
> to /etc/hosts it already has the correct permissions.

But what if the user has asked for the file to be more protected than
the original permissions -- then there would be a window in which the
file was available to others. That would be a security breach.
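
The ordering discussed in this thread, as an added example (not cfengine's code and not written by either poster): the staging file is created owner-only, filled, given the requested mode, and only then renamed over the target. `install_file` is a hypothetical helper name; only the `.cfnew` suffix comes from the thread.

```python
import os
import stat


def install_file(data, dest, mode):
    """Atomically replace dest with data; return the modes the staging file held.

    install_file is a hypothetical helper; only the .cfnew suffix is from the thread.
    """
    staging = dest + ".cfnew"
    seen = []
    # O_EXCL fails if the staging name already exists, so a file or symlink
    # planted there beforehand is never written through.
    fd = os.open(staging, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            # Content is written while only the owner can open the file.
            seen.append(stat.S_IMODE(os.fstat(f.fileno()).st_mode))
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
            # Apply the requested mode last, whether stricter or wider than 0600.
            os.fchmod(f.fileno(), mode)
            seen.append(stat.S_IMODE(os.fstat(f.fileno()).st_mode))
        # Rename semantics: readers see the old file or the new one, never a mix.
        os.replace(staging, dest)
    except BaseException:
        if os.path.exists(staging):
            os.unlink(staging)
        raise
    return seen
```

With a requested mode of 0400 the staging file goes 0600 then 0400, so it is never readable by others; creating it directly at a wider mode copied from elsewhere is what would open the window described above.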
