From owner-freebsd-ports@FreeBSD.ORG Tue Jul 8 17:01:53 2014
Date: Tue, 8 Jul 2014 10:01:53 -0700
Subject: Re: Gnome negative group permissions
From: Kevin Oberman
To: mexas@bris.ac.uk
Cc: Brooks Davis, FreeBSD Ports ML

On Mon, Jul 7, 2014 at 11:24 AM, Anton Shterenlikht wrote:

> From a daily log:
>
> Checking negative group permissions:
> 55224447 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:12 2014
> /usr/local/share/gnome/help/services-admin/nl/legal.xml
> 55224448 -rw-r--r-x 1 root wheel 7330 Jun 19 23:55:12 2014
> /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
> 55224604 -rw-r--r-x 1 root wheel 3672 Jun 19 23:55:13 2014
> /usr/local/share/gnome/help/time-admin/nl/legal.xml
> 55224605 -rw-r--r-x 1 root wheel 6746 Jun 19 23:55:13 2014
> /usr/local/share/gnome/help/time-admin/nl/time-admin.xml
>
> Are these permissions really intended?
> Or does the port installation have to be fixed?
>
> Anton
>

Yes, they are intended. Feel free to google for prior discussions. There is NOTHING wrong with "negative" permissions and they are desirable in many cases.

The test for negative permissions was originally added to periodic/security set to not run by default in /etc/defaults/periodic.conf. In 2011 the author, brooks@, changed the default to YES and everyone running any port that used negative group permissions started getting these errors. The change to a default of YES contained no reason for the change, but the commit message for the test does explain why negative group permissions are usually not correct.

"Add an (off by default) check for negative permissions (where the group on an object has less permissions than everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean."

It's just that there are cases where negative group permissions are intended and this is such a case. If you don't want to see them, add daily_status_security_neggrpperm_enable="NO" to /etc/periodic.conf.

-- 
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
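
The rule discussed in this message (the group class lacks a permission bit that "other" has), as an added example that is not part of the original e-mail and is not the FreeBSD periodic script. The function names `neg_grp_perm`, `has_neg_grp_perm` and `demo` are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: find files with "negative" group permissions, i.e. the
# group class is missing a bit that the "other" class holds (-rw-r--r-x).

# neg_grp_perm DIR: print files and directories under DIR that match.
neg_grp_perm() {
    # POSIX find: "-perm -N" is true when every bit in N is set, so each
    # clause reads "other has the bit AND group does not".
    find "$1" \( -type f -o -type d \) \( \
        \( -perm -001 ! -perm -010 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -004 ! -perm -040 \) \
    \) -print
}

# has_neg_grp_perm MODE: apply the same rule to one octal mode (e.g. 645).
# Exit status 0 means the mode has negative group permissions.
has_neg_grp_perm() {
    mode=$(( 0$1 ))                 # leading 0 makes the shell read octal
    group=$(( (mode >> 3) & 7 ))
    other=$(( mode & 7 ))
    [ $(( other & ~group & 7 )) -ne 0 ]
}

# demo: constructed tree with one file using the mode from the daily log
# (0645) and one ordinary 0644 file; prints the flagged file names.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/legal.xml";  chmod 645 "$d/legal.xml"
    : > "$d/normal.xml"; chmod 644 "$d/normal.xml"
    neg_grp_perm "$d" | sed 's|.*/||'
    rm -rf "$d"
}

# Scan a real directory when one is given: sh negperm.sh /usr/local/share
if [ -n "${1:-}" ]; then
    neg_grp_perm "$1"
fi
```

Run with a directory argument to list matches before deciding whether to fix the modes or disable the report.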