Date:      Tue, 8 Jul 2014 10:01:53 -0700
From:      Kevin Oberman <rkoberman@gmail.com>
To:        mexas@bris.ac.uk
Cc:        Brooks Davis <brooks@freebsd.org>, FreeBSD Ports ML <freebsd-ports@freebsd.org>
Subject:   Re: Gnome negative group permissions
Message-ID:  <CAN6yY1uyePJTmdEoWbgreZ1zarsCfMFq10hZdEaNr8PgyRuaaw@mail.gmail.com>
In-Reply-To: <201407071824.s67IOXer057353@mech-cluster241.men.bris.ac.uk>
References:  <201407071824.s67IOXer057353@mech-cluster241.men.bris.ac.uk>

On Mon, Jul 7, 2014 at 11:24 AM, Anton Shterenlikht <mexas@bris.ac.uk>
wrote:

> From a daily log:
>
> Checking negative group permissions:
> 55224447 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:12 2014
> /usr/local/share/gnome/help/services-admin/nl/legal.xml
> 55224448 -rw-r--r-x  1 root  wheel  7330 Jun 19 23:55:12 2014
> /usr/local/share/gnome/help/services-admin/nl/services-admin.xml
> 55224604 -rw-r--r-x  1 root  wheel  3672 Jun 19 23:55:13 2014
> /usr/local/share/gnome/help/time-admin/nl/legal.xml
> 55224605 -rw-r--r-x  1 root  wheel  6746 Jun 19 23:55:13 2014
> /usr/local/share/gnome/help/time-admin/nl/time-admin.xml
>
> Are these permissions really intended?
> Or does the port installation have to be fixed?
>
> Anton
>

Yes, they are intended. Feel free to google for prior discussions.

There is NOTHING wrong with "negative" permissions and they are desirable
in many cases. The test for negative permissions was originally added to
periodic/security, set to not run by default in
/etc/defaults/periodic.conf. In 2011 the author, brooks@, changed the
default to YES and everyone running any port that used negative group
permissions started getting these errors.

The change to a default of YES contained no reason for the change, but the
commit message for the test does explain why negative group permissions are
usually not correct.

"Add an (off by default) check for negative permissions (where the
group on an object has less permissions than everyone).  These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean."

It's just that there are cases where negative group permissions are
intended and this is such a case. If you don't want to see them, add
daily_status_security_neggrpperm_enable="NO" to /etc/periodic.conf.
-- 
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
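
The condition the quoted commit message describes (group holds fewer permissions than everyone) can be reproduced with a portable `find` expression. This is an added example, not part of the original message and not the FreeBSD periodic script; the function names `neggrpperm_scan` and `neggrpperm_bits` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script itself.

# List regular files under $1 where "other" holds a permission bit that
# "group" lacks. -xdev keeps the walk on one filesystem.
neggrpperm_scan() {
    find "$1" -xdev -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print | sort
}

# Print the r/w/x letters that other has and group lacks for file $1.
neggrpperm_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    # setgid/sticky share the execute column: s,t imply x; S,T imply no x.
    grp=$(printf '%s' "$mode" | cut -c5-7 | tr 'sS' 'x-')
    oth=$(printf '%s' "$mode" | cut -c8-10 | tr 'tT' 'x-')
    out=""
    for i in 1 2 3; do
        g=$(printf '%s' "$grp" | cut -c"$i")
        o=$(printf '%s' "$oth" | cut -c"$i")
        if [ "$g" = "-" ] && [ "$o" != "-" ]; then out="$out$o"; fi
    done
    printf '%s\n' "$out"
}

# Constructed sample tree: one file with the mode from the log (0645),
# one ordinary 0644 file, and one 0604 file.
demo=$(mktemp -d)
touch "$demo/legal.xml" "$demo/plain.xml" "$demo/noread.xml"
chmod 645 "$demo/legal.xml"
chmod 644 "$demo/plain.xml"
chmod 604 "$demo/noread.xml"
neggrpperm_scan "$demo" | while IFS= read -r f; do
    echo "$f: group lacks '$(neggrpperm_bits "$f")' that other has"
done
rm -rf "$demo"
```

Because the group class is evaluated before "other", a member of the file's group is denied the bits this reports even though every non-member is granted them.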


