Date:      Tue, 08 Jul 2014 14:31:02 -0400
From:      Lowell Gilbert <freebsd-ports-local@be-well.ilk.org>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        mexas@bris.ac.uk, Brooks Davis <brooks@freebsd.org>, FreeBSD Ports ML <freebsd-ports@freebsd.org>
Subject:   Re: Gnome negative group permissions
Message-ID:  <44ha2rity1.fsf@be-well.ilk.org>
In-Reply-To: <CAN6yY1uyePJTmdEoWbgreZ1zarsCfMFq10hZdEaNr8PgyRuaaw@mail.gmail.com> (Kevin Oberman's message of "Tue, 8 Jul 2014 10:01:53 -0700")
References:  <201407071824.s67IOXer057353@mech-cluster241.men.bris.ac.uk> <CAN6yY1uyePJTmdEoWbgreZ1zarsCfMFq10hZdEaNr8PgyRuaaw@mail.gmail.com>

Kevin Oberman <rkoberman@gmail.com> writes:

> It's just that there are cases where negative group permissions are
> intended and this is such a case. If you don't want to see them, add
> "daily_status_security_neggrpperm_enable="NO"  to /etc/periodic.conf.

I added a hack to work around this without disabling the check
completely. Anything wrong with something of this sort?


--- /etc/periodic/security/110.neggrpperm	2014-07-08 14:12:31.000000000 -0400
+++ /usr/src/etc/periodic/security/110.neggrpperm	2014-06-03 19:49:13.000000000 -0400
@@ -37,26 +37,18 @@
 
 security_daily_compat_var security_status_neggrpperm_enable
 
-
 rc=0
 
 if check_yesno_period security_status_neggrpperm_enable
 then
 	echo ""
 	echo 'Checking negative group permissions:'
-
-	if [ -z ${security_neggrperm_ignore} ] ; then
-	    echo security_neggrperm_ignore not set
-	    security_neggrperm_ignore="/nonexistent"
-	fi
-
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
 	n=$(find -sx $MP /dev/null -type f \
 	    \( \( ! -perm +010 -and -perm +001 \) -or \
 	    \( ! -perm +020 -and -perm +002 \) -or \
 	    \( ! -perm +040 -and -perm +004 \) \) \
-	    -exec ls -liTd \{\} \+ | grep -v "${security_neggrperm_ignore}" | \
-	    tee /dev/stderr | wc -l)
+	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0
 fi
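Review bot: the diff is reversed (the `---` side is the edited /etc copy and the `+++` side the pristine /usr/src file), so the `-` lines are in fact the additions, and the added filter `grep -v "${security_neggrperm_ignore}"` treats the ignore value as an unanchored basic regular expression matched against the whole `ls -liTd` line, so `.` and other metacharacters match loosely and a value like `/tmp` would also hide `/var/tmp/...` entries; consider an anchored pattern via `grep -v -e`, a fixed-string match with `grep -vF`, or, for several paths, a list read with `grep -v -f`. Two smaller points: quote the test as `[ -z "${security_neggrperm_ignore}" ]`, since an unquoted empty expansion collapses to `[ -z ]` and only works by accident, and the `echo security_neggrperm_ignore not set` line lands in the daily report on every run, so a default in /etc/defaults/periodic.conf (named consistently with the existing `security_status_neggrpperm_enable`, i.e. `neggrpperm` rather than `neggrperm`) would be quieter. Note also that an edit made directly to /etc/periodic/security/110.neggrpperm is overwritten by the next mergemaster/etcupdate run.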