Date: Wed, 29 Feb 2012 02:24:58 -0500
From: Jason Hellenthal
To: jb, freebsd-current@freebsd.org
Subject: Re: negative group permissions?
Message-ID: <20120229072458.GA95427@DataIX.net>
References: <20120228092244.GB48977@mech-cluster241.men.bris.ac.uk> <20120228162447.GB58311@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <20120228162447.GB58311@mech-cluster241.men.bris.ac.uk>
List-Id: Discussions about the use of FreeBSD-current

On Tue, Feb 28, 2012 at 04:24:47PM +0000, Anton Shterenlikht wrote:
> On Tue, Feb 28, 2012 at 03:07:43PM +0000, jb wrote:
> > Anton Shterenlikht bristol.ac.uk> writes:
> >
> > >
> > > This was discussed in questions@ with no resolution.
> > > Anybody here can advise further?
> > > ...
> >
> > Regarding file .seq or .SEQ
> >
> > It is an intermediate-processing (run-time) lockfile found in various spool
> > dirs and their sub-dirs, like
> > /var/spool/cron/
> > /at,
> > /lpd, etc.
> > It is used to save job# by the respective programs (cron, at, etc).
> > You can find a ref to .SEQ in file at.c in at port sources.
> > I did not see ref to .seq in lpr or cron port sources.
> >
> > The periodic security check
> > /etc/periodic/security/110.neggrpperm
> > checks for risque condition like
> > ! -perm +010 -and -perm +001
> >
> > The file should not be executable, according to its purpose.
> >
> > So the lpr.c should be changed from
> > if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
> > to
> > if ((fd = open(buf, O_RDWR|O_CREAT, 0660)) < 0) {
> >
> > File a bug report.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/165533

The only thing that is wrong here is the misconception of negative
permissions. This bit of code tracks all the way back to 4.3BSD and
probably further while LPR dates back to 3BSD.

Nobody programs 661 for no reason and changing that code will most
likely have a negative impact and I do not see that as a real answer to
this problem.

Above I see your .seq file created 0641 so not only do you have a
negative permission on the file you are also missing a bit ;). You might
want to review some of your other permissions to see if anything is
missing. That has been explained all over the net for the differences of
x86 & x86_64 systems.

I attempted to search around for the history of 661 on .seq but cannot
find any at the moment. E_LACKINGSLEEP

--
;s =;
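
The condition quoted in the thread, as an added example (not part of the original message and not the FreeBSD periodic script itself): it lists files where "other" holds a permission bit that the group lacks, and extends the quoted execute-bit test to the write and read bits. The function names `neggrpperm` and `demo` and the sample files are constructed for illustration; the portable `-perm -mode` form is used, which for a single-bit mask selects the same files as the `+mode` form quoted above.

```shell
#!/bin/sh
# Added example: find "negative group permissions", i.e. files where
# "other" has a permission bit that the owning group does not have.

neggrpperm() {
    # One clause per bit: execute (010 vs 001), write (020 vs 002),
    # read (040 vs 004). "! -perm -010 -a -perm -001" means
    # "group x is clear AND other x is set".
    find "$1" -type f \( \
        \( ! -perm -010 -a -perm -001 \) -o \
        \( ! -perm -020 -a -perm -002 \) -o \
        \( ! -perm -040 -a -perm -004 \) \) -print | sort
}

demo() {
    # Constructed sample files: 0661 (lpr.c as quoted), 0660 (proposed
    # change), 0641 (mode reported in the thread), 0664 (control case).
    dir=$(mktemp -d) || return 1
    for mode in 0661 0660 0641 0664; do
        : > "$dir/seq.$mode"
        chmod "$mode" "$dir/seq.$mode"
    done
    (cd "$dir" && neggrpperm .)
    rm -rf "$dir"
}

# Lists seq.0641 and seq.0661: in both, other has x while group does not.
demo
```
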