From: Ian Lepore
To: jb
Cc: freebsd-current@freebsd.org
Date: Wed, 29 Feb 2012 08:00:21 -0700
Subject: Re: negative group permissions?

On Wed, 2012-02-29 at 13:21 +0000, jb wrote:
> jb gmail.com> writes:
>
> > ...
> > I would suggest (if you can) that you change the .seq permissions to 0664 and
> > watch what happens to it - the purpose is to narrow down who/what changed its
> > mode.
> > Some history. logs. and some ad hoc "watch script" would do it.
>
> Take a look at "notify" feature (file, dir, event).
> http://www.freebsd.org/cgi/ports.cgi?query=notify&stype=all
> jb

I don't understand why everyone is focused on the 641 mode the file ends
up with. The code creates the file using 0661, and under a umask of 022
you end up with a file with 0641 permissions. How the write bit
disappeared from the group permissions doesn't seem to be germane to the
real question of why the code specifies world-exec access.

I don't think it's a legitimate attempt to leverage the negative
permissions quirk, because it doesn't effectively do so. It's not a
directory or executable file in the first place, so making it executable
for everyone except the owner and group is not some sort of subtle
security trick, it's just meaningless.

I think the code is long overdue for a fix to 0660 permissions when
creating the file.

-- Ian
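
The mode arithmetic discussed in the message above, as an added example that is not part of the thread or of the FreeBSD source: it creates a scratch file with a requested mode under a given umask, reads back the bits that were stored, and reports any rwx bit that a less-privileged class holds while a more-privileged class lacks it. The function names and the scratch path under /tmp are assumptions made for the illustration.

```c
/* Added example; constructed for illustration, not FreeBSD source. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch file with `requested` under `mask`; return the stored
 * permission bits, or -1 on error. The path is a hypothetical scratch name. */
int created_mode(mode_t requested, mode_t mask)
{
    char path[64];
    struct stat sb;
    mode_t old;
    int fd, rc;

    snprintf(path, sizeof(path), "/tmp/seqmode.%ld", (long)getpid());
    old = umask(mask);
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested); /* no clobber */
    umask(old);
    if (fd < 0)
        return -1;
    rc = fstat(fd, &sb);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(sb.st_mode & 0777) : -1;
}

/* rwx bits held by a less-privileged class but missing from a more-privileged
 * one (group vs owner, other vs group, other vs owner); 0 means none. */
int inverted_bits(int mode)
{
    int u = (mode >> 6) & 7, g = (mode >> 3) & 7, o = mode & 7;
    return ((g & ~u) | (o & ~g) | (o & ~u)) & 7;
}

int main(void)
{
    int req[] = { 0661, 0660 };   /* mode from the thread, then the proposed fix */
    for (int i = 0; i < 2; i++) {
        int got = created_mode((mode_t)req[i], 022);
        if (got < 0) { perror("created_mode"); return 1; }
        printf("requested %04o, umask 022 -> created %04o, inverted bits %o\n",
               req[i], got, inverted_bits(got));
    }
    return 0;
}
```

The world-exec bit is flagged in both the requested 0661 and the resulting 0641, so the umask is not what introduces it; requesting 0660 yields 0640 with nothing flagged.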