Issue Details (XML | Word | Printable)

Key: CORE-2195
Type: Improvement Improvement
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Alexander Peshkov
Reporter: Alexander Peshkov
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Firebird Core

Linux CS install requires access rights review.

Created: 17/Nov/08 06:19 AM   Updated: 08/Nov/09 08:38 PM
Component/s: Installation
Affects Version/s: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.0.4, 2.5 Alpha 1, 2.1.1, 2.0.5
Fix Version/s: 2.5 Beta 1

Time Tracking:
Not Specified

Environment: linux

Planning Status: Unspecified


 Description  « Hide
CS and SS have slightly different access rights assignment. It will be good to unify them as much as possible.

 All   Comments   Work Log   Change History   Version Control   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Mark O'Donohue added a comment - 17/Nov/08 07:51 AM
Hi Alex

What are the different rights?

As I remember there were specifically some different ones, because of the different ways they operated, with the option of CS running as root for instance, and I think possibly some differences since classic client allows direct access, so there may have been some requirement for access to message files and lock file for example, but I am not sure if those are the attributes that you are talking about.

(posted in the hope that you will answer my other question :-) - Mark

Alexander Peshkov added a comment - 17/Nov/08 08:21 AM
They both can run as root in case crazy client chooses such mode.
And certainly there will be differencies - I mean only avoiding unneeded one. Like most of files owned by user firebird in CS. In SS owner is root and it's correct.

Mark O'Donohue added a comment - 18/Nov/08 06:15 AM
Hi ALex

One of the problems was CS files like lock were accessed and updated by all users, not just the Classic Server inetd process.

So for users to access those files they at least needed to be in group "firebird", which gave them privileged access to those files, otherwise the files needed to be world writable.

However there were some clever exploits, where if a user changed those files, I cant remember, but to some odd links, and then server run as normal, running as root, then the server would end up running a shell script that the naughty user had pointed to.

Cheers - Mark