Posted to sysadmins@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2017/11/27 15:00:25 UTC

[Bug 7508] New: Suboptimal permissions of mirrored rulesets files (on sa-update mirrors)

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7508

            Bug ID: 7508
           Summary: Suboptimal permissions of mirrored rulesets files (on
                    sa-update mirrors)
           Product: Spamassassin
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: sysadmins
          Assignee: sysadmins@spamassassin.apache.org
          Reporter: Jens.Schleusener@t-online.de
  Target Milestone: Undefined

The mirrored rulesets tarball files (and the corresponding ASC and SHA1 files) have
odd and heterogeneous permissions. Here is an extract:

 -rw-rw-r--      11 Nov 27 14:17 MIRROR.CHECK
 -rw-r--r--     100 Nov 27 09:31 1816413.tar.gz.sha1
 -rw-r--r--     819 Nov 27 09:31 1816413.tar.gz.asc
 -rw-r--r--  207813 Nov 27 09:31 1816413.tar.gz
 -r-xr--r--     819 Nov 27 03:55 1816372.tar.gz.asc
 -r-xr--r--     113 Nov 27 03:55 1816372.tar.gz.sha1
 -r-xr--r--  275070 Nov 27 03:55 1816372.tar.gz
 -rw-r--r--    1309 Nov 26 22:30 MIRRORED.BY
 ...
 -rw-rw-r--     100 Jun  4 10:30 1797561.tar.gz.sha1
 -rw-rw-r--     819 Jun  4 10:30 1797561.tar.gz.asc
 -rw-rw-r--  206546 Jun  4 10:30 1797561.tar.gz
 ...
 -rwxrwxr-x      56 Feb 15  2007 507739.tar.gz.sha1
 -rwxrwxr-x  126897 Feb 15  2007 507739.tar.gz
 -rwxrwxr-x     823 Feb 15  2007 507739.tar.gz.asc

In my eyes the execution-flags are totally wrong. And also the write-flags are
superfluous and at least theoretically a little bit dangerous. I assume the
mirroring ("rsync") will even work without a write-flag for the owner.

But as Kevin A. McGrail has written on the sysadmins mailing list, it seems not
to be a big problem but only a flaw "because rules are crypto signed".

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7508] Suboptimal permissions of mirrored rulesets files (on sa-update mirrors)

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7508

Dave Jones <da...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |davej@apache.org
             Status|NEW                         |ASSIGNED
           Assignee|sysadmins@spamassassin.apac |davej@apache.org
                   |he.org                      |

--- Comment #1 from Dave Jones <da...@apache.org> ---
You are correct.  The perms are not optimal.  However, web servers shouldn't be
executing any of these file types as they are not scripts or executable files.

I will look at the scripts that generate the rulesets and set perms to 444. 
Rsyncs should be running as root on the mirrors so this should not impact
rsync'ing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
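
An added example, not part of the bug thread or the SpamAssassin project's own scripts: a POSIX shell audit that a mirror operator could run to find ruleset artifacts carrying execute or write bits and bring them to the 444 mode named in comment #1. The function names and the constructed sample directory are assumptions; the file names and modes in the sample come from the listing in the report.

```shell
#!/bin/sh
# Added example: audit sa-update mirror files against the 444 target from comment #1.
# Function names and the sample directory are assumptions made for illustration.

# Run find over ruleset artifacts in $1 (tarball, .asc, .sha1) with extra predicates.
find_rulesets() {
    dir=$1; shift
    find "$dir" -type f \
        \( -name '*.tar.gz' -o -name '*.tar.gz.asc' -o -name '*.tar.gz.sha1' \) "$@"
}

# Artifacts with any execute bit set (owner, group or other).
list_executable() {
    find_rulesets "$1" \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Artifacts with any write bit set.
list_writable() {
    find_rulesets "$1" \( -perm -200 -o -perm -020 -o -perm -002 \)
}

# Artifacts whose mode is not exactly 444.
list_not_444() {
    find_rulesets "$1" ! -perm 444
}

# chmod non-compliant artifacts to 444, then print how many are still not 444.
normalize_to_444() {
    find_rulesets "$1" ! -perm 444 -exec chmod 444 {} +
    list_not_444 "$1" | wc -l | tr -d ' '
}

# Constructed sample: empty files named after the listing, with the modes it shows.
make_sample_mirror() {
    d=$(mktemp -d) || return 1
    for spec in 644:1816413.tar.gz 544:1816372.tar.gz 664:1797561.tar.gz.asc \
                775:507739.tar.gz.sha1 644:MIRRORED.BY; do
        : > "$d/${spec#*:}" && chmod "${spec%%:*}" "$d/${spec#*:}"
    done
    echo "$d"
}

# Direct use: sh audit.sh /path/to/mirror  (prints artifacts that are not 444)
if [ $# -ge 1 ]; then list_not_444 "$1"; fi
```

Control files such as MIRRORED.BY are deliberately left out of the name filter, so only the tarball, signature and checksum files are reported or changed.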