
Author Topic: /usr/local/tce.* ownership and perms  (Read 45914 times)

Offline Jason W

  • Administrator
  • Hero Member
  • *****
  • Posts: 9730
Re: /usr/local/tce.* ownership and perms
« Reply #15 on: October 17, 2009, 01:08:51 PM »
All existing extensions that have a tce.installed directory have had their permissions set to root:staff/775 for those that did not have that perm already.  I checked for tce.installed, but those that were fixed had their tce.menu and tce.icons directory set though they are not as critical.


Offline jpeters

  • Restricted
  • Hero Member
  • *****
  • Posts: 1017
Re: /usr/local/tce.* ownership and perms
« Reply #16 on: October 17, 2009, 06:19:52 PM »
> All existing extensions that have a tce.installed directory have had their permissions set to root:staff/775 for those that did not have that perm already.  I checked for tce.installed, but those that were fixed had their tce.menu and tce.icons directory set though they are not as critical.

Just noticed the permission change for /tce.installed; used to need tc:staff, I think.

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #17 on: October 17, 2009, 06:41:14 PM »
Yeah, tc:staff was widely used and in and of itself would not cause a problem though root:staff is what has been settled on.  Group staff and 775 perms are the critical details.

Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #18 on: October 17, 2009, 10:14:45 PM »
Looks like the issue of extensions changing tce.installed to root:root has been resolved ??

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #19 on: October 18, 2009, 03:05:54 AM »
Yes, with the above permissions set on all existing extensions' tce.installed directory there should be no more permissions issue with any version of TC 2.x.  If extensions in anyone's existing tce directory are causing issue, redownload and all should be well.  There should be no extensions now that will cause a root:root tce.installed, but of course if there are any they can be mentioned here.  But I think I got them all, 102 were fixed.


Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #20 on: October 18, 2009, 07:10:18 AM »
> Yes, with the above permissions set on all existing extensions' tce.installed directory there should be no more permissions issue with any version of TC 2.x.  If extensions in anyone's existing tce directory are causing issue, redownload and all should be well.  There should be no extensions now that will cause a root:root tce.installed, but of course if there are any they can be mentioned here.  But I think I got them all, 102 were fixed.


Looks like the vulnerability was fixed as well. I created xonclock-test while in root, and loaded -i -r (I think that changed /tce.installed to root:root previously). Despite the error message, permissions remain, xonclock is in /tce.installed,  and xonclock works.

Code:
tc@box:~$ ls -ld /usr/local/tce.installed/
drwxr-xr-x    2 root     staff         960 Oct 18 07:00 /usr/local/tce.installed//
tc@box:~$ tce-load -i -r /tmp/xonclock-test.tcz 
xonclock-test.tcz
touch: /usr/local/tce.installed/xonclock-test: Permission denied
tc@box:~$ ls -ld /usr/local/tce.installed/
drwxr-xr-x    2 root     staff         980 Oct 18 07:01 /usr/local/tce.installed//
tc@box:~$ find /usr/local/tce.installed/xonclock
/usr/local/tce.installed/xonclock
tc@box:~$


Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #21 on: October 18, 2009, 10:37:13 AM »
Something's still weird. Sometimes command line installs aren't getting into /tce.installed, other times they are.  This example shows the files installed, the extension loaded to my tce dir, but no listing in /tce.installed.  I tried the same with xonclock, and it was fine. Last time I tried with actkbd, it wasn't in my tce directory either, although the files were present.
 
Code:
tc@box:~$ tce-load -i -w actkbd.tcz
actkbd.tcz: OK
touch: /usr/local/tce.installed/actkbd: Permission denied
tc@box:~$ find /usr/local/tce.installed/actkbd
find: /usr/local/tce.installed/actkbd: No such file or directory
tc@box:~$ find /usr/local/sbin/actkbd
/usr/local/sbin/actkbd
tc@box:~$ find /mnt/hda1/tcZ2/actkbd.tcz
/mnt/hda1/tcZ2/actkbd.tcz

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #22 on: October 18, 2009, 10:46:35 AM »
jpeters - is that using either an empty tce directory or a fresh boot with "base norestore"?

Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #23 on: October 18, 2009, 10:57:12 AM »
> jpeters - is that using either an empty tce directory or a fresh boot with "base norestore"?

neither

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #24 on: October 18, 2009, 11:04:53 AM »
Ok, that means that there are some extensions in your tce directory that have not been fixed. 

Running the extension audit script on your tce directory will tell you which are the offending extensions.

Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #25 on: October 18, 2009, 11:18:57 AM »
> Ok, that means that there are some extensions in your tce directory that have not been fixed.
>
> Running the extension audit script on your tce directory will tell you which are the offending extensions

That will affect a new install ??  
« Last Edit: October 18, 2009, 11:21:31 AM by jpeters »

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #26 on: October 18, 2009, 11:34:55 AM »
The script will simply point out any extensions with bad perms on tce.installed. 

Are the extensions in your tce directory installed in the last 12 hours or so? 

Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #27 on: October 18, 2009, 11:49:00 AM »
> The script will simply point out any extensions with bad perms on tce.installed.
>
> Are the extensions in your tce directory installed in the last 12 hours or so?

Check the example posted.

Note: I'll try the audit script again with a full base boot... it doesn't work with the group presently loaded.
« Last Edit: October 18, 2009, 12:09:27 PM by jpeters »

Offline jpeters

Re: /usr/local/tce.* ownership and perms
« Reply #28 on: October 18, 2009, 12:23:15 PM »
Okay, it's installing now. Script works fine with full base.   

Offline Jason W

Re: /usr/local/tce.* ownership and perms
« Reply #29 on: October 18, 2009, 12:31:32 PM »
I will adjust the audit script to not exit but just echo an error message so it will display all extension issues in one run.  That would help for things like this.

EDIT: script fixed.
« Last Edit: October 18, 2009, 12:55:37 PM by Jason W »
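
The check discussed in this thread (group staff and mode 775 on each extension's tce.installed, with every problem reported in one run instead of stopping at the first) can be sketched as below. This is an added example, not the Tiny Core audit script and not code from either poster; it assumes each extension has already been unpacked or mounted into its own directory, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added illustration only. Assumed layout (hypothetical):
#   ROOT/<extension>/usr/local/tce.installed
# where ROOT holds one unpacked (or loop-mounted) tree per extension.

# check_tce_installed DIR [GROUP]
# Reports a wrong group or a mode other than 775; returns 1 if either is bad.
check_tce_installed() {
    dir=$1; want_group=${2:-staff}; rc=0
    [ -d "$dir" ] || return 0            # extension ships no tce.installed
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    if [ "$group" != "$want_group" ]; then
        echo "BAD group: $dir is $owner:$group, want group $want_group"
        rc=1
    fi
    if [ "$mode" != "775" ]; then        # e.g. 755 leaves group members unable to touch files
        echo "BAD mode:  $dir is $mode, want 775"
        rc=1
    fi
    return $rc
}

# audit_extensions ROOT [GROUP]
# Checks every extension tree and keeps going after a failure, so all
# offenders show up in a single run. Returns non-zero if any were found.
audit_extensions() {
    root=$1; grp=${2:-staff}; bad=0
    for ext in "$root"/*/; do
        [ -d "$ext" ] || continue
        check_tce_installed "${ext}usr/local/tce.installed" "$grp" || bad=$((bad + 1))
    done
    echo "$bad extension(s) with bad tce.installed perms"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/unpacked-extensions [group]
if [ $# -gt 0 ]; then
    audit_extensions "$@"
fi
```

A directory at mode 755, as in the `ls -ld` output posted in reply #20, would be reported as "BAD mode" even though its group is staff.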