/usr/local/tce.* ownership and perms

[jpeters]

I will adjust the audit script to not exit but just echo an error message so it will display all extension issues in one run.  That would help for things like this.

EDIT: script fixed.

For new installs, of course,  the user relies on the repos being correct.  MPlayer-svn-gtk2.tcz is set for
tc:staff, and changes the permissions for /tce.installed.  Looks like the only way to fix the vulnerability is an automatic screening of all submitted extensions (since not everyone will audit).  

You might list required deps to run audit.  Nice script!     (why not include the fix in the script? )


edit: Here's a few more:

xpdf-3.02pl2.tcz
xmms-1.2.11.tczl
gnumeric.tcz
geany.tcz

[Jason W]

I did update the script shortly after I fixed it.

I used a different script to check the repo that only looked at tce.installed.  So the extensions you mention are due to tce.menu and tce.icon perms different than ideal.  Those are not as critical as ones with tce.installed being of different perms.  I did adjust the perms of those directories of the ones whose tce.installed I fixed though.  But since the script will echo an error on those thjat have tce.menu and tce.icons perms different, I will adjust them too so it will all look good according to the audit script.

Mplayer svn gtk2 only has a tce.menu entry, not tce.installed.  But nevertheless I will fix it in time.

[jpeters]

I did update the script shortly after I fixed it.

I used a different script to check the repo that only looked at tce.installed.  So the extensions you mention are due to tce.menu and tce.icon perms different than ideal.  Those are not as critical as ones with tce.installed being of different perms.  I did adjust the perms of those directories of the ones whose tce.installed I fixed though.  But since the script will echo an error on those thjat have tce.menu and tce.icons perms different, I will adjust them too so it will all look good according to the audit script.

Mplayer svn gtk2 only has a tce.menu entry, not tce.installed.  But nevertheless I will fix it in time.

It changes perms for tce.installed, which is only important if you had some reason for it being root:staff.
As long as it installs  (actkbd wasn't).  All these changes must keep you real busy!  

The "fix" I was referring to was the perm changes that affect /tce.installed 

Code: [Select]

tc@box:~$ ls -ld /usr/local/tce.installed
drwxrwxr-x 2 tc staff 2120 Oct 18 14:53 /usr/local/tce.installed/


[Jason W]

Tce-setup changes it to "USER":staff, Mplayer couldn't if it didn't have a tce.installed directory in the extension.  "USER" being normally tc, unless another user is specified.

The extension should be root:staff/775 for tce.installed as if tce.installed gets its attributes overwritten by the extension, "USER" may be a different user than tc.  And if the perms are tc:staff/755 or root:staff/755, another user cannot write to tce.installed.  Tce-setup changing the owner to "USER":staff is ok and normal.

[jpeters]

That might be it, as I'm running groups with "base" option.