eli-schwartz
commented
4 years ago I can extend this to all users, if desired. See the linked issue for details.
Closed eli-schwartz closed 4 years ago
eli-schwartz
commented
4 years ago I can extend this to all users, if desired. See the linked issue for details.
eli-schwartz
commented
4 years ago you also want to change line 200?
Hmm, why doesn't this use BINMODE?
yo8192
commented
4 years ago Because BINMODE and BINMODESIGHUP are only used for the perms that change depending on whether you run fcron as a system service or as yourself. (with hindsight, using more specific names for these two would have been clearer)
eli-schwartz
commented
4 years ago Both review comments should be resolved now.
Principle of least privilege suggests that for security-relevant programs, no permissions other than those strictly necessary should be applied. Hence the historic permissions for fcron were "executable, and that's it". However, this causes problems for some legitimate use cases, such as analysis of soname dependencies via readelf, use of strip, etc.
Slightly relax the install permissions to grant the owner, at least, rw permissions. The owner can already trivially obtain these permissions at will using chown, this merely saves them the bother.
Fixes #2