[opensuse] How is there constantly always something to be set with file permissions no matter how new or clean Suse is?
For years I have been wondering about all the log messages, e.g. during package updates. On a clean openSUSE 13.2 64-bit machine, which has never had anything on it before, in fact clean hard disks, today's or a recent cron update shows the following:

Additional rpm output: setting /usr/bin/crontab to root:trusted 4755. (wrong permissions 4750)
Updating /etc/sysconfig/cron...

How is this Linux or related Unix world actually considered to be stable, or its paradigms some truth cast in stone, if seemingly every day essentials and the most basic stuff change? Have the package maintainers made errors in the past, or have some Unix gods now discovered that those file permissions ought to be 4755 instead of 4750? Has some rocket science of Unix land discovered something new that meant these file permissions had to change?

I try to understand these things but something is really beyond my level. Either Unix land is still in its very infancy and immature, or on the other hand package maintainers or developers are very careless and set wrong file permissions (and many other things) all the time, which consecutive newly released and applied patches then fix.

Seriously. Please explain. I would like to understand the minds and the workings of Unix and Linux. Maybe Windows land isn't that messed up and brain-damaged and evil after all. Maybe quality is pretty close to each other, and same same but different. Thanks.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10/06/2015 12:50 PM, cagsm wrote:
Seriously. Please explain. I would like to understand the minds and the workings of unix and linux.
It seems perfectly reasonable to me, but it doesn't to you because you've looked at this in isolation.

Here is one hypothesis. It is reasonable, but it is only a hypothesis because you have not supplied enough contextual information about what you did to bring this about or how your system is configured.

Linux has a number of security levels and configurations. You can personalise these in detail if you want, but they are there as part of the package. You can see, for example

/etc/polkit-default-privs.local
/etc/polkit-default-privs.restrictive
/etc/polkit-default-privs.standard

and more under /etc/security/

In particular, there are a set of files which determine the permission settings for a whole bunch of files:

/etc/permissions
/etc/permissions.easy
/etc/permissions.secure
/etc/permissions.paranoid
/etc/permissions.local

In addition there should be a directory /etc/permissions.d with permissions settings for each of a number of specific applications.

These files determine the settings according to the level of 'paranoia', or lack of it, you decide to have for YOUR system. This will *always* override the settings of any package that is installed.

All this is well documented. Please RTFM: "settings" in section 5 of the manual.

How would you find this? The 'apropos' command is very, very good at giving pointers on just about all matters. You may need a few attempts with different keywords but this one should be easy. Here, the page says

<quote> The chkstat program sets permissions and ownerships according to the permission files. </quote>

So next up look at the man page for "chkstat". The key here is

<quote> In system mode /etc/permissions/security determines which level to use and whether to actually apply permission changes. </quote>

Actually this is now /etc/sysconfig/security. Under current Linux check sysconfig first :-0

So it's possible that the installation triggered a check of *your specific* configuration and adjusted the permissions accordingly. The packager does not know how any particular user is going to configure his or her system.

It is also possible that cron or similar runs "chkstat --system" regularly. That's another hypothesis, but since this seems to have occurred when you installed the package, I'd go for the first hypothesis.

Linux is nowhere near as draconian as Windows. Linux assumes its users are smart and are going to invest some time making Linux do what they want, and by that I don't mean the kind of "eye candy" that a GUI permits.

The issue with those levels of configuration and policy is "how paranoid do you want to be?" Linux is not in its infancy, it is quite mature and very sophisticated. I realise that this sophistication may often be baffling and confusing to someone from Windowsland or even OSX-land where the attitudes are much more paternalistic.

Under the hood, Linux is not really a desktop system :-/ The X display server can run anywhere, it doesn't need the OS; this is quite the opposite to the way of Windows where the display is a key part of the OS.

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Anton Aylward <opensuse@antonaylward.com> schreef:
The issue with those levels of configuration and policy is "how paranoid do you want to be?" Linux is not in its infancy, it is quite mature and very sophisticated. I realise that this sophistication may often be baffling and confusing to someone from Windowsland or even OSX-land where the attitudes are much more paternalistic. Under the hood, Linux is not really a desktop system :-/ The X display server can run anywhere, it doesn't need the OS; this is quite the opposite to the way of Windows where the display is a key part of the OS.
Actually Linux is a VERY primitive system, much the same way that the rest of the world is extremely primitive while thinking it is highly advanced. Oh, hey Anton :P. :D :D :D. LOL! Kudos.
cagsm <cumandgets0mem00f@gmail.com> schreef:
How is this Linux or related Unix world actually considered to be stable, or its paradigms some truth cast in stone, if seemingly every day essentials and the most basic stuff change?
Nobody really thought really well about it. If you do a scan, you will find for instance that the "root" user owns like 99% of all files that are not user-owned (that are not part of a user's home directory). So you get a security model in which root is almost like the only ubiquitous presence. That means you need root to do basically anything that is not confined to a single user, which means you have to use it all the time, which means its value as a security mechanism diminishes greatly (just as it is on Windows by the way, but still, more so).

For fun, try this script:

cut -d: -f1 /etc/passwd | while read -r f; do printf "%-15s %6d\n" "$f" "$(find / -type f -user "$f" -xdev | wc -l)"; done

And you'll see how much the "other" users are used.

Also, it means, or seems to mean, or at least the result of the system is, that although there are "groups" they are hardly ever used by default. As such, for most files the group-write permissions are always turned off, and I think you will find easily that for 99% of files in the base system the group read flag is either the same as the owner read flag, or removed (rarely). Most files are either 755/644 or 700/600 (if security is warranted), so you will see that in effect the whole group feature is not even USED in the base Linux system. The problem of course is that if you want to do anything in such a system that requires editing files, and those files belong to prepackaged programs, you now have to be root to edit them, even if it is just a user stylesheet for a wiki program.

So the base security model is really quite rotten; there is no differentiation or sense of layers or layerism that might make it possible to use intermediate or "less powerful" users to do more common tasks. The whole directory structure that was really designated for such things (/usr/local) is never even commonly used (except when you want to compile something yourself), and so the whole "local" thing of a Linux system is pretty much nonexistent unless you put it in yourself, which of course requires a lot of development and time and means you are basically constructing a new security model yourself.

So basically, yes, it is very primitive, and for it to become something really useful or even slightly "adequate" from a common user point of view, it needs a lot of development time still ;-). Heh, Anton ? :P ;P. It is definitely not adequate for me, but I have much higher goals, or at least I used to have them.

So I will say the little fiddling between 4755 and 4750 (I don't even know what the 4 means) is really quite meaningless; it meant that previously it was not "world" readable and now it is. That's also just personal choice: if there is nothing to hide in that crontab file (which probably there isn't, but it depends (it depends, it depends, of course it depends)) you might perhaps just as well show it to everyone and his sick jealous monkey squad. :D. Regards...
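Xen's message leaves open what the leading "4" in 4750 means. As an added example (my own POSIX sh, not code from the thread), the functions below decode an octal mode into the symbolic form ls -l shows and list which permission slots differ between two modes. Run on the two modes from the rpm output in the first mail, it shows that the 4 is the setuid bit (present in both, so the program already ran as root in both settings) and that the 4750 to 4755 change only grants the "other" class read and execute, i.e. users outside the trusted group may now run crontab at all.

```shell
#!/bin/sh
# Added example, not code from the thread: decode an octal mode such as 4750
# into the symbolic form that ls -l shows, and list the slot-level differences
# between two modes. Pure POSIX sh; no files are touched.

# One permission triad (r, w, x) for a single octal digit 0-7.
triad() {
    case $1 in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) printf 'bad digit: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Replace the x slot of a triad with $2 when execute is set, else with $3
# (ls shows s/t when the special bit coincides with execute, S/T when not).
mark_special() {
    case $1 in
        *x) printf '%s%s' "${1%x}" "$2" ;;
        *)  printf '%s%s' "${1%?}" "$3" ;;
    esac
}

# decode_mode 4750 -> rwsr-x---
decode_mode() {
    mode=$1
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done   # 755 -> 0755
    special=$(printf '%s' "$mode" | cut -c1)
    u=$(triad "$(printf '%s' "$mode" | cut -c2)")
    g=$(triad "$(printf '%s' "$mode" | cut -c3)")
    o=$(triad "$(printf '%s' "$mode" | cut -c4)")
    # The leading digit is additive: 4 = setuid, 2 = setgid, 1 = sticky.
    if [ $((special & 4)) -ne 0 ]; then u=$(mark_special "$u" s S); fi
    if [ $((special & 2)) -ne 0 ]; then g=$(mark_special "$g" s S); fi
    if [ $((special & 1)) -ne 0 ]; then o=$(mark_special "$o" t T); fi
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# Name the permission slot at position 1-9 of the symbolic string.
slot_name() {
    case $1 in 1|2|3) who=user ;; 4|5|6) who=group ;; *) who=other ;; esac
    case $(( ($1 - 1) % 3 )) in 0) what=read ;; 1) what=write ;; *) what=exec ;; esac
    printf '%s/%s' "$who" "$what"
}

# mode_diff OLD NEW -> one token per slot that changed, e.g.
# mode_diff 4750 4755 -> "other/read=gained(r) other/exec=gained(x)"
mode_diff() {
    old=$(decode_mode "$1"); new=$(decode_mode "$2")
    out=""; i=1
    while [ "$i" -le 9 ]; do
        a=$(printf '%s' "$old" | cut -c"$i"); b=$(printf '%s' "$new" | cut -c"$i")
        if [ "$a" = "$b" ]; then :
        elif [ "$a" = '-' ]; then out="$out $(slot_name "$i")=gained($b)"
        elif [ "$b" = '-' ]; then out="$out $(slot_name "$i")=lost($a)"
        else out="$out $(slot_name "$i")=changed($a>$b)"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Demo on the two modes from the rpm message in the first mail.
for m in 4750 4755; do printf '%s  %s\n' "$m" "$(decode_mode "$m")"; done
printf 'change: %s\n' "$(mode_diff 4750 4755)"
```

The decoder is deliberately strict about the special digit so that a mode like 4644 (setuid without execute, shown by ls as rwS) is reported as the oddity it is rather than silently normalised.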
On 10/06/2015 04:34 PM, Xen wrote:
So basically, yes, it is very primitive and for it to become something really useful or even slightly "adequate" from a common user point of view, it needs a lot of development time still ;-). Heh, Anton ? :P ;P.
You are being unhelpful and destructive. That things are not to your liking is no reason to spoil them for others.
Anton Aylward <opensuse@antonaylward.com> schreef:
On 10/06/2015 04:34 PM, Xen wrote:
So basically, yes, it is very primitive and for it to become something really useful or even slightly "adequate" from a common user point of view, it needs a lot of development time still ;-). Heh, Anton ? :P ;P.
You are being unhelpful and destructive. That things are not to your liking is no reason to spoil them for others.
How am I supposed to be in the power to spoil it for anyone? People make their own decisions and I am certainly not in the position to change anything about the base Linux system, least of all... well, and IF I were in that position, I would probably be changing it for the better. No one is going to listen to me anyway unless they agree with me, and if they agree with me then they would have noticed some of this themselves. Actually it is quite a compliment to attribute these powers to me.

But it seems to be quite commonsensical that you cannot spoil something that is already bad; instead, pointing to the badness also cannot make the badness worse. And knowing about the badness also doesn't make the system less usable than it was before these things were pointed out.... In fact turning to some bad aspect and pointing it out is the first step in improving it, and because most Linux adherents refuse to do so, the system never improves. Because if you can't even LOOK AT IT and OWN it, how then can you ever IMPROVE it? If you keep staying in denial about how bad it is, it will never get better.

Actually, this is most of the condition of the rest of the world. People are so in denial about how rotten the system is that it never improves. People think they are highly advanced when they are just primitive children of god trying to get better. But because (these words are not mine) they are so ego-invested in being what they are not (highly advanced), they are not being what they are (advancing). And so they stay stuck in a refusal to look at what they are and where they are, and hence never see where they need to go. Because they think they are already in some mode of perfection (think of e.g. the justice system and all its ludicrous and meaningless laws) they never consider that the system actually could use a bit of improvement, to say it in a very mild manner.

Am I spoiling it for everyone? No, the system itself routinely and destructively spoils it for everyone, constantly. That doesn't change (at least not for the worse) by me mentioning it; in fact, it is the only way it can ever get better, or at least become more congruent with what we really are as human beings. And the same is true for Linux. Most of the Linux world tries to shut up people who try to say a few things about what doesn't work or doesn't really ....agree with what the Linux people SAY it is. What Linux people say about it and what it really is are usually quite different things.

I recently pointed some people to images of KDE developers. Photos, pictures. Of them going to a conference. I said, can you see these people and how depleted they are? And the guy, just some regular guy not involved with computers, immediately agreed that although they looked slightly happy, they also looked quite tired and depleted. And not just from that conference. And these same (kind of) people keep claiming how wonderful and perfect their systems and their software are. You can see it all around, a personal propaganda.

I once stayed away from all TV and radio for a few months. When I got back into the world I was flabbergasted and stunned by the amount of national propaganda on national radio. This is just a western European country. And people are constantly telling each other how amazing they are (when really they're not). People from more eastern European countries who live here can tell you how that feels. That these nationals here feel they are so great. And Dutch people (this is about the Netherlands) do not realize how arrogant they are. About who they are and how great they are as a nation. It is a complete and utter arrogance and self-inflation that is based on nothing really. And other people notice. And if you come to Linux from "abroad", you too notice.

I cannot make the system worse by saying these things. I can only make it better, because once you see it you can change it, if that is your wish by then. Somehow I also think you, Anton, have seen just a little bit of this right now. Or else you wouldn't have said these things to me. Because there is a chagrin involved with being shown the truth, and I have lost a few friends that way :-/ :(. I have had some friends who thought they were amazing (while judging me and treating me like dirt) and once I showed them that was not true, they left me. People rarely take well to being shown that, after all, their image of themselves was slightly skewed. Maybe I'm just an idiot for doing it that way, but there you have it. Regards, D.
On Tue, Oct 06, 2015 at 06:50:57PM +0200, cagsm wrote:
For years I have been wondering about all the log messages, e.g. during package updates. On a clean openSUSE 13.2 64-bit machine, which has never had anything on it before, in fact clean hard disks, today's or a recent cron update shows the following:
Additional rpm output: setting /usr/bin/crontab to root:trusted 4755. (wrong permissions 4750)
Updating /etc/sysconfig/cron...
How is this Linux or related Unix world actually considered to be stable, or its paradigms some truth cast in stone, if seemingly every day essentials and the most basic stuff change?
Have the package maintainers made errors in the past, or have some Unix gods now discovered that those file permissions ought to be 4755 instead of 4750? Has some rocket science of Unix land discovered something new that meant these file permissions had to change?
I try to understand these things but something is really beyond my level. Either Unix land is still in its very infancy and immature, or on the other hand package maintainers or developers are very careless and set wrong file permissions (and many other things) all the time, which consecutive newly released and applied patches then fix.
Seriously. Please explain. I would like to understand the minds and the workings of Unix and Linux. Maybe Windows land isn't that messed up and brain-damaged and evil after all. Maybe quality is pretty close to each other, and same same but different. Thanks.
The rpms are packaged in "secure" mode by default, which means fewer permissions/setuid bits. All our installed systems are running in "easy" mode by default, which is more permissive. So installing packages will hand out a bit more permissions to binaries occasionally, leading to the above message. Please just consider it a warning. Ciao, Marcus
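Anton's pointer to the /etc/permissions.* profiles and chkstat, and Marcus's explanation that packages are built for the "secure" profile while installed systems run "easy", describe one mechanism from two sides. The script below is an added example written for this thread, not the project's chkstat and not code from any of the posters: a read-only audit that reads a PERMISSION_SECURITY setting (the variable name openSUSE uses in /etc/sysconfig/security), merges the named profile files in order, and reports every file whose owner:group or mode drifts from the merged profile. It assumes the "path owner:group mode" column layout of the permissions files, that a later profile overrides an earlier one for the same path (my assumption about precedence), and GNU coreutils stat. The demo tree, its profile contents and the sysconfig-security file name are constructed inside a temp directory; the current user:group stands in for root:trusted because the demo cannot chown.

```shell
#!/bin/sh
# Added example, not code from the thread or from openSUSE's chkstat: a
# read-only audit of a file tree against permission profiles, in the spirit
# of what the thread describes. Assumptions: the profile files use the
# "path owner:group mode" column layout, later profiles override earlier ones,
# and GNU coreutils stat is available. The demo tree below is constructed.

# Print the profile names from a PERMISSION_SECURITY="easy local" style line
# (PERMISSION_SECURITY is the variable name used in /etc/sysconfig/security).
active_profiles() {              # $1 = sysconfig-style file
    sed -n 's/^PERMISSION_SECURITY="\([^"]*\)".*/\1/p' "$1"
}

# Merge $confdir/permissions.NAME for each NAME given, printing
# "path owner:group mode" lines; the last definition of a path wins.
merged_profile() {               # $1 = confdir, rest = profile names in order
    confdir=$1; shift
    for name in "$@"; do
        if [ -f "$confdir/permissions.$name" ]; then
            cat "$confdir/permissions.$name"
        fi
    done | awk '
        /^[ \t]*#/ || NF < 3 { next }                    # comments, blanks, junk
        { if (!($1 in entry)) order[++n] = $1; entry[$1] = $2 " " $3 }
        END { for (i = 1; i <= n; i++) print order[i], entry[order[i]] }'
}

# Compare every merged entry against the file under $root and print one line
# per mismatch, shaped like the rpm output quoted in the first mail.
audit_tree() {                   # $1 = tree root, $2 = confdir, rest = profiles
    root=$1; confdir=$2; shift 2
    merged_profile "$confdir" "$@" | while read -r path owner mode; do
        file="$root$path"
        if [ ! -e "$file" ]; then
            printf '%s: missing\n' "$path"
            continue
        fi
        actual_owner=$(stat -c '%U:%G' "$file")
        actual_mode=$(stat -c '%a' "$file")
        if [ "$actual_owner" != "$owner" ]; then
            printf 'setting %s to %s %s. (wrong owner/group %s)\n' \
                "$path" "$owner" "$mode" "$actual_owner"
        elif [ "$actual_mode" != "$mode" ]; then
            printf 'setting %s to %s %s. (wrong permissions %s)\n' \
                "$path" "$owner" "$mode" "$actual_mode"
        fi
    done
}

# Constructed demo: a "crontab" shipped with the packaged (secure) mode 4750,
# secure/easy/local profiles, and a sysconfig file selecting "easy local".
# The current user:group stands in for root:trusted, since we cannot chown here.
setup_demo() {                   # prints the demo root directory
    demo=$(mktemp -d)
    me=$(stat -c '%U:%G' "$demo")
    mkdir -p "$demo/usr/bin" "$demo/etc"
    : > "$demo/usr/bin/crontab"
    chmod 4750 "$demo/usr/bin/crontab"
    printf '/usr/bin/crontab %s 4750\n' "$me" > "$demo/etc/permissions.secure"
    printf '/usr/bin/crontab %s 4755\n' "$me" > "$demo/etc/permissions.easy"
    printf '# local overrides go here; none in the demo\n' > "$demo/etc/permissions.local"
    printf 'PERMISSION_SECURITY="easy local"\n' > "$demo/etc/sysconfig-security"
    printf '%s\n' "$demo"
}

# Run the audit on the demo tree; prints the drift report and cleans up.
demo_report() {
    root=$(setup_demo)
    audit_tree "$root" "$root/etc" $(active_profiles "$root/etc/sysconfig-security")
    rm -rf "$root"
}

demo_report
```

Running it prints one line in the same shape as the rpm message in the first mail, because the file carries the packaged 4750 while the selected "easy" profile asks for 4755. Changing the constructed sysconfig line to "secure local" makes the report empty, which is Marcus's point: the message is the local profile reasserting itself over what the package shipped, not a packaging error. A real audit would read /etc/sysconfig/security, /etc/permissions.* and /etc/permissions.d/ rather than the constructed tree, and a defender would diff its output against the previous run to spot unexpected setuid changes.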
participants (4)
-
Anton Aylward
-
cagsm
-
Marcus Meissner
-
Xen