Comments on: Restorecon Equivalent for Unix Permissions http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/ Linux, politics, and other interesting things Wed, 10 Mar 2010 11:35:42 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Jeff Schroeder http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10564 Jeff Schroeder Wed, 14 Nov 2007 05:45:19 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10564 Russell, here is a finished version for you: http://www.digitalprognosis.com/opensource/scripts/restoreperms I thought about setting this up to work with normal (read non-rpm managed) files and decided against it. Just create a quick hacky spec of everything in /usr/local/bin/* and then you can use this. If not, maybe it will help you out someday? Thanks for the idea though, it was all yours. It now shows which files have changed and the permissions they are currently vs the ones they should be. If you have an rpm distro installed, check it out. Russell, here is a finished version for you:
http://www.digitalprognosis.com/opensource/scripts/restoreperms

I thought about setting this up to work with normal (read non-rpm managed) files and decided against it. Just create a quick hacky spec of everything in /usr/local/bin/* and then you can use this. If not, maybe it will help you out someday? Thanks for the idea though, it was all yours.

It now shows which files have changed and the permissions they are currently vs the ones they should be. If you have an rpm distro installed, check it out.

]]> By: etbe http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10526 etbe Tue, 13 Nov 2007 21:56:36 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10526 Vaclav: It sounds like BSD is doing some good things in this regard, so all we need to do is to update dpkg to allow the same. Name: An IDS is not a tool for recovering from sys-admin mistakes, and Tripwire etc are not integrated with the packaging system (the primary authoritative source of data about such things). http://blog.steve.org.uk/articles/2007/11/13/i-love-this-hive-employee Gurkan: your comment is similar to Steve Kemp's suggestion in his blog. Still not part of the system. Vaclav: It sounds like BSD is doing some good things in this regard, so all we need to do is to update dpkg to allow the same.

Name: An IDS is not a tool for recovering from sys-admin mistakes, and Tripwire etc are not integrated with the packaging system (the primary authoritative source of data about such things).

http://blog.steve.org.uk/articles/2007/11/13/i-love-this-hive-employee

Gurkan: your comment is similar to Steve Kemp’s suggestion in his blog. Still not part of the system.

]]> By: Gurkan http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10524 Gurkan Tue, 13 Nov 2007 20:13:46 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10524 file permissions? like this? http://www.linuks.mine.nu/perms/perms file permissions? like this?
http://www.linuks.mine.nu/perms/perms

]]> By: Name (required) http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10512 Name (required) Tue, 13 Nov 2007 13:55:55 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10512 Isnt this what ids like aide, tripwire, samhain, etc, etc are for? Isnt this what ids like aide, tripwire, samhain, etc, etc are for?

]]> By: Vaclav Ovsik http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10511 Vaclav Ovsik Tue, 13 Nov 2007 11:48:14 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10511 etbe: I think you are not right. BSD systems have binary packages. For example: ftp://ftp.cz.freebsd.org/pub/FreeBSD/ports/i386/ If you look inside some package, you will see some topmost files and +MTREE_DIRS in between. Mtree is build into *BSD packaging system I think. And maybe Debian can add something similar aside debsums for this into dpkg. Something like mtree file can be generated in package building phase I think. etbe: I think you are not right. BSD systems have binary packages. For example: ftp://ftp.cz.freebsd.org/pub/FreeBSD/ports/i386/
If you look inside some package, you will see some topmost files and +MTREE_DIRS in between. Mtree is build into *BSD packaging system I think. And maybe Debian can add something similar aside debsums for this into dpkg. Something like mtree file can be generated in package building phase I think.

]]> By: etbe http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/comment-page-1/#comment-10509 etbe Tue, 13 Nov 2007 10:13:56 +0000 http://etbe.coker.com.au/2007/11/13/restorecon-equivalent-for-unix-permissions/#comment-10509 Andrew: I've updated the post, debsums doesn't address this problem at all. In a quick test running chmod on a file was not detected by it. Jeff: Great work! Now all we need is to have it consult another data source for files that aren't owned by RPM packages and we'll have a Unix permissions equivalent to restorecon. Vaclav: That seems to be more like Tripwire than what I'm interested in. It starts with copying the permissions from an installed system rather than using installation binaries to get the permissions - which makes sense as BSD doesn't have binary packages. Andrew: I’ve updated the post, debsums doesn’t address this problem at all. In a quick test running chmod on a file was not detected by it.

Jeff: Great work! Now all we need is to have it consult another data source for files that aren’t owned by RPM packages and we’ll have a Unix permissions equivalent to restorecon.

Vaclav: That seems to be more like Tripwire than what I’m interested in. It starts with copying the permissions from an installed system rather than using installation binaries to get the permissions – which makes sense as BSD doesn’t have binary packages.

]]>