Please standardize /var/lock/lockdev/ in the FHS

Bug #1331477 reported by Jeff Johnson
This bug affects 1 person
Affects    Status        Importance   Assigned to   Milestone
lsb        In Progress   Medium       Unassigned
Mandriva   In Progress   Medium

Bug Description

Most distributions currently set up /var/lock in different ways, and almost all
in an insecure way.

I'd like to suggest that FHS standardizes a secure setup, which is the one
Fedora appears to use in F14:

/var/lock should be root:root 755. System services may add subdirectories
beneath that dir, and only privileged processes have write access.

/var/lock/lockdev should be root:lock 775. Normal users may create LCK.. style
lock files here, and may delete them, including stale lock files from other
users.

The only place for LCK..xxx files would be /var/lock/lockdev, and not FHS.

Why this all? Well, it's the only secure way.

The reasons are explained here:

https://bugzilla.redhat.com/show_bug.cgi?id=581884
https://bugzilla.redhat.com/show_bug.cgi?id=145264#c1

Basically, it is essential that:

- we do not create another world-writable directory where everybody can write
to

- we do not use the sticky bit, since that would disallow removal of stale lock
files owned by other users

- per-subsystem privileged lock files and directories are separate from
LCK..xxx files, so that unprivileged users cannot remove/replace privileged
files and directories and trick privileged software into doing things it
shouldn't do.

The name /var/lock/lockdev is what Fedora currently uses. Other names are
thinkable too, but it's probably best to just adopt what exists already, since
the name is not totally unacceptable.

Tags: fhs
Changed in mandriva:
importance: Unknown → Medium
status: Unknown → In Progress
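
An audit of the layout proposed in the description, as an added example that is not part of the original report. It assumes GNU coreutils stat (the -c format option); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU coreutils stat (-c).
# Function names are hypothetical.

# Print the permission bits the report rules out, given an octal mode.
mode_findings() {
    m=$((0$1))                                   # leading 0 forces octal
    [ $((m & 02)) -ne 0 ] && echo "world-writable"
    [ $((m & 01000)) -ne 0 ] && echo "sticky"
    return 0
}

# check_lock_dir PATH MODE OWNER GROUP
# Returns 0 if PATH matches, 1 on any deviation, 2 if stat fails.
check_lock_dir() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3 rc=0
    for f in $(mode_findings "$mode"); do
        echo "$path: $f"; rc=1
    done
    [ "$mode" = "$want_mode" ] || { echo "$path: mode $mode, expected $want_mode"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, expected $want_group"; rc=1; }
    return $rc
}

# The layout proposed in the report: ROOT is root:root 755 and
# ROOT/lockdev is root:lock 775. ROOT defaults to /var/lock.
audit_proposed_layout() {
    root=${1:-/var/lock} bad=0
    check_lock_dir "$root" 755 root root || bad=1
    check_lock_dir "$root/lockdev" 775 root lock || bad=1
    return $bad
}

# Run the audit only when asked: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then
    audit_proposed_layout "${2:-}"
fi
```

A directory set up as 1777 is reported twice, once for the world-writable bit and once for the sticky bit, in addition to the mode mismatch.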