Tumbleweed /etc/permissions*


Michael Hirmke
Hi *,

I have a few questions regarding the files /etc/permissions* and chkstat
on a Tumbleweed system:

According to the man pages and docs, chkstat is called whenever a
configuration change was made. And chkstat should look into
/etc/sysconfig/security to find the permissions.<type> file(s) to use.

I have configured

PERMISSION_SECURITY="easy local"
PERMISSION_FSCAPS="yes"

in my /etc/sysconfig/security file so chkstat should use

/etc/permissions.easy and
/etc/permissions.local

and it should honour capability settings in these files.

In /etc/permissions.local I have

/usr/bin/gnome-keyring-daemon  root:root       0755
 +capabilities cap_ipc_lock=+ep

But every time an update for the gnome-keyring package gets installed,
the keyring daemon misses the configured capabilities.

So obviously chkstat isn't called in this case.

What configuration changes are meant by the docs then?
Shouldn't zypper also call chkstat after installation of all new
packages?
Or do I misunderstand the intention of the permissions package including
chkstat?

Thx and bye.
Michael.
--
Michael Hirmke
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Tumbleweed /etc/permissions*

Marcus Meissner
On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:

> Hi *,
>
> I have a few questions regarding the files /etc/permissions* and chkstat
> on a Tumbleweed system:
>
> According to the man pages and docs, chkstat is called whenever a
> configuration change was made. And chkstat should look into
> /etc/sysconfig/security to find the permissions.<type> file(s) to use.
>
> I have configured
>
> PERMISSION_SECURITY="easy local"
> PERMISSION_FSCAPS="yes"
>
> in my /etc/sysconfig/security file so chkstat should use
>
> /etc/permissions.easy and
> /etc/permissions.local
>
> and it should honour capability settings in these files.
>
> In /etc/permissions.local I have
>
> /usr/bin/gnome-keyring-daemon  root:root       0755
>  +capabilities cap_ipc_lock=+ep
>
> But every time an update for the gnome-keyring package gets installed,
> the keyring daemon misses the configured capabilities.
>
> So obviously chkstat isn't called in this case.
>
> What configuration changes are meant by the docs then?
> Shouldn't zypper also call chkstat after installation of all new
> packages?
> Or do I misunderstand the intention of the permissions package including
> chkstat?

There needs to be special %post and %verify scripts in the packages that
need hooks in the permissions framework to refresh the permissions if
the /usr/bin/gnome-keyring-daemon should behave like this.

chkstat is not explicitly run excepting from %post and %verify scripts these
days.

gnome-keyring-daemon is not set up for it at this time, so either it gets
added there or you have to run chkstat --system after every update of gnome-keyring-daemon.

Ciao, Marcus
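
A drift check for the situation discussed in this thread, as an added example that is not part of any poster's message or of the permissions package: it parses the permissions.local format quoted above and compares each declared capability with the file's security.capability xattr. The sample contents, the /usr/bin/example-tool entry and the function names are assumptions; only single `name[,name]=flags` clauses are handled and only cap_ipc_lock is mapped.

```python
import os
import struct
# Constructed sample in the format quoted in the thread; example-tool is hypothetical.
SAMPLE = """\
/usr/bin/gnome-keyring-daemon  root:root       0755
 +capabilities cap_ipc_lock=+ep
/usr/bin/example-tool          root:root       0755
"""
CAP_BITS = {"cap_ipc_lock": 14}  # bit number from <linux/capability.h>; extend as needed

def parse_permissions(text):
    """Map each path to its '+capabilities' value, or None if it declares none."""
    entries, last = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "+capabilities" and last and len(fields) > 1:
            entries[last] = fields[1]
        elif fields[0] != "+capabilities":
            last = fields[0]
            entries[last] = None
    return entries

def decode_xattr(raw):
    """Revision 2/3 security.capability blob -> (permitted mask, effective flag)."""
    if len(raw) < 20:  # absent xattr or old revision 1: treat as no capabilities
        return 0, False
    magic, p_lo, _, p_hi, _ = struct.unpack("<5I", raw[:20])
    return (p_hi << 32) | p_lo, bool(magic & 0x1)  # 0x1 = VFS_CAP_FLAGS_EFFECTIVE

def drifted(spec, raw):
    """True if the blob lacks what the declared capability clause asks for."""
    names, _, flags = spec.partition("=")
    mask = sum(1 << CAP_BITS[n.strip()] for n in names.split(","))
    permitted, effective = decode_xattr(raw)
    return (permitted & mask) != mask or ("e" in flags and not effective)

def read_xattr(path):
    try:
        return os.getxattr(path, "security.capability")
    except (OSError, AttributeError):  # no xattr, no file, or non-Linux
        return b""

if __name__ == "__main__":
    src = "/etc/permissions.local"
    text = open(src).read() if os.path.exists(src) else SAMPLE
    for path, spec in parse_permissions(text).items():
        if spec and drifted(spec, read_xattr(path)):
            print(f"{path}: lacks {spec}; rerun chkstat --system")
```

A path reported here after a package update is the cue to run `chkstat --system`, the command named in the reply above.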

Re: Tumbleweed /etc/permissions*

Carlos E. R.-2
On 2017-07-13 22:41, Marcus Meissner wrote:
> On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:

>>
>> So obviously chkstat isn't called in this case.
>>
>> What configuration changes are meant by the docs then?
>> Shouldn't zypper also call chkstat after installation of all new
>> packages?
>> Or do I misunderstand the intention of the permissions package including
>> chkstat?
>
> There needs to be special %post and %verify scripts in the packages that
> need hooks in the permissions framework to refresh the permissions if
> the /usr/bin/gnome-keyring-daemon should behave like this.
>
> chkstat is not explicitly run excepting from %post and %verify scripts these
> days.

Would it be a good or a bad idea to have it in cron? Just thought of it,
and I don't know.

--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)


Re: Tumbleweed /etc/permissions*

Michael Hirmke
In reply to this post by Marcus Meissner
Hi Marcus,

thx for your answer, but ...

>On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
>> Hi *,
>>
>> I have a few questions regarding the files /etc/permissions* and chkstat
>> on a Tumbleweed system:
>>
>> According to the man pages and docs, chkstat is called whenever a
>> configuration change was made. And chkstat should look into
>> /etc/sysconfig/security to find the permissions.<type> file(s) to use.
[...]
>> What configuration changes are meant by the docs then?
>> Shouldn't zypper also call chkstat after installation of all new
>> packages?
>> Or do I misunderstand the intention of the permissions package including
>> chkstat?

>There needs to be special %post and %verify scripts in the packages that
>need hooks in the permissions framework to refresh the permissions if
>the /usr/bin/gnome-keyring-daemon should behave like this.

... then every package maintainer has to add it to his packages.
And what's more, the maintainer doesn't even know that an administrator
of a certain system wants to add capabilities or special permissions to
one of the package files. On the other hand an administrator may forget
that in an update of a few hundred packages is one that needs a rerun of
chkstat.
So IMHO it would be great to have it run automatically - for example
when zypper [up|dup|patch] finishes.
It could be controlled by a parameter in zypp.conf.

>chkstat is not explicitly run excepting from %post and %verify scripts these
>days.

>gnome-keyring-daemon is not set up for it at this time, so either it gets
>added there or you have to run chkstat --system after every update of
>gnome-keyring-daemon.

>Ciao, Marcus

Bye.
Michael.
--
Michael Hirmke

Re: Tumbleweed /etc/permissions*

Carlos E. R.-2
On 2017-07-14 11:51, Michael Hirmke wrote:

> Hi Marcus,
>
> thx for your answer, but ...
>
>> On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
>>> Hi *,
>>>
>>> I have a few questions regarding the files /etc/permissions* and chkstat
>>> on a Tumbleweed system:
>>>
>>> According to the man pages and docs, chkstat is called whenever a
>>> configuration change was made. And chkstat should look into
>>> /etc/sysconfig/security to find the permissions.<type> file(s) to use.
> [...]
>>> What configuration changes are meant by the docs then?
>>> Shouldn't zypper also call chkstat after installation of all new
>>> packages?
>>> Or do I misunderstand the intention of the permissions package including
>>> chkstat?
>
>> There needs to be special %post and %verify scripts in the packages that
>> need hooks in the permissions framework to refresh the permissions if
>> the /usr/bin/gnome-keyring-daemon should behave like this.
>
> ... then every package maintainer has to add it to his packages.
> And what's more, the maintainer doesn't even know that an administrator
> of a certain system wants to add capabilities or special permissions to
> one of the package files. On the other hand an administrator may forget
> that in an update of a few hundred packages is one that needs a rerun of
> chkstat.
> So IMHO it would be great to have it run automatically - for example
> when zypper [up|dup|patch] finishes.
> It could be controlled by a parameter in zypp.conf.

That's how it was run some years ago. In the past YaST or zypper ran
"SuSEconfig" at the end of each modification run, and that script took
care of everything.

--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)


Re: Tumbleweed /etc/permissions*

Michael Hirmke
Hi Carlos,

[...]

>>> There needs to be special %post and %verify scripts in the packages that
>>> need hooks in the permissions framework to refresh the permissions if
>>> the /usr/bin/gnome-keyring-daemon should behave like this.
>>
>> ... then every package maintainer has to add it to his packages.
>> And what's more, the maintainer doesn't even know that an administrator
>> of a certain system wants to add capabilities or special permissions to
>> one of the package files. On the other hand an administrator may forget
>> that in an update of a few hundred packages is one that needs a rerun of
>> chkstat.
>> So IMHO it would be great to have it run automatically - for example
>> when zypper [up|dup|patch] finishes.
>> It could be controlled by a parameter in zypp.conf.

>That's how it was run some years ago. In the past YaST or zypper ran
>"SuSEconfig" at the end of each modification run, and that script took
>care of everything.

yeah, I remember the good old times ;)
Not sure, though, if zypper already existed at that time, but yes, YaST
called SuSEconfig.

Wonder, why it was left out at some point.

>--
>Cheers / Saludos,

> Carlos E. R.

Bye.
Michael.
--
Michael Hirmke