[Zope-dev] startup security status (say that five times fast... well, ok, it wasn't so tough after all)
Behrens Matt - Grand Rapids
Matt.Behrens@kohler.com
Wed, 24 Oct 2001 15:39:36 -0400
I opted for #2, since it requires no changes to existing start/stop scripts.
> 2. Enforce the sticky bit on the var directory. From Solaris' chmod(2)
> manpage:
>
> If a directory is writable and has S_ISVTX (the sticky bit)
> set, files within that directory can be removed or renamed
> only if one or more of the following is true (see unlink(2)
> and rename(2)):
>
> o the user owns the file
>
> o the user owns the directory
>
> o the file is writable by the user
>
> o the user is a privileged user
>
> (Privileged user means 'root'.) We only need to enforce the sticky bit
> if we start as root and are doing the requisite setuid(). My patch
> already has a test for this.
Patch is attached, against the current release. (diff -c, God bless
Solaris... heh)
--
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture
[Attachment: z2_py.diff.gz]
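The check described in this message (sticky bit on the var directory, enforced only when starting as root and doing the setuid()), written out as an added sketch; it is not the attached patch or Zope's own code. The function names and the choice to refuse startup rather than change the mode are assumptions, and the uids are passed in so the logic can be exercised without being root.

```python
import os
import stat
import tempfile


def sticky_bit_problem(var_dir, start_uid, target_uid):
    """Return None if var_dir is acceptable, else a string saying why not.

    start_uid  -- uid the process starts with (hypothetical parameter)
    target_uid -- uid it will setuid() to, or None if no change is planned
    """
    # Per the message: only relevant when starting as root and dropping privileges.
    if start_uid != 0 or target_uid is None:
        return None
    st = os.stat(var_dir)
    if not stat.S_ISDIR(st.st_mode):
        return "%s is not a directory" % var_dir
    if not st.st_mode & stat.S_ISVTX:
        return "%s lacks the sticky bit (mode %04o); fix with chmod +t" % (
            var_dir, stat.S_IMODE(st.st_mode))
    return None


def enforce_sticky_bit(var_dir, start_uid=None, target_uid=None):
    """Refuse to continue startup if the check fails (assumed policy)."""
    if start_uid is None:
        start_uid = os.getuid()
    problem = sticky_bit_problem(var_dir, start_uid, target_uid)
    if problem is not None:
        raise SystemExit("startup aborted: " + problem)


if __name__ == "__main__":
    # Constructed demo directory; uid 1000 stands in for the unprivileged user.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o777)
    print(sticky_bit_problem(demo, 0, 1000))   # reports the missing bit
    os.chmod(demo, 0o1777)
    print(sticky_bit_problem(demo, 0, 1000))   # None
    os.rmdir(demo)
```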