Re: Tom Lane 2016-02-18 <27423.1455809676@sss.pgh.pa.us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
>
> * file is owned by us, mode 0600 or less
>
> * file is owned by root, mode 0640 or less
>
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.
Makes sense to me.
> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.
Updated patch attached.
Christoph
--
cb@df7cb.de | http://www.df7cb.de/
