Daniel P. Berrange
2007-Apr-24 19:22 UTC
[Xen-devel] PATCH: Remove execute permission from xend-debug.log
The file /var/log/xen/xend-debug.log is currently being created with executable permission bits set. This is because the os.open() method defaults to using a mode of 0777 if no third parameter is provided. The attached patch changes the mode to 0600 to ensure that the file permissions come out as -rw------- instead of -rwxr-xr-x Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=| _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Aron Griffis
2007-Apr-24 21:39 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
Daniel P. Berrange wrote: [Tue Apr 24 2007, 03:22:11PM EDT]> The file /var/log/xen/xend-debug.log is currently being created with > executable permission bits set. This is because the os.open() method > defaults to using a mode of 0777 if no third parameter is provided. > The attached patch changes the mode to 0600 to ensure that the file > permissions come out as -rw------- instead of -rwxr-xr-xDoesn''t os.open default to 0777 & ~umask? Doesn''t seem like xend should be overriding root''s umask Aron _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Aron Griffis
2007-Apr-24 21:45 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
Aron Griffis wrote: [Tue Apr 24 2007, 05:39:41PM EDT]> Daniel P. Berrange wrote: [Tue Apr 24 2007, 03:22:11PM EDT] > > The file /var/log/xen/xend-debug.log is currently being created with > > executable permission bits set. This is because the os.open() method > > defaults to using a mode of 0777 if no third parameter is provided. > > The attached patch changes the mode to 0600 to ensure that the file > > permissions come out as -rw------- instead of -rwxr-xr-x > > Doesn''t os.open default to 0777 & ~umask? Doesn''t seem like xend > should be overriding root''s umaskSeems that the patch should be using 0666 instead of 0600 so that umask can affect group/other perms. At the very least it should use 0664. Aron _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Keir Fraser
2007-Apr-24 22:08 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
On 24/4/07 22:45, "Aron Griffis" <aron@hp.com> wrote:>>> The file /var/log/xen/xend-debug.log is currently being created with >>> executable permission bits set. This is because the os.open() method >>> defaults to using a mode of 0777 if no third parameter is provided. >>> The attached patch changes the mode to 0600 to ensure that the file >>> permissions come out as -rw------- instead of -rwxr-xr-x >> >> Doesn''t os.open default to 0777 & ~umask? Doesn''t seem like xend >> should be overriding root''s umask > > Seems that the patch should be using 0666 instead of 0600 so that > umask can affect group/other perms. At the very least it should use > 0664.Xen-debug.log is the only file in /var/log/xen getting created with +x permissions, so something is obviously up. Arguably we can get rid of xend-debug.log entirely -- I don''t believe anything ever gets logged there these days. I took the patch because 0600 seems saner than 0755. -- Keir _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Aron Griffis
2007-Apr-24 22:15 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
Keir Fraser wrote: [Tue Apr 24 2007, 06:08:16PM EDT]> On 24/4/07 22:45, "Aron Griffis" <aron@hp.com> wrote: > > >>> The file /var/log/xen/xend-debug.log is currently being created with > >>> executable permission bits set. This is because the os.open() method > >>> defaults to using a mode of 0777 if no third parameter is provided. > >>> The attached patch changes the mode to 0600 to ensure that the file > >>> permissions come out as -rw------- instead of -rwxr-xr-x > >> > >> Doesn''t os.open default to 0777 & ~umask? Doesn''t seem like xend > >> should be overriding root''s umask > > > > Seems that the patch should be using 0666 instead of 0600 so that > > umask can affect group/other perms. At the very least it should use > > 0664. > > Xen-debug.log is the only file in /var/log/xen getting created with > +x permissions, so something is obviously up. Arguably we can get > rid of xend-debug.log entirely -- I don''t believe anything ever gets > logged there these days. I took the patch because 0600 seems saner > than 0755.It doesn''t make any real difference to me, just thought I''d bring up the umask question before the patch was committed... though at this point it''s in staging, so I guess I was too late. ;-) Aron _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Keir Fraser
2007-Apr-24 22:30 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
On 24/4/07 23:15, "Aron Griffis" <aron@hp.com> wrote:>>> Seems that the patch should be using 0666 instead of 0600 so that >>> umask can affect group/other perms. At the very least it should use >>> 0664. >> >> Xen-debug.log is the only file in /var/log/xen getting created with >> +x permissions, so something is obviously up. Arguably we can get >> rid of xend-debug.log entirely -- I don''t believe anything ever gets >> logged there these days. I took the patch because 0600 seems saner >> than 0755. > > It doesn''t make any real difference to me, just thought I''d bring up > the umask question before the patch was committed... though at this > point it''s in staging, so I guess I was too late. ;-)You''re probably right that one of 0644,0664,0666 is better. They''re certainly more in line with all other files under /var/log/xen. -- Keir _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Daniel P. Berrange
2007-Apr-24 22:35 UTC
Re: [Xen-devel] PATCH: Remove execute permission from xend-debug.log
On Tue, Apr 24, 2007 at 11:30:30PM +0100, Keir Fraser wrote:> On 24/4/07 23:15, "Aron Griffis" <aron@hp.com> wrote: > > >>> Seems that the patch should be using 0666 instead of 0600 so that > >>> umask can affect group/other perms. At the very least it should use > >>> 0664. > >> > >> Xen-debug.log is the only file in /var/log/xen getting created with > >> +x permissions, so something is obviously up. Arguably we can get > >> rid of xend-debug.log entirely -- I don''t believe anything ever gets > >> logged there these days. I took the patch because 0600 seems saner > >> than 0755. > > > > It doesn''t make any real difference to me, just thought I''d bring up > > the umask question before the patch was committed... though at this > > point it''s in staging, so I guess I was too late. ;-) > > You''re probably right that one of 0644,0664,0666 is better. They''re > certainly more in line with all other files under /var/log/xen.Yeah, actually I agree - I thought the other files were already 0600, but in fact it is just the directory itself whose permissions are restricted. I''d just go for 0666, so if an admin wants to make the log files accessible to non-root, they merely have to change the permissions on the dir itself and the files will already be correctly setup. It was only removing the executable bit that I really wanted to sort out. Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=| _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel