/tmp should be world-writable

2018-07-19 14:09:49 +09:00 · 2018-07-19 14:09:49 +09:00 · f3b818c3e5
commit f3b818c3e5
parent 8fefbe9e73
1 changed files with 11 additions and 4 deletions
--- a/util/update-devtable.py
+++ b/util/update-devtable.py
@ -4,18 +4,25 @@ import glob
 from pathlib import Path

 with open('util/devtable','w') as devtable:
-    devtable.write('/bin/gsudo f 4555 0 0 - - - - -\n') # sudo always needs setuid
-    devtable.write('/bin/sudo f 4555 0 0 - - - - -\n') # sudo always needs setuid
+
+    # Set sudo apps to setuid, executable, no write
+    devtable.write('/bin/gsudo f 4555 0 0 - - - - -\n')
+    devtable.write('/bin/sudo f 4555 0 0 - - - - -\n')
+
+    # Set master.passwd to not be visible except by root
    devtable.write('/etc/master.passwd f 600 0 0 - - - - -\n') # /etc/master.passwd should be restricted

-    # Now add user home directories
+    # Copy permissions and set ownership for user files
    for user_details in [('local',1000)]:
        user, uid = user_details
        for path in glob.glob('./base/home/{user}/**'.format(user=user),recursive=True):
            p = Path(path)
-            path_mod = path.replace('./base','')
+            path_mod = path.replace('./base','').rstrip('/')
            path_type = 'd' if p.is_dir() else 'f'
            st = os.stat(path)
            mode = '{:o}'.format(st.st_mode & 0o7777)
            devtable.write('{path_mod} {path_type} {mode} {uid} {uid} - - - - -\n'.format(path_mod=path_mod,path_type=path_type,mode=mode,uid=uid))

+    # Special case /tmp to allow all users to write
+    devtable.write('/tmp d 777 0 0 - - - - -\n')
+