On Thu, Feb 15, 2001 at 06:55:51AM +0000, Dr A V Le Blanc wrote:
> coda itself anywhere under /usr.  The real pain is tweaking any
> Linux distribution to deal with shared /usr on a particular
> client.  This is one reason why I feel the distributions and
> both rpm and dpkg fail to support this kind of installation
> adequately.

One problem that is very hard to resolve is the non-shared configuration
files in /etc. When some of the binaries in /usr are updated, this might
require an update to the configuration on all clients. So there should be
some way of installing multiple versions of a binary/package and leaving
it up to the clients to upgrade.

So the problem turns into having an `unpacked' package in some place in
/coda, with pre/post install/remove scripts which create links from the
local /usr tree to the various binaries. Which is exactly what "depot" is
doing (and in some ways "stow", a simpler version of "depot").

> in AFS.  With Coda you can put the suid programs there, but not
> sgid, of course.  (Thus in the previous example, where /usr is
> a link into /coda, /usr/bin/man may have to be a link out of /coda,
> if it is a sgid program.)

Ehh, not anymore. We didn't like the security "feature" of some user who
has `root' on one client being able to install suid-root binaries, which
can then be executed on any other Coda client. Suid bits should be a per
machine policy, so Coda now correctly filters them out. And no, there is
no option to disable this filtering of suid bits.

If anybody wants suid binaries in /coda, here is what I've been using:

- Get the program "super" and install it on the local disk on every
  client (f.i. /bin).

- For each suid binary in Coda,
      mv binary binary.su && ln -s /bin/super binary

- For each sgid binary in Coda,
      mv binary binary.sg && ln -s /bin/super binary

- Create a super.tab file similar to the following:

      #!/bin/super -o
      :global_options logfile=/var/log/super.log renewtime=y

      {binary,binary2,binary3}  /coda/usr/sbin/*.su  user~* uid=0
      mail  /usr/bin/mail.sg  user~* uid=<caller> gid=mail \
            env=PAGER,LISTER,EDITOR,VISUAL,MAIL,MBOX,DEAD

- Install the super.tab in /etc on every client. Now any client can
  modify his local suid policies without compromising everything else.

Super nicely strips out environment variables, which breaks some programs
like setuid cgi-scripts, so I'm using the following recipe for those:

    jitterbug  /coda/cgi-bin/*.su \
        env=CONTENT_LENGTH,REQUEST_METHOD,QUERY_STRING,PATH_INFO,SCRIPT_NAME,AUTH_TYPE,REMOTE_USER,REMOTE_HOST,REMOTE_ADDR \
        nobody

Jan

Received on 2001-02-15 09:32:52
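The per-binary mv/ln -s steps from the mail, as an added example script that is not part of the original message or of Coda: it walks a tree, renames every setuid file to `.su` and every setgid file to `.sg`, and puts a symlink to `super` in its place, skipping anything already wrapped so it can be re-run. The `wrap_privileged` and `count_wrappers` function names and the default `/bin/super` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail). Rewrites every setuid/setgid
# file under DIR into the layout the mail describes for use with super:
#   setuid binary -> binary.su, and binary becomes a symlink to SUPER
#   setgid binary -> binary.sg, and binary becomes a symlink to SUPER
# Files that already carry a .su/.sg suffix are left alone, so running the
# script again after new binaries land in /coda is a no-op for old ones.
# Usage: wrap_privileged DIR [SUPER]   (SUPER defaults to /bin/super)
wrap_privileged() {
    dir=$1
    super=${2:-/bin/super}
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    # -type f never matches symlinks, so existing wrappers are skipped.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) |
    while IFS= read -r bin; do
        case "$bin" in
            *.su|*.sg) continue ;;   # already wrapped
        esac
        if [ -u "$bin" ]; then
            suffix=su               # setuid (takes precedence if both set)
        else
            suffix=sg               # setgid only
        fi
        # Only the renamed copy keeps its mode bits; the client-local super
        # binary and its /etc/super.tab decide whether they are honoured.
        mv "$bin" "$bin.$suffix" && ln -s "$super" "$bin"
    done
}

# Number of wrappers under DIR, i.e. symlinks whose target is SUPER.
count_wrappers() {
    find "$1" -type l -lname "$2" | wc -l | tr -d ' '
}
```

Run it on a checked-out copy of the tree before publishing it into /coda, with `super` already installed on each client at the path given as the second argument.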