VMware Cloud Community
rbihlmeyer
Expert

restrictive permissions useful?

Any rationale why most files and directories under /opt/vmware/vcloud-director are not world-readable?

Modes 644 and 755 (where appropriate) would let me do more install tasks as a normal user. I'd prefer only those files unreadable where it actually makes sense...

--
Robert Bihlmeyer / ASSIST / Arrow ECS GmbH
0 Kudos
2 Replies
admin
Immortal

Can you provide examples of what you mean by "install tasks"?

The ownership of the vCD files is set such that the non-privileged vcloud user owns most files and there are a few key files that need to be owned (and only executed) by root. In terms of the file modes, most are restricted to prevent arbitrary (unprivileged) users from having access to them, usually because there is confidential information/credentials in the files that could be used to bootstrap a compromise of the larger system (DB, vSphere, etc.).

0 Kudos
rbihlmeyer
Expert

Kyle Smith <communities-emailer@vmware.com> writes:

> Can you provide examples of what you mean by "install tasks"?

For example, acquiring certificates using keytool.

> The ownership of the vCD files is set such that the non-privileged vcloud
> user owns most files and there are a few key files that need to be owned
> (and only executed) by root. In terms of the file modes, most are restricted
> to prevent arbitrary (unprivileged) users from having access to them, [...]

All files included in the installation package are by definition not secret.
They may become so later, but this only applies to those that are changed.
This is not the case for binaries, libraries, et al.

br,
--
Robert Bihlmeyer / ASSIST / Arrow ECS Internet Security AG

--
Robert Bihlmeyer / ASSIST / Arrow ECS GmbH
0 Kudos
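
Added example, not part of the thread and not VMware's code: one way to find which files in an install tree actually need a restrictive mode, by flagging only world-readable files that contain credential-like lines, plus any world-writable file. The regex, the finding labels and the sample file names are assumptions made for illustration; the sample tree is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic: uncommented property-style lines whose key looks like a secret.
SECRET_LINE = re.compile(
    rb"(?im)^[^#\n]*(password|passwd|secret|private[._-]?key)[^=\n:]*[=:][ \t]*\S+")

def audit_tree(root):
    """Return {relative_path: set_of_findings} for regular files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            issues = set()
            if st.st_mode & stat.S_IWOTH:
                issues.add("world-writable")
            if st.st_mode & stat.S_IROTH:
                try:
                    with open(path, "rb") as fh:
                        if SECRET_LINE.search(fh.read(65536)):
                            issues.add("world-readable-secret")
                except OSError:
                    issues.add("unreadable-by-auditor")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings

def build_sample_tree():
    """Constructed sample: a shipped library plus configs edited after install."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    samples = {
        "lib/app.jar": (b"PK\x03\x04 constructed binary", 0o644),
        "etc/open.properties": (b"db.user = app\ndb.password = example-only\n", 0o644),
        "etc/locked.properties": (b"db.password = example-only\n", 0o600),
        "etc/notes.txt": (b"# password rotation is documented elsewhere\n", 0o666),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, issues in sorted(audit_tree(build_sample_tree()).items()):
        print(rel, sorted(issues))
```

The world-readable library and the mode-600 config produce no findings; only the edited config left at 644 and the world-writable file are reported.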