Description of problem:
The latest release of tog-pegasus has all files installed world-unreadable and world-unexecutable. This means it is impossible for a user to link against pegasus libraries, or to run pegasus executables. This is a regression from the release provided in base.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-4.FC5

How reproducible:
always

Steps to Reproduce:
1. try to link against tog-pegasus libraries

Actual results:
EPERM

Expected results:
link succeeds

Additional info:
Removing the world-readable and world-executable bits cannot be explained in terms of security, as users can download the source rpm and build it so it runs in their home directories (or play LD_LIBRARY_PATH games with files extracted from the binary rpm). Reducing access permissions only makes sense for configuration files.
Only members of the 'pegasus' group or root can connect with the cimserver. This extra security was added because the cimserver process runs with root privilege, and can return information to non-root callers that only the root user would otherwise be allowed to see - for instance, the list of ALL running processes. Since all the pegasus libraries are used for communicating with the cimserver, they also should be readable + executable only by root or members of the pegasus group, and the root user sysadmin must make a conscious choice to allow users to talk to the cimserver or use the pegasus libraries by granting them membership of the pegasus group. Making the access change to the libraries means that the cimserver does not have to deny unprivileged users access to itself, and unprivileged users cannot tie up the cimserver with denials (making a DoS attack).

Sorry, but this is the way the pegasus libraries will be installed in the Red Hat tog-pegasus releases, for security reasons - if you don't like it, you can always change the permissions of the libraries yourself:

    # rpm -ql tog-pegasus | grep /usr/lib | while read f; do chmod a+rX "$f"; done
As I pointed out, this has zero effect on security, as users can install the libraries in their home directories and use them (or connect to the socket directly through the TCP ports, using telnet or some other client in a loop). On the other hand, it does affect usability, since now developers cannot link against the libraries. No other package uses permissions on freely-available executables as a means to limit access. Please reconsider. You're not improving security but instead you are making life needlessly harder.
Oh, and changing permissions is not a very good workaround as the next update will overwrite them.
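The thread's conclusion is that restricted modes make sense for configuration files but are a usability regression on libraries and executables. The script below is an added example, not part of the bug report or of the tog-pegasus package: it audits "mode path" lines (the form `rpm -ql PKG | xargs stat -c '%a %n'` produces) and flags both kinds of deviation. The sample file list and every path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a package's installed files.
# Libraries and executables under /usr are expected to be world-readable
# (e.g. 0755); configuration files under /etc are expected NOT to be.
# Input lines are "octal_mode path", e.g. from:
#   rpm -ql PKG | xargs stat -c '%a %n'

# world_readable MODE -> prints "yes" if "others" have the read bit, else "no".
world_readable() {
    mode=$1
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "others"
    case "$other" in
        4|5|6|7) echo yes ;;           # read bit (4) is set
        *)       echo no ;;
    esac
}

# audit_modes reads "mode path" lines on stdin and prints one finding per file:
#   REGRESSION path  - library/binary under /usr that others cannot read
#   EXPOSED    path  - file under /etc that everyone can read
#   ok         path  - nothing to report
audit_modes() {
    while read -r mode path; do
        [ -z "$mode" ] && continue
        r=$(world_readable "$mode")
        case "$path" in
            /etc/*)
                if [ "$r" = yes ]; then echo "EXPOSED $path"; else echo "ok $path"; fi ;;
            /usr/lib*/*|/usr/bin/*|/usr/sbin/*)
                if [ "$r" = no ]; then echo "REGRESSION $path"; else echo "ok $path"; fi ;;
            *)
                echo "ok $path" ;;
        esac
    done
}

# Constructed sample mirroring the bug: a library at 0750 (unusable by
# developers), a daemon at 0755, a restricted config and a world-readable one.
# Paths are placeholders, not the package's real file names.
SAMPLE='750 /usr/lib/libexample.so.1
755 /usr/sbin/exampled
640 /etc/example/server.conf
644 /etc/example/access.conf'

printf '%s\n' "$SAMPLE" | audit_modes
```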
OK, I'll surrender to popular opinion here - the tog-pegasus libraries are now back at mode 0755, in tog-pegasus-2.5.1-5.FC5 / tog-pegasus-2.5.1-6.FC6. Releasing tog-pegasus-2.5.1-5.FC5 to updates/testing today.
Thanks. tog-pegasus-2.5.1-5.FC5 works as expected.