Help with permissions under Rainbow sought

Michael Stone michael at laptop.org
Sun Apr 18 11:10:33 EDT 2010


Bert Freudenberg wrote:
>On 18.04.2010, at 14:10, Sascha Silbe wrote:
>> On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
>>
>>> Rainbow changes UID for every invocation [...]
>>
>> Yes, that's the default behaviour. Rainbow can be instructed to use a
>> constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a
>> file activity/permissions.info, containing "constant-uid" on a single line.
>>
>> This is the least preferable solution, though.
>> 
>>> Apparently the create mask rainbow uses is 755 and group members do not
>>> have write access.
>>
>> It's not Rainbow that decides this.
>
>But arguably Rainbow could set a better default, no? Making files group-writable?

Rainbow actually calls os.umask(0) here:

   http://dev.laptop.org/git/security/tree/rainbow/rainbow/inject.py#n263

However, it's entirely possible that some other logic in your program is
setting umask(022) or is creating files with an explicitly specified mode. (You
may recall that xulrunner's behavior here was the reason why constant-uid was
introduced.)

>Hmm, how do I test if Rainbow is enabled, in a shell script, again?

If you mean "is sugar going to launch the next activity it launches under
rainbow?", then test for the presence of /etc/olpc-security, e.g. with

   if [ -f /etc/olpc-security ]; then ... fi

If you mean "is my script currently running under rainbow?", then I don't have a
perfect answer for you this instant. 

(A good but imperfect answer is to test whether getuid() > 10000 and
getgid() > 10000, e.g. by parsing the output of the "id" command.) 

Regards,

Michael
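
Added example, not part of the original message and not Rainbow's own code: a Python sketch of the umask point above. It shows that a umask of 0 inherited from the launcher yields group-writable files only if the program neither resets the umask to 022 nor passes an explicit restrictive mode when creating the file. The helper names created_mode and group_writable are hypothetical.

```python
import os
import stat
import tempfile


def created_mode(umask, requested_mode):
    """Create a file with os.open(..., requested_mode) while `umask` is in
    effect and return the permission bits the file actually ends up with."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "sample")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL,
                         requested_mode)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # always restore the caller's umask


def group_writable(mode):
    """True if the group-write bit is set in `mode`."""
    return bool(mode & stat.S_IWGRP)


# Constructed cases: (description, umask in effect, mode passed to open()).
CASES = [
    ("umask 0 inherited from launcher, default mode 0666", 0o000, 0o666),
    ("program resets umask to 022, default mode 0666", 0o022, 0o666),
    ("umask 0, but explicit mode 0644 passed to open()", 0o000, 0o644),
]


def report():
    """Return (description, resulting mode, group-writable?) per case."""
    rows = []
    for label, umask, requested in CASES:
        mode = created_mode(umask, requested)
        rows.append((label, mode, group_writable(mode)))
    return rows


if __name__ == "__main__":
    for label, mode, gw in report():
        print(f"{label}: {mode:04o} group-writable={gw}")
```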


