Help with permissions under Rainbow sought

Bert Freudenberg bert at freudenbergs.de
Sun Apr 18 11:22:36 EDT 2010


On 18.04.2010, at 17:10, Michael Stone wrote:
> 
> Bert Freudenberg wrote:
>> On 18.04.2010, at 14:10, Sascha Silbe wrote:
>>> On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
>>> 
>>>> Rainbow changes UID for every invocation [...]
>>> 
>>> Yes, that's the default behaviour. Rainbow can be instructed to use a
>>> constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a
>>> file activity/permissions.info, containing "constant-uid" on a single line.
>>> 
>>> This is the least preferable solution, though.
>>>> Apparently the create mask rainbow uses is 755 and group members do not
>>>> have write access.
>>> 
>>> It's not Rainbow that decides this.
>> 
>> But arguably Rainbow could set a better default, no? Making files group-writable?
> 
> Rainbow actually calls os.umask(0) here:
> 
>  http://dev.laptop.org/git/security/tree/rainbow/rainbow/inject.py#n263
> 
> However, it's entirely possible that some other logic in your program is
> setting umask(022) or is creating files with an explicitly specified mode. (You
> may recall that xulrunner's behavior here was the reason why constant-uid was
> introduced.)

Well, I remember having to put the "umask 0002" call in the Etoys startup script a long time ago. It's still there, but unconditionally. Hence my next question ...

>> Hmm, how do I test if Rainbow is enabled, in a shell script, again?
> 
> If you mean "is sugar going to launch the next activity it launches under
> rainbow?", then test for the presence of /etc/olpc-security, e.g. with
> 
>  if [ -f /etc/olpc-security ]; then ... fi
> 
> If you mean "is my script currently running under rainbow?", then I don't have a
> perfect answer for you this instant. 
> (A good but imperfect answer is to test whether getuid() > 10000 and
> getgid() > 10000, e.g. by parsing the output of the "id" command.)
> Regards,
> 
> Michael

I meant the latter. Guess I won't worry too much, since most distros nowadays use per-user groups anyway.

- Bert -
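The two checks Michael describes, written out as a POSIX sh snippet that an activity startup script could source so that the "umask 0002" line becomes conditional instead of unconditional. This is an added example, not code from the thread or from Rainbow/Etoys; the /etc/olpc-security marker path and the "uid and gid above 10000" heuristic come from the thread, while the RAINBOW_MARKER override and the function names are assumptions introduced so the checks can be exercised on a machine without Rainbow.

```shell
#!/bin/sh
# Added example (not from the thread): make the "umask 0002" in an activity
# startup script conditional on the two Rainbow checks described above.
# Assumptions: RAINBOW_MARKER is a hypothetical override of the marker path
# so the check can be run on a non-XO machine; the uid/gid arguments are
# optional and default to the real ids from id(1).

# Check 1: will Sugar launch the next activity under Rainbow?
# True when the marker file /etc/olpc-security exists.
rainbow_enabled() {
    marker="${RAINBOW_MARKER:-/etc/olpc-security}"
    [ -f "$marker" ]
}

# Check 2 (heuristic, as stated in the thread): is this process itself
# running under Rainbow? Rainbow hands out per-invocation uids/gids above
# 10000, so both ids being above that line is a good but imperfect signal.
running_under_rainbow() {
    uid="${1:-$(id -u)}"
    gid="${2:-$(id -g)}"
    [ "$uid" -gt 10000 ] && [ "$gid" -gt 10000 ]
}

# Choose the umask for the activity: group-writable (0002) only when running
# under Rainbow, where each invocation gets a fresh uid and files created
# 755 would not be writable by the next invocation in the same group.
# Elsewhere keep the usual 0022. Prints the value so a caller can use it.
choose_umask() {
    if running_under_rainbow "$1" "$2"; then
        echo 0002
    else
        echo 0022
    fi
}

# Usage in a startup script: apply the chosen umask before launching the
# activity binary. On a machine without Rainbow this resolves to 0022.
umask "$(choose_umask)"
```

Passing the uid and gid explicitly is only there to make the heuristic testable; in a real startup script the defaults from id(1) are what you want.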
