author: наб <[email protected]> 2021-04-02 16:40:48 +0200
committer: Brian Behlendorf <[email protected]> 2021-04-14 13:19:49 -0700
commit: 718ee43362f477e70d3cd7ad8871a2c575e7a792
tree: 62e1263c9e1a642ac384471698a2eb437f4a3ef2 /man/man8
parent: 01219379cf265ba8d719bca263877529e29a67f7
zed.8: don't pretend an unprivileged user could change the script owner
And add a note on /why/ ZEDLETs need to be owned by root.

Quoth chown(2), Linux man-pages project:
    Only a privileged process (Linux: one with the CAP_CHOWN capability) may change the owner of a file.

Quoth chown(2), FreeBSD:
    [EPERM] The operation would change the ownership, but the effective user ID is not the super-user.

Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Ahelenia Ziemiańska <[email protected]>
Closes #11834
Diffstat (limited to 'man/man8')
-rw-r--r--  man/man8/zed.8.in | 13
1 files changed, 4 insertions, 9 deletions
diff --git a/man/man8/zed.8.in b/man/man8/zed.8.in
index 155148675..eb3b9e015 100644
--- a/man/man8/zed.8.in
+++ b/man/man8/zed.8.in
@@ -117,9 +117,10 @@ ZEDLETs to be invoked in response to zevents are located in the
\fIenabled-zedlets\fR directory. These can be symlinked or copied from the
\fIinstalled-zedlets\fR directory; symlinks allow for automatic updates
from the installed ZEDLETs, whereas copies preserve local modifications.
-As a security measure, ZEDLETs must be owned by root. They must have
-execute permissions for the user, but they must not have write permissions
-for group or other. Dotfiles are ignored.
+As a security measure, since ownership change is a privileged operation,
+ZEDLETs must be owned by root. They must have execute permissions for the user,
+but they must not have write permissions for group or other.
+Dotfiles are ignored.
.PP
ZEDLETs are named after the zevent class for which they should be invoked.
In particular, a ZEDLET will be invoked for a given zevent if either its
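Review bot: the new rationale clause in the added lines ("since ownership change is a privileged operation") is wedged between "As a security measure" and the requirement itself, which makes the sentence hard to parse and leaves the reader to work out why a privileged chown implies anything. Stating the requirement first and the reason second reads more naturally and makes the security argument explicit, e.g. "As a security measure, ZEDLETs must be owned by root: because changing a file's owner is a privileged operation, root ownership cannot be forged by an unprivileged user." The same paragraph still gives no reason for the group/other write restriction; one short clause (a group- or world-writable ZEDLET can be edited by a user who is not its owner) would complete the rationale the commit sets out to add.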
@@ -231,12 +232,6 @@ Terminate the daemon.
.SH BUGS
.PP
-The ownership and permissions of the \fIenabled-zedlets\fR directory (along
-with all parent directories) are not checked. If any of these directories
-are improperly owned or permissioned, an unprivileged user could insert a
-ZEDLET to be executed as root. The requirement that ZEDLETs be owned by
-root mitigates this to some extent.
-.PP
ZEDLETs are unable to return state/status information to the kernel.
.PP
Some zevent nvpair types are not handled. These are denoted by zevent
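Review bot: this hunk drops the whole BUGS paragraph, but only its conclusion is contradicted by the commit message; the first sentence, that the ownership and permissions of the \fIenabled-zedlets\fR directory and its parents are not checked, is a statement of a limitation, and nothing in this diff adds such a check. Since the page also says ZEDLETs may be symlinks, a mis-permissioned directory remains a documented-worthy risk even though the "unprivileged user could insert a ZEDLET" wording was overstated. Suggest keeping a trimmed entry, e.g. "The ownership and permissions of the \fIenabled-zedlets\fR directory (along with all parent directories) are not checked.", or stating in the commit message why the limitation no longer applies. The \fB.PP\fR removal is consistent: \fB.SH BUGS\fR is still followed by a single \fB.PP\fR before the next paragraph.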