Re: Confusing security report
- In reply to: D'Arcy Cain : "Re: Confusing security report"
Date: Sun, 09 Jun 2024 16:09:37 UTC
D'Arcy Cain <darcy@druid.net> writes:

> I thought I explained that but let me expand. I have a login.conf in
> my subversion repository which is checked out on every server in my
> farm. At boot time it runs this command:
>
> cap_mkdb -f /etc/login.conf /Vybe/etc/general/login.conf
>
> So that creates the /etc/login.conf.db. If that db file exists it
> will be used regardless of whether /etc/login.conf exists.
>
> I thought I could simply symlink the repo file into /etc but I am
> pretty sure that would give me the same ownership warning.

It will make the same test against the real file. If that gives you a warning, I'd be inclined to tighten up how the repo gets checked out.

This does suggest that maybe a similar check should be made on the .db file, though. I'm not sure exactly how that should be implemented; for my own purposes I would automatically regenerate the db, but I'm not sure there's any one action that would be appropriate for everyone.

For cases where you know for sure that this check is always a false positive, disabling the check is easy. For more complicated local situations, customizing the logincheck script is only slightly more complicated.

In short, there are a lot of reasonable ways to deal with this situation. Season to taste.

Be well.
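
Added example, not part of the original message or of the system's own security script: a shell function that applies the same owner and write-permission test to both the source file and the compiled .db, and also flags a .db that is older than its source. The function name `check_capfile` and its three arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not the stock logincheck): audit a capability source
# file and the .db compiled from it.
#   check_capfile SRC DB OWNER
# OWNER is a user name or numeric uid. One finding per line on stdout;
# returns 1 if there was any finding, 0 otherwise.
check_capfile() {
    src=$1 db=$2 owner=$3 rc=0
    for f in "$src" "$db"; do
        # A missing file is not a finding here: the .db alone is enough
        # for lookups, and a missing .db falls back to the source.
        [ -e "$f" ] || continue
        # -L follows symlinks, so a symlinked repo file is tested as the
        # real file, which is what the reply says the stock check does.
        if [ -n "$(find -L "$f" -prune ! -user "$owner")" ]; then
            echo "$f: not owned by $owner"
            rc=1
        fi
        if [ -n "$(find -L "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "$f: group or world writable"
            rc=1
        fi
    done
    # A .db older than its source no longer reflects what was reviewed.
    if [ -e "$src" ] && [ -e "$db" ] &&
       [ -n "$(find -L "$src" -prune -newer "$db")" ]; then
        echo "$db: older than $src, regenerate with cap_mkdb"
        rc=1
    fi
    return $rc
}

# Usage with the paths from the message above:
#   check_capfile /Vybe/etc/general/login.conf /etc/login.conf.db root
```

Whether a stale .db should be regenerated automatically or only reported is the local decision the reply leaves open; this function only reports.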