On Tue, 2011-04-05 at 03:50 -0400, Kamil Paral wrote:
> > So my proposal is:
> > What about to install fas.conf as 0644 in Makefile and then change
> > it to %attr(0640,autoqa,autotest) in autoqa.spec?
> >
> > This way it should work fine for development machines and production
> > machines. The only change required is in Makefile:
> > -[ -f $(PREFIX)/etc/autoqa/fas.conf ] || install -m 0640 fas.conf
> > $(PREFIX)/etc/autoqa
> > +[ -f $(PREFIX)/etc/autoqa/fas.conf ] || install -m 0644 fas.conf
> > $(PREFIX)/etc/autoqa
>
> Isn't it a bad idea to have fas.conf with permissions other than 0640,
> since it potentially contains a secret? Rather than preparing the
> system for potentially exposing your FAS password, what about just
> ignore fas.conf in 'make install' entirely? Leave it as an exercise
> for
> the developer?
But 644 permissions should be present only when you do 'make install', when
installing from rpm you should get 640. Thus I believe it only concerns developers. We can
also add a big warning into fas.conf saying "Make sure this file is readable only by
root and autotest user if you fill in secret data".
I want to reach a state where you checkout autoqa, make install, and it works. Because
currently it fails and if you're not an autoqa expert, it's very hard to find out
the cause. I'd like to eliminate those roadblocks, otherwise we won't get much
help from the community, students, etc in the future.
If you don't want to change the permissions, the second solution is to add
conditional statement into the Makefile and "chgrp autotest fas.conf" if running
under root and autotest user is present. Thus it won't be executed in mock but it will
be executed for AutoQA developers.
I'll gladly prepare a patch, just tell me which solution you find better. Or is there
a third way?
Maybe a crazy idea, how possible would it be to emit a logging.warning
if fas.conf is world-readable. Something like
http://fpaste.org/R7UB/
If we have that warning, along with future logging improvements, this
seems like a good fit for the 'make install' 644 approach you suggest.
Thoughts?
Thanks,
James