avoided setting setuid/setgid bits on files

2017-06-15 12:25:02 -06:00 · 2017-06-15 12:25:02 -06:00 · 63d19dad6a
parent dc226f8531
commit 63d19dad6a
1 changed files with 11 additions and 2 deletions
--- a/install.sh
+++ b/install.sh
@ -274,5 +274,14 @@ $sudo_cmd chown -R www-data:www-data /opt/walnut || true
 $sudo_cmd chown -R _www:_www /opt/walnut || true
 $sudo_cmd chown -R www-data:www-data /srv/walnut || true
 $sudo_cmd chown -R _www:_www /srv/walnut || true
-$sudo_cmd chmod -R ug+rwXs /srv/walnut
-$sudo_cmd chmod -R ug+rwXs /opt/walnut
+$sudo_cmd chmod -R ug+rwX /srv/walnut
+$sudo_cmd chmod -R ug+rwX /opt/walnut
+# +s sets the setuid/setgid bit, which when set on directories makes it so anything
+# created inside the directory maintains the same user/group (depending on the bits
+# set). Any directory created within a directory with those bits set will also have
+# those bits set. When setuid or setgid bits are set on a file however it means that
+# if the file is executed it will run with the permissions of the user/group no matter
+# who actually runs it (see the ping executable for example).
+# I'm not sure that all systems actually support the use of these bits.
+find /srv/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true
+find /opt/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true