Extending fcopy

Janning Vygen vygen at planwerk6.de
Mon Dec 11 12:17:24 CET 2006


On Sunday, 10 December 2006 19:25, Michael Tautschnig wrote:
> > On Friday, 8 December 2006 16:48, you wrote:
> > > > > > - some -k/--keep option (which I'd rather call --keep-permissions
> > > > > > :-)
> > >
> > > [...]
> > > If a file permission gets borked it will never be fixed by a
> > > softupdate.
> >
> > you don't need to use the -k (keep-permissions) option, so softupdate can
> > fix it. But why should it be broken anyway?
>
> Never trust your system. Never.

You are right, but that doesn't mean to use FAI to make it more trustworthy.
If something/someone changes permissions on your system it should be detected 
by something like an IDS and not corrected silently by FAI softupdate. 

> > > In the case that it's not root:root 644 it has in most cases a special
> > > reason.  If the file is missing there is nothing to preserve, what to use
> > > then?
> >
> > then use -M, -m or source file permissions as it is right now.
>
> I'd say the patch should add 2 warnings:
> - One to be displayed in case there is a destination file
> - Another one in the man page: WARNING: -k might introduce a security hole
> in case the permissions of the destination file have been altered
> unexpectedly.

good idea. Warnings are always useful.

> Then, well, it's up to the FAI-user to use -k or not.

exactly.

> Return codes and fcopy to me is a somewhat strange thing. The current
> default behaviour is that preserving a file is treated as an error and a
> non-zero exit status is returned.
>
> In my opinion fcopy should only return something other than 0 if an error
> occurred. And preserving a file is not an error IMHO.
>
> As such I'd go for the following: Return 0 unless anything inside fcopy
> (which includes preinst/postinst) went wrong. To find out, whether files
> have been altered or not (which includes changing permissions), I'd prefer
> an output like the following (more or less proper perl, but I guess you get
> the idea):
>
> if( $changed )
> {
>   print "fcopy is updating $file:\n";
>   print "\t Copied $src to $dest\n" if( $copied );
>   print "\t Permissions set to $perm\n" if( $perm_changed );
> }

I would rather stick to the output fcopy uses today. I don't think that we 
need to distinguish between content and permission change. A script could 
always analyze the situation further if it needs more information.

> Then, one could do the following:
>
> fcopy ... /etc/postgresql | grep -q "fcopy is updating" &&
> /etc/init.d/postgresql restart

Yes, I guess you are right.  I just started to do some tests with fcopy
returning "useful" exit codes but it is rather strange. Just printing out
what has changed is a rather small patch.

kind regards,
Janning

> Best,
> Michael

-- 
PLANWERK 6 websolutions
Venloer Straße 8, 40477 Düsseldorf
Tel: (0211) 302666-0
Fax: (0211) 302666-10 
http://www.planwerk6.de/
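
The concern discussed in this thread, that unexpectedly altered permissions on a destination file should be detected rather than silently kept or corrected, sketched as an added example that is not part of the original message and not FAI code. The function names and the manifest format are assumptions, and it requires GNU stat (coreutils).

```shell
#!/bin/sh
# Added example (not FAI code): record owner and mode of destination files
# once, then report any drift before a run that would keep the destination
# permissions. Paths containing newlines are not supported.

# record_baseline FILE...
# Prints one "uid:gid mode path" line per file; redirect into a manifest.
record_baseline() {
    for f in "$@"; do
        stat -c '%u:%g %a %n' -- "$f" || return 2
    done
}

# check_drift MANIFEST
# Prints one WARNING line per missing or drifted file.
# Returns 0 if every file still matches the baseline, 1 otherwise.
check_drift() {
    manifest=$1
    rc=0
    while read -r want_owner want_mode path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "WARNING: $path is missing (baseline $want_owner $want_mode)"
            rc=1
            continue
        fi
        have=$(stat -c '%u:%g %a' -- "$path")
        if [ "$have" != "$want_owner $want_mode" ]; then
            echo "WARNING: $path is $have, baseline is $want_owner $want_mode"
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

A non-zero return from `check_drift` is the signal to investigate before permissions are preserved as they are.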


