Making everything executable in config_dir sounds wrong

[amishmm]

usermin/setup.sh

Line 629 in 8bc6f5c

chmod -R 755 $config_dir

This line makes everything under config directory (normally /etc/usermin) world executable, including all the config files and var-path, perl-path, version, webmin.acl, miniserv.users, miniserv.conf etc

Which is wrong.

Probably only 2 files, named start and stop require executable permissions.

So please fix it.

Thank you

[jcameron]

The directories need to be executable so that they can be listed though, and there's no simple portable way to have a chmod command set different permissions on files vs. directories.

[amishmm]

This is not the case for webmin. i.e. /etc/webmin seems to set permission properly.

If you just want to set permissions on directory then its easy.

find "$config_dir" -type d -exec chmod 755 {} \+

For permissions on files:

find "$config_dir" -type f -exec chmod 644 {} \+

You can also combine above two.

find "$config_dir" -type d -exec chmod 755 {} \+ -o -type f -exec chmod 644 {} \+

[swelljoe]

As far as I know, find is as portable as you'd need for this. The BSDs and Linux are all identical (with regard to the -type flag and its options and -exec, though there were some historic implementations that had differences in -exec, I don't think any of those UNIXen still exist).

[jcameron]

Is there any downside to making config files executable though?

[amishmm]

That's a strange and unexpected question from you!

Basic principle of *NIX security is not to make files executable unless they are actually meant to be executed.

Executable permission may not harm but no security expert would recommend doing it because you never know, there can be flaw anywhere in software.

[iliajie]

@amishxda I don't think you getting the things right, sorry. You need +x bit on the directory to open it. Try removing it from the directory and see what happens.

https://unix.stackexchange.com/q/21251/34581

[amishmm]

Yes so why give 755 to all the files under it? (why -R switch?)

Use find and chmod combination above which will chmod only directories.

PS: You probably missed my 2nd comment here #38 (comment)

[jcameron]

All those files are just config files though .. even with the executable bit, they can't be run!

[amishmm]

They can be run - the shell will try to run and set environment and then do nothing and exit.

Ofcourse it wouldnt make much sense.

But still all I am saying is, if files are not meant to be executed - the executable bit should not be set unnecessarily. Any "unknown" flaw in usermin can be exploited. (even if chances are very remote)

[amishmm]

Created PR #39.

Note that "find" command is portable and is already used at other places in setup.sh

config files anyway has 644 - so no need to chmod them.

[amishmm]

Closing as issue is fixed by:
PR: #39
Commit: 12a5e70