Restricting owner permissions for software depots

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x78043d853cd9d5118ff40090279cd0f9,00.html

That thread isn't the same as my question - that refers to who has permissions on the depot/package. I want to know how to restrict permissions *within* a developer created package...

Are you installing the package as the root user or as another user?

Write a script to "browse" their package to ensure that they haven't done such. Also, if they have root on their development machine and they chmod 7555 on ksh and put it into their package, then it will come over with 7555 without the file_permission attribute.

You could easily set a policy regarding "packages" and anyone found "cheating" will be reprimanded. Before an install do this:

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; >/tmp/pre_modes

then after the install do this:

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; >/tmp/post_modes
diff /tmp/pre_modes /tmp/post_modes

If there are differences that are not documented, then act on it.

There are legitimate reasons for having files set with root ownership and/or setuid/gid. If it's not documented that this will occur, then again act on it.

live free or die
harry

Oh well - I'd hoped that there would be an easy answer to this...

I'll just have to strictly control the PSF - doing a tripwire scan of all important files will be too time consuming after every package install! (Not just checking for suid files as they could do much much worse!)

dave