From kde Sun Aug 01 18:31:42 1999
From: Cris Wade
Date: Sun, 01 Aug 1999 18:31:42 +0000
To: kde
Subject: re: kscd, CDDB, and krabber
X-MARC-Message: https://marc.info/?l=kde&m=93353211224086

>Can't check right now, but it sounds like those directories just
>contain the CD-database. It does not contain any executables or
>anything relevant. The only risk (if I'm correct) is that somebody
>else could change the track titles of your favourite CD. ;-)

Well, this system will possibly be used by many users, some of whom I
have no idea of their intentions and skill level. Also, this opens up
the possibility of a user completely filling up the partition (/opt)
with useless information. I guess I could put quotas on this file
system, but this is the only world writable part of the file system
(/opt is on a separate partition). It seems rather wasteful to apply
quotas to something that no one, except root, has permission to write
to in the first place.

I guess what I am getting to is that with kscd, wouldn't it be a
better solution for each user to keep his own local CDDB cache in his
home directory, just like Netscape keeps the cache of each user
separate. While this may slow things down a little, it would greatly
increase security on systems that have multiple users (either through
X terminals or just a system that is in a semi-public area).

Another solution would be to either send all CDDB database requests to
a SQL server (MySQL for instance), or have a kscd helper program that
runs SUID to post the CDDB entries. Both of these solutions have
drawbacks. A SQL server is overkill for all but the largest CD
collections, and SUID programs have their own problems.

>Well, as I said, I suppose the software does not 'depend' on deleting
>other users' files, but the concept is that all users share a common
>CD-database (which is mainly a cache for the cddb on the internet).
>If every CD has its own file you should not need to delete anything
>(not anybody else's nor your own) so there should be no problem. If an
>app crashes because it cannot delete an entry from the database I'd
>say don't use it.
>
>>> Secondly, is this a problem with all KDE
>>> installs, or is it just a Slackware specific problem.
>>
>> Probably it's a problem caused by installing a tar-packed library. The tar-file
>> contains the permissions of the files and directories as they were at the moment of
>> generating the tar-file and if you install it, you get them all. As I said, as long as
>> you are the only user, it doesn't really matter. If you want to check the permissions
>> before installing a tar-archive, you could take a look at the output of
>> tar -tvf tarfilename
>
>As I said I can't check, but it seems quite logical to me to give
>rw-permission to everyone if you use a shared database for all users.
>Obviously you could create a group (say cddb) and change permissions
>to 770 and 660, but I don't think that's generally a security concern.

This only partially solves the problem; anyone who can write to the
CDDB directory can still delete other users' files or fill up the
partition.

Thanks
Cris Wade
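
The permission check suggested in the quoted reply (`tar -tvf tarfilename`), automated as an added example that is not part of the thread and is not KDE code. The archive layout under `opt/example` and the function names are constructed for illustration; the check reports entries that would be unpacked world-writable, which is the condition discussed above.

```python
import io
import stat
import tarfile

# Constructed sample layout (hypothetical paths): a shared CD database tree.
SAMPLE = [
    ("opt/example/bin/player", 0o755, False),
    ("opt/example/cddb", 0o777, True),
    ("opt/example/cddb/rock", 0o1777, True),
    ("opt/example/cddb/rock/0a0b0c0d", 0o666, False),
]


def build_sample_archive():
    """Build the constructed archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in SAMPLE:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)  # zero-length entry; only the metadata matters
    buf.seek(0)
    return buf


def risky_members(tar):
    """Return (name, mode string, risk) for entries writable by every user."""
    findings = []
    for m in tar.getmembers():
        if not (m.isdir() or m.isreg()) or not m.mode & stat.S_IWOTH:
            continue
        kind = stat.S_IFDIR if m.isdir() else stat.S_IFREG
        if not m.isdir():
            risk = "any user can rewrite this file"
        elif m.mode & stat.S_ISVTX:  # sticky bit: deletion limited to owners
            risk = "any user can add files and fill the partition"
        else:
            risk = "any user can add, delete or replace entries"
        findings.append((m.name, stat.filemode(kind | m.mode), risk))
    return findings


def scan_sample():
    """Scan the constructed archive and return its findings."""
    with tarfile.open(fileobj=build_sample_archive()) as tar:
        return risky_members(tar)


if __name__ == "__main__":
    for name, mode, risk in scan_sample():
        print(f"{mode}  {name}: {risk}")
```

A tree using the group scheme from the quoted reply (770 and 660) produces no findings here, because only the world-write bit is checked.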