[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde
Subject:    re: kscd, CDDB, and krabber
From:       Cris Wade <quade () therim ! net>
Date:       1999-08-01 18:31:42
[Download RAW message or body]

>Can't check right now, but it sounds like those directories just
>contain the CD-database.  It does not contain any executables or
>anything relevant.  The only risk (if I'm correct) is that somebody
>else could change the track titles of your favourite CD.  ;-)

	well, this system will be possibaly used by many users, some of
whom I have no idea of there intentions and skill level.  also, this opens
up the possibility of a user compleatly filling up the partision (/opt)
with useless information.  I guess I could put quotas on this file system,
but this is the only world writable part of the file system (/opt is on a
seperate partision).  It seams rather wastefull to apply quotas to
something that noone, except root has permision to write to in the first
place.  I guess what I am getting to is that with kscd, wouldent it be a
better solution for each user to keep his own local CDDB cache in his home
directory, just like netscape keeps the cache of each user seperate.
While this may slow things down a little, it would greatly increase
security on systems that have multiple users (ether through X terminals or
just a system that is in a semi-public area).  Another solution would be
to ether send all CDDB database requests to a SQL server (mySQL for
instance), or have a kscd helper program that runs SUID post the CDDB
entries.  Both of these solutions have drawbacks.  a SQL server is
overkill for all but the largest CD collections, and SUID programs have
there own problems.

>Well, as I said, I suppose the software does not 'depend' on deleting
>other users' files, but the concept is that all users share a common
>CD-database (which is mainly a cache for the cddb on the internet).
>If every CD has its own file you should not need to delete anything
>(not anybody elses nor your own) so there should be no problem.  If an
>app crashes because it cannot delete an entry from the database I'd
>say don't use it.
>
>>> Secondly, is this a problem with all KDE
>>> installs, or is it just a slackware specific problem.
>>
>> Probably it's a problem caused by installing a tar-packed library. The tar-file
>> contains the permissions of the files and directories as they were at the moment of
>> generating the tar-file and if you install it, you get them all. As I said, as long as 
>> you are the only user, it doesn't really matter. If you want to check the permissions
>> before installing a tar-archive, you could take a look on the output of
>>             tar    -tvf    tarfilename
>            
>As I said I can't check, but it seem quite logical to me to give
>rw-permission to everyone if you use a shared database for all users.
>Obviously you could create a group (say cddb) and change permissions
>to 770 and 660, but I don't think that's generally a security concern.

This only particaly solves the problem, anyone who can write to the CDDB
directory, can still deleate other users files or fill up the partision.  

Thanks

Cris Wade

-- 
Send posts to:  kde@lists.netcentral.net
 Send all commands to:  kde-request@lists.netcentral.net
  Put your command in the SUBJECT of the message:
   "subscribe", "unsubscribe", "set digest on", or "set digest off"
PLEASE READ THE ARCHIVED MESSAGES AT http://lists.kde.org/ BEFORE POSTING
**********************************************************************
This list is from your pals at NetCentral <http://www.netcentral.net/>

[prev in list] [next in list] [prev in thread] [next in thread]