[PVE-User] /usr/local permissions
Alain Péan
alain.pean at lpp.polytechnique.fr
Mon Feb 27 17:25:45 CET 2012
On 27/02/2012 15:02, Timh B wrote:
> I'm unsure if this question has been asked before, but today I noticed
> that almost everything below /usr/local on the hardware-node has the
> setuid-bit set, is this intentional or is it a misconfiguration? Most of
> my debian-6 guests have these permissions as well, therefore I wanted to ask
> before I removed all setuid bits.
Hi Tim,
You are right, I never noticed that, but it does not seem to be related
to Proxmox-ve per se. It is also the case for one of my (physical)
machines, which was upgraded from Lenny to Squeeze (pure Debian):
lx-ape2:/usr/local# cat /etc/debian_version
6.0.3
lx-ape2:/usr/local# ls -l
total 28
drwxrwsr-x 2 root staff 4096 12 nov. 2006 bin
drwxrwsr-x 2 root staff 4096 12 nov. 2006 games
drwxrwsr-x 2 root staff 4096 12 nov. 2006 include
drwxrwsr-x 5 root staff 4096 29 nov. 22:07 lib
lrwxrwxrwx 1 root staff 9 12 nov. 2006 man -> share/man
drwxrwsr-x 2 root staff 4096 12 nov. 2006 sbin
drwxrwsr-x 9 root staff 4096 3 janv. 22:15 share
drwxrwsr-x 2 root staff 4096 12 nov. 2006 src
It is also curious that /usr/local belongs to the group staff. I don't
see this for example on an Ubuntu 10.04, or a CentOS, where /usr/local
belongs to root:root, and where there is no suid bit...
The same is true for 1.9, as well as 2.0: /usr/local folders have the suid
bit and belong to the staff group:
srv-kvm1:/etc# pveversion
pve-manager/1.9/6567
srv-kvm1:/usr/local# ls -l
total 32
drwxrwsr-x 2 root staff 4096 sep 29 2009 bin
drwxrwsr-x 2 root staff 4096 sep 29 2009 etc
drwxrwsr-x 2 root staff 4096 sep 29 2009 games
drwxrwsr-x 2 root staff 4096 sep 29 2009 include
drwxrwsr-x 3 root staff 4096 jan 30 2010 lib
lrwxrwxrwx 1 root staff 9 oct 12 2009 man -> share/man
drwxrwsr-x 2 root staff 4096 sep 29 2009 sbin
drwxrwsr-x 4 root staff 4096 oct 12 2009 share
drwxrwsr-x 2 root staff 4096 sep 29 2009 src
So perhaps something peculiar to Debian?
And indeed, after a short search, it seems to be a Debian policy:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
Alain
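
Added example, not part of the original message or of any Debian or Proxmox VE tooling: the listings above show `drwxrwsr-x` (mode 2775), where the `s` sits in the group triplet of a directory, and this sketch reports such directories separately from regular files that carry setuid or setgid. The helper names `list_tagged` and `audit_special_bits` are hypothetical.

```shell
#!/bin/sh
# Added example: audit_special_bits and list_tagged are hypothetical helper
# names, not part of Debian or Proxmox VE.

# list_tagged LABEL ROOT FIND-TESTS...: print "LABEL PATH" for every match.
list_tagged() {
    label=$1 root=$2
    shift 2
    find "$root" "$@" -exec sh -c \
        'l=$1; shift; for p; do printf "%s %s\n" "$l" "$p"; done' sh "$label" {} +
}

audit_special_bits() {
    root=${1:-/usr/local}
    # Directory with setgid (2000): new entries inherit the directory's group.
    # It does not change the uid or gid of any process run from it.
    list_tagged setgid-dir "$root" -type d -perm -2000
    # Regular file with setuid (4000): executes with the file owner's uid.
    list_tagged setuid-file "$root" -type f -perm -4000
    # Regular file with setgid (2000): executes with the file's group id.
    list_tagged setgid-file "$root" -type f -perm -2000
}

# Run as: sh audit.sh /usr/local
if [ "$#" -gt 0 ]; then
    audit_special_bits "$1"
fi
```

For entries reported as `setgid-dir` that are also group-writable, the practical question is who belongs to the owning group; `getent group staff` lists those members.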