F8 postmortem

Francois Petillon fantec at proxad.net
Thu Nov 8 20:21:31 UTC 2007


Matt Domsch wrote:
> Permissions on dirs/files on the mirror should be revisited.
> All directories should be 0750 and files should be 0640 before the
> bitflip, to prevent leaks. vsftpd will serve a file with a known name
> and perms 0644 even if the directory or one above it is 0750.  Apache
> won't.  Let's be sure to use these permissions.

I disagree. This is typically a server setup issue, not a permission 
issue. If vsftpd serves such files, it means it has the right to access 
the directory (so it is run with the same UID as rsync or it is in the 
same group). If the files are group readable, then technically, vsftpd 
has the right to read them just like it has the right to access the 
directory path. Doing 0640 on files will block vsftpd access if and 
only if the admin has enabled anon_world_readable_only.

I would advocate for a release root-only bitflipped to get updates as 
simple as possible. As admins are usually asked to schedule an at job to 
run an rsync/chmod at release date/time, KISS... ;-)

If you really want to avoid leaks, then perhaps you should test mirrors 
with a special directory to reproduce usual release rights and check 
from time to time whether this directory's contents are unreadable.

François
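An added illustration of the canary check suggested in the last paragraph (example code written for this archive page, not from the thread or from Fedora infrastructure). It assumes each mirror carries a constructed test tree `.release-canary/canary.txt` created with the same ownership, modes and server configuration as an embargoed release, containing the marker text `CANARY`; a mirror that returns that marker over HTTP or FTP is serving pre-release-style content and should be flagged.

```python
"""Poll mirrors for a canary file that should be unreadable before release."""
import urllib.error
import urllib.request

# Hypothetical path agreed with mirror admins; not a real Fedora path.
CANARY_PATH = ".release-canary/canary.txt"
CANARY_MARKER = b"CANARY"


def fetch_status(url, timeout=10):
    """Return (status, first 4 KiB of body). urllib handles http(s) and ftp URLs.
    status is None when the mirror could not be reached at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "mirror-canary-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # FTP responses carry no numeric code; a readable body counts as 200.
            return resp.getcode() or 200, resp.read(4096)
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, OSError):
        # Covers FTP 550 (permission denied / not found) and network errors.
        return None, b""


def classify(status, body):
    """Map a response to a verdict: 'LEAK', 'ok', 'unreachable' or 'unexpected'."""
    if status is None:
        return "unreachable"
    if status == 200 and CANARY_MARKER in body:
        return "LEAK"  # the canary was served: permissions or server config are wrong
    if status in (403, 404):
        return "ok"  # directory walk or file read was refused
    return "unexpected"  # e.g. a 200 with an index page or a redirect target


def check_mirrors(bases, fetch=fetch_status):
    """Return {mirror_base: verdict}; `fetch` is injectable for offline testing."""
    results = {}
    for base in bases:
        status, body = fetch(base.rstrip("/") + "/" + CANARY_PATH)
        results[base] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    for mirror, verdict in check_mirrors(sys.argv[1:]).items():
        print(f"{verdict:11} {mirror}")
```

Run it from cron with the mirror base URLs as arguments and alert on any `LEAK` line; `unreachable` for an FTP mirror is ambiguous (550 and a dead host look alike to urllib), so confirm those by hand.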
