It's not clear why anyone other than the superuser needs to be able to
descend into /run/knot-resolver, so we should drop this extra
permission.

It appears to have been added in
e0f33604fac3bdd6f105ed0c50a4a08f562c72f8, but the log message for that
commit doesn't explain why the permission needs to be loosened.

The main situation that calls for executable but not readable
directories is when a directory contains something at a known location
that everyone must be able to reach, but also contains some sensitive
file with a name that itself is unguessable (i.e. a high-entropy
string). That doesn't appear to be the case here.

By the principle of least privilege, we should leave it locked down unless
there's a clear justification for opening it up.

# tmpfiles.d(5) runtime directory for knot-resolver (kresd)
#Type Path Mode UID GID Age Argument
- d /run/knot-resolver 0751 root root - -
+ d /run/knot-resolver 0750 root root - -
d /var/cache/knot-resolver 0750 knot-resolver knot-resolver - -
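
Review bot: The changed `/run/knot-resolver` line drops the only permission bit that let a non-root account traverse the directory, and the hunk gives no sign that the service account was checked against that. The directory stays `root root`, while the unchanged `/var/cache/knot-resolver` line is owned by `knot-resolver knot-resolver`, which suggests the daemon runs as that user. If it does, and it has to open or create anything under `/run/knot-resolver` after dropping privileges, mode 0750 with group root will lock it out. Please confirm in the commit message that no unprivileged process needs to reach paths in this directory. If one does, setting the GID column to `knot-resolver` and keeping 0750 grants traversal to the service account alone and still removes access for everyone else, which is tighter than restoring 0751.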