From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 1 Feb 2018 05:52:07 +0000 (-0500)
Subject: drop world-executable permissions on /run/knot-resolver
X-Git-Tag: v2.1.0~23^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8741d10e46db06a1fb5ab22494a56471293247c;p=thirdparty%2Fknot-resolver.git

drop world-executable permissions on /run/knot-resolver

It's not clear why anyone other that the superuser needs to be able to
descend into /run/knot-resolver, so we should drop this extra
permission.

it appears to have been added
e0f33604fac3bdd6f105ed0c50a4a08f562c72f8, but the log message for that
commit doesn't explain why the permission needs to be loosened.

The main situation that calls for executable but not readable
directories is when a directory contains something at a known location
that everyone must be able to reach, but also contains some sensitive
file with a name that itself is unguessable (i.e. high entropy
string).  That doesn't appear to be the case here.

By principle of least privilege, we should leave it locked down unless
there's a clear justification for opening it up.
---

diff --git a/systemd/tmpfiles/knot-resolver.conf b/systemd/tmpfiles/knot-resolver.conf
index 4801e72f4..9ac595273 100644
--- a/systemd/tmpfiles/knot-resolver.conf
+++ b/systemd/tmpfiles/knot-resolver.conf
@@ -1,4 +1,4 @@
 # tmpfiles.d(5) runtime directory for knot-resolver (kresd)
 #Type Path                            Mode UID           GID          Age Argument
-    d /run/knot-resolver              0751 root          root          -   -
+    d /run/knot-resolver              0750 root          root          -   -
     d /var/cache/knot-resolver        0750 knot-resolver knot-resolver -   -