fixes in assp 2.5.6 build 17036


fixes in assp 2.5.6 build 17036

Thomas Eckardt/eck
Hi all,

fixed in assp 2.5.6 build 17036:

- the TopTen statistics were somehow inconsistent - 24 hours after an upgrade to this version
  all mistakes will be corrected

- if the Perl-Module autoupdate was unable to update a large module distribution (for example Moose) the update
  process has taken a very long time
 
- ASSP_WordStem.pm version 2.02 is released
  It was possible, that a language, which can't be stemmed (e.g. no stemmer module available), was primary
  detected - but an alternative language with a similar probability was available.
  For example: primary detected BG (Bulgarian) 34% - secondary detected RU (Russian) 29%
  In this case, the alternative language is now used to stem words.

Thomas

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: fixes in assp 2.5.6 build 17036

Doug Lytle
On 02/05/2017 06:34 AM, Thomas Eckardt wrote:
> Hi all,
>
> fixed in assp 2.5.6 build 17036:

Thomas,

I've just noted that in build 2.5.6(17026) under Linux, ASSP is setting
the execute bit on all files in the ASSP directory.

Doug



Re: fixes in assp 2.5.6 build 17036

Thomas Eckardt/eck
IMHO for the running user the execution bit was set (owner) all the time a folder or file was created - except for the 'mysql/export'.
If assp starts as 'root' and switches to (for example) 'assp' - all files and folders created at startup are owned by root and can't be deleted by assp.
ASSP now changes the owner to 'assp' - this is what you see.

The reason is simple. Let's have a look at the BerkeleyDB files. If they do not exist at startup, they will be created by 'root' and accessible by 'assp' - no problem. But if the access fails at any time, 'assp' will try to fix this - which is only possible to the owner - and fails.

At the end - is this really a problem?

Thomas






Re: fixes in assp 2.5.6 build 17036

Doug Lytle
On 02/05/2017 09:50 AM, Thomas Eckardt wrote:
> At the end - is this really a problem?

Yes; a non-executable file type should not have its execute bit set.
Scripts and programs, yes, but not the .bak nor .txt or even the .db

Code accidentally or maliciously being entered would run.

Just my opinion,

Doug



Re: fixes in assp 2.5.6 build 17036

Thomas Eckardt/eck
OK - I'll recheck this.

Thomas







Re: fixes in assp 2.5.6 build 17036

Thomas Eckardt/eck
In reply to this post by Doug Lytle
One question Doug,

There is a difference between what assp requires to run and what seems to be fine for admins.
Some implementations are using external (r/w) access to files and folders - so I think, giving the group the same rights as the owner seems to be OK - however, this is not really required by assp.

           required    my sugg.    admins like
folders    0700        0770        0777 or 0775
files      0600        0660        0660 or 0666
exec's     0700        0760        0770 or 0750 or 755 or 775 or 0777

Is it OK to remove the public access for all assp components?
Or would it be better to leave the mask untouched, if the existing rights are weaker than required?


Thomas




Re: fixes in assp 2.5.6 build 17036

Colin
Hi Thomas,

For my setup I would be fine with the most strict setting. More security is always better. However, it can be standard practice to have monitoring or maintenance scripts access things with a different user in the same group.

We keep talking about having a web interface to things like the corpus for clients (business continuity in the event their server is offline). That would need access to some files as a different user but I wouldn't want to enable everyone permissions for the reasons cited - accidental or malicious code execution.

My local domains is also generated by an external script that needs access.

I would favour ASSP not altering permissions. If it did not have access to something it needs to run then exit with an error (mysql does this). If it thinks something has too many permissions then complain loudly about it & maybe provide the admin with the ability to specify a list of files which ASSP will not complain about in case they really have a need to leave things less secure.

All the best,
Colin Waring
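
The "report, do not alter" approach proposed in the message above, as an added example that is not ASSP code and not part of the original thread. The mode ceilings come from the "my sugg." column of Thomas's table; treating `.pl`/`.sh` names as "exec's", the exit codes, and passing the exemption list as extra arguments are assumptions.

```python
import os
import stat
import sys

# Ceilings from the "my sugg." column of the table in the thread.
MAX_MODE = {"folder": 0o770, "file": 0o660, "exec": 0o760}
# Assumption: the thread does not say how ASSP tells "exec's" from data files.
EXEC_SUFFIXES = (".pl", ".sh")


def audit(root, allowlist=()):
    """Return sorted (relpath, kind, mode, problem) tuples; never chmod/chown."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced on Linux
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode):
                kind = "folder"
            else:
                kind = "exec" if name.endswith(EXEC_SUFFIXES) else "file"
            mode = stat.S_IMODE(st.st_mode)
            excess = mode & ~MAX_MODE[kind]  # bits set beyond the ceiling
            if not os.access(path, os.R_OK | os.W_OK):
                findings.append((rel, kind, mode, "no access"))
            elif excess and rel not in allowlist:
                findings.append((rel, kind, mode, "excess %04o" % excess))
    return sorted(findings)


def main(argv):
    root, allowlist = (argv[1] if len(argv) > 1 else "."), set(argv[2:])
    findings = audit(root, allowlist)
    for rel, kind, mode, problem in findings:
        print("%-7s %04o %-12s %s" % (kind, mode, problem, rel), file=sys.stderr)
    # "no access" is fatal (exit 2); over-permissive entries only warn (exit 1).
    if any(p == "no access" for _, _, _, p in findings):
        return 2
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```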


Re: fixes in assp 2.5.6 build 17036

Doug Lytle
On 02/06/2017 03:09 AM, cw wrote:
> I would favour ASSP not altering permissions.

I'm with Colin on this one,

Doug

