Though, reading the implementation…
1. I’m not convinced the database files should be writable by the osquery group
2. umask in the init script feels weird. Can we do this in the code?
theopolis
02/28/2020, 3:32 PM
Yes we can implement the umasking-behavior in code but it seems OK that it's in the systemd unit. Perhaps the only issue is the init script?
What about the next thing? It feels like it’s adding some logic to the start script, which feels weird.
It also means that the socket and the db files have the same meaning
theopolis
02/28/2020, 3:33 PM
expected = a thing that happens maybe
theopolis
02/28/2020, 3:33 PM
there's no permissions boundary between socket and db so that's OK
seph
02/28/2020, 3:34 PM
This is all a weak objection. If people would rather have osquery just respect umask, I’m super opposed. Mostly just feels weird.
theopolis
02/28/2020, 3:37 PM
If people would rather have osquery just respect umask, I’m super opposed.
theopolis
02/28/2020, 3:37 PM
what do you mean?
seph
02/28/2020, 3:37 PM
Exactly the opposite. Clearly too distracted. If people want to just respect umask, I’m onboard.
theopolis
02/28/2020, 3:38 PM
ah ok 🙂
theopolis
02/28/2020, 3:40 PM
I'll just escalate the code review to #CBLGAN1HD ;)
seph
02/28/2020, 3:42 PM
FYI you want @-here, @-channel gets idle people too.