From Fedora Project Wiki
(Created page with "=== File Permissions === Permissions on files must be set properly. Inside of /usr, files should be owned by root:root unless a more specific user or group is needed for secu...")
 
 
Line 1: Line 1:
 
=== File Permissions ===
 
=== File Permissions ===
  
Permissions on files must be set properly. Inside of /usr, files should be owned by root:root unless a more specific user or group is needed for security . They must be universally readable (and executable if appropriate). Outside of /usr, non-config and non-state files should be owned by root:root, universally readable (and executable if appropriate) unless circumstances require otherwise.
+
Permissions on files MUST be set properly. Inside of /usr, files should be owned by root:root unless a more specific user or group is needed for security . They MUST be universally readable (and executable if appropriate). Outside of /usr, non-config and non-state files SHOULD be owned by root:root, universally readable (and executable if appropriate) unless circumstances require otherwise.
  
Default file mode is 0644 or 0755. Directories should be mode 0755. Most well behaved build scripts and rpm will use these defaults. If the directory needs to be group writable, it should also have the setgid bit set so that files written there are owned by that group. These directories should have mode 2775.
+
The default file mode is 0644 or 0755. Directories SHOULD be mode 0755. Most well behaved build scripts and rpm will use these defaults. If the directory needs to be group writable, it SHOULD also have the setgid bit set so that files written there are owned by that group. These directories SHOULD have mode 2775.
  
Deviations from the default ownership or mode must be justified and documented in the specfile.
+
The <code>%defattr</code> directive in the %files list SHOULD ONLY be used when setting a non-default value, or to reset to the default value after having set a non-default value.
 
 
In the past (pre rpm 4.4), it was necessary to have a <code>%defattr</code> section at the beginning of each <code>%files</code> section, but this is now the default and no longer necessary to explicitly include.
 

Latest revision as of 16:36, 3 October 2016

File Permissions

Permissions on files MUST be set properly. Inside of /usr, files should be owned by root:root unless a more specific user or group is needed for security . They MUST be universally readable (and executable if appropriate). Outside of /usr, non-config and non-state files SHOULD be owned by root:root, universally readable (and executable if appropriate) unless circumstances require otherwise.

The default file mode is 0644 or 0755. Directories SHOULD be mode 0755. Most well behaved build scripts and rpm will use these defaults. If the directory needs to be group writable, it SHOULD also have the setgid bit set so that files written there are owned by that group. These directories SHOULD have mode 2775.

The %defattr directive in the %files list SHOULD ONLY be used when setting a non-default value, or to reset to the default value after having set a non-default value.