any rules for groupadd in .install files?
hi,

it happens that i'm the current maintainer of the go-hg[1] package in aur.

currently the package installs in /opt/go. go has nice support for installing third-party packages (goinstall), but it's a security risk for people to goinstall these third-party libraries as root. installing the gofiles with group 'go' and setting sgid bit for all (or only affected) directories this security flaw could be avoided (or at least reduced).

so my question is: are there any rules or policies for packages, that call groupadd in the .install files?

i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there somewhere a list with `available' gids?

do you have any other/better idea how to face the problem?

thank you very much in advance!

cheers,
chressie

[1]: http://aur.archlinux.org/packages.php?ID=33695
On 07/16/2010 04:37 PM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695

for aur builds you should use groupadd --system and avoid a static gid

--
Ionuț
On 07/16/2010 07:37 AM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695
>

There is a list of current gid kept on the wiki
http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database

Also search the arch-gen and arch-dev-public ML. There was some discussion on one of them maybe 2-3 months ago
On Fri, Jul 16, 2010 at 3:51 PM, jwbirdsong <jwbirdsong@jwbirdsong.homelinux.com> wrote:
> On 07/16/2010 07:37 AM, Christian Himpel wrote:
>> hi,
>>
>> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>>
>> currently the package installs in /opt/go. go has nice support for
>> installing third-party packages (goinstall), but it's a security risk
>> for people to goinstall these third-party libraries as root.
>> installing the gofiles with group 'go' and setting sgid bit for all
>> (or only affected) directories this security flaw could be avoided (or
>> at least reduced).
>>
>> so my question is: are there any rules or policies for packages, that
>> call groupadd in the .install files?
>>
>> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
>> somewhere a list with `available' gids?
>>
>> do you have any other/better idea how to face the problem?
>>
>> thank you very much in advance!
>>
>> cheers,
>> chressie
>>
>> [1]: http://aur.archlinux.org/packages.php?ID=33695
>>
> There is a list of current gid kep on the wiki
> http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
> Also search the arch-gen and arch-dev-public ML. There was some
> discussion on one of them maybe 2-3 month ago
>

thanks for your answers, i am going to look for the threads.

meanwhile i go for ionuț's solution using groupadd --system

cheers,
chressie
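
The approach the thread settles on (a dynamically allocated system group plus setgid directories), sketched as a pacman .install scriptlet. This is an added example, not part of the thread and not the go-hg package's actual install file; the group name 'go' and /opt/go come from the first post, the helper name `_go_setup` is made up here.

```bash
# Sketch of a pacman .install scriptlet (bash). Group 'go' and /opt/go are
# taken from the thread; the helper name _go_setup is hypothetical.

# Create a system group if it is missing, then make a tree group-writable
# with setgid directories.
_go_setup() {
    local group=$1 root=$2

    # --system lets groupadd pick a free GID from the system range
    # (SYS_GID_MIN..SYS_GID_MAX in /etc/login.defs) instead of hardcoding one.
    # The getent guard keeps the scriptlet idempotent on reinstall/upgrade.
    if ! getent group "$group" >/dev/null; then
        groupadd --system "$group" || return 1
    fi

    # Hand the tree to the group; the owner stays root.
    chgrp -R "$group" "$root" || return 1

    # g+w lets group members write; setgid on a directory makes new files
    # and subdirectories inherit the directory's group rather than the
    # creator's primary group.
    find "$root" -type d -exec chmod g+ws {} +
}

post_install() {
    _go_setup go /opt/go
    echo ">>> add users who may run goinstall to the 'go' group: gpasswd -a USER go"
}

post_upgrade() {
    post_install
}
```

Setgid only propagates the group, so members still need a umask of 002 for what they create to stay group-writable. Passing a narrower directory than /opt/go as the second argument limits what group members can modify.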