Linux Archive


Christian Himpel 07-16-2010 01:37 PM

any rules for groupadd in .install files?
 
hi,

it happens that i'm the current maintainer of the go-hg[1] package in aur.

currently the package installs in /opt/go. go has nice support for
installing third-party packages (goinstall), but it's a security risk
for people to goinstall these third-party libraries as root.
installing the gofiles with group 'go' and setting sgid bit for all
(or only affected) directories this security flaw could be avoided (or
at least reduced).

so my question is: are there any rules or policies for packages, that
call groupadd in the .install files?

i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
somewhere a list with `available' gids?

do you have any other/better idea how to face the problem?

thank you very much in advance!

cheers,
chressie

[1]: http://aur.archlinux.org/packages.php?ID=33695

Ionuț Bîru 07-16-2010 01:43 PM

any rules for groupadd in .install files?
 
On 07/16/2010 04:37 PM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695


for aur builds you should use groupadd --system and avoid a static gid

--
Ionuț

jwbirdsong 07-16-2010 01:51 PM

any rules for groupadd in .install files?
 
On 07/16/2010 07:37 AM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695
>
There is a list of current gid kept on the wiki
http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
Also search the arch-gen and arch-dev-public ML. There was some
discussion on one of them maybe 2-3 months ago

Christian Himpel 07-16-2010 02:57 PM

any rules for groupadd in .install files?
 
On Fri, Jul 16, 2010 at 3:51 PM, jwbirdsong
<jwbirdsong@jwbirdsong.homelinux.com> wrote:
> On 07/16/2010 07:37 AM, Christian Himpel wrote:
>> hi,
>>
>> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>>
>> currently the package installs in /opt/go. go has nice support for
>> installing third-party packages (goinstall), but it's a security risk
>> for people to goinstall these third-party libraries as root.
>> installing the gofiles with group 'go' and setting sgid bit for all
>> (or only affected) directories this security flaw could be avoided (or
>> at least reduced).
>>
>> so my question is: are there any rules or policies for packages, that
>> call groupadd in the .install files?
>>
>> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
>> somewhere a list with `available' gids?
>>
>> do you have any other/better idea how to face the problem?
>>
>> thank you very much in advance!
>>
>> cheers,
>> chressie
>>
>> [1]: http://aur.archlinux.org/packages.php?ID=33695
>>
> There is a list of current gid kept on the wiki
> http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
> Also search the arch-gen and arch-dev-public ML. There was some
> discussion on one of them maybe 2-3 months ago
>

thanks for your answers, i am going to look for the threads.

meanwhile i go for ionuț's solution using groupadd --system

cheers,
chressie
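
The approach settled on in this thread, sketched as a package `.install` file. This is an added example, not part of the original posts and not the go-hg package's actual file; the group name `go` and the prefix `/opt/go` come from the thread, while the helper function names are hypothetical.

```bash
# Added example: .install sketch for a package that shares /opt/go with a
# dedicated group instead of requiring root for goinstall.
# Assumptions: GO_GROUP and GO_ROOT follow the thread; helper names are made up.

GO_GROUP=go
GO_ROOT=/opt/go

# Create the group only if it is missing. --system lets groupadd pick a free
# GID from the system range, so no static GID is hard-coded in the package.
ensure_system_group() {
    getent group "$1" >/dev/null 2>&1 && return 0
    groupadd --system "$1"
}

# Hand a tree to a group: $1 = group (name or numeric GID), $2 = directory.
# Directories become group-writable and setgid, so files created later by
# group members inherit the group instead of the creator's primary group.
share_tree_with_group() {
    [ -d "$2" ] || return 1
    chgrp -R -- "$1" "$2"
    find "$2" -type d -exec chmod g+ws {} +
}

# pacman calls these hooks as root after installing or upgrading the package.
post_install() {
    ensure_system_group "$GO_GROUP" && share_tree_with_group "$GO_GROUP" "$GO_ROOT"
    echo "Add users to the '$GO_GROUP' group to let them run goinstall without root."
}

post_upgrade() {
    post_install
}
```

Membership in the group grants write access to everything under the prefix, so it should be given only to accounts trusted to change the shared Go tree.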

