07-16-2010, 01:37 PM
Christian Himpel

any rules for groupadd in .install files?

hi,

it happens that i'm the current maintainer of the go-hg[1] package in aur.

currently the package installs in /opt/go. go has nice support for
installing third-party packages (goinstall), but it's a security risk
for people to goinstall these third-party libraries as root.
installing the gofiles with group 'go' and setting sgid bit for all
(or only affected) directories this security flaw could be avoided (or
at least reduced).

so my question is: are there any rules or policies for packages, that
call groupadd in the .install files?

i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
somewhere a list with `available' gids?

do you have any other/better idea how to face the problem?

thank you very much in advance!

cheers,
chressie

[1]: http://aur.archlinux.org/packages.php?ID=33695
 
07-16-2010, 01:43 PM
Ionuț Bîru

any rules for groupadd in .install files?

On 07/16/2010 04:37 PM, Christian Himpel wrote:

> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695


for aur builds you should use groupadd --system and avoid a static gid

--
Ionuț
 
07-16-2010, 01:51 PM
jwbirdsong

any rules for groupadd in .install files?

On 07/16/2010 07:37 AM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695
>
There is a list of current gids kept on the wiki
http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
Also search the arch-gen and arch-dev-public ML. There was some
discussion on one of them maybe 2-3 months ago
 
07-16-2010, 02:57 PM
Christian Himpel

any rules for groupadd in .install files?

On Fri, Jul 16, 2010 at 3:51 PM, jwbirdsong
<jwbirdsong@jwbirdsong.homelinux.com> wrote:
> On 07/16/2010 07:37 AM, Christian Himpel wrote:
>> hi,
>>
>> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>>
>> currently the package installs in /opt/go. go has nice support for
>> installing third-party packages (goinstall), but it's a security risk
>> for people to goinstall these third-party libraries as root.
>> installing the gofiles with group 'go' and setting sgid bit for all
>> (or only affected) directories this security flaw could be avoided (or
>> at least reduced).
>>
>> so my question is: are there any rules or policies for packages, that
>> call groupadd in the .install files?
>>
>> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
>> somewhere a list with `available' gids?
>>
>> do you have any other/better idea how to face the problem?
>>
>> thank you very much in advance!
>>
>> cheers,
>> chressie
>>
>> [1]: http://aur.archlinux.org/packages.php?ID=33695
>>
> There is a list of current gids kept on the wiki
> http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
> Also search the arch-gen and arch-dev-public ML. There was some
> discussion on one of them maybe 2-3 months ago
>

thanks for your answers, i am going to look for the threads.

meanwhile i go for ionuț's solution using groupadd --system

cheers,
chressie
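
What the approach settled on in this thread could look like as a pacman .install scriptlet; this is an added example, not part of the original posts and not the go-hg package's actual script. The group name `go` and the prefix `/opt/go` come from the thread, the helper function names are hypothetical, and `post_install`/`post_upgrade`/`post_remove` are the hooks pacman calls as root.

```shell
# Added example: sketch of an .install scriptlet for the setup discussed above.
# Helper names (ensure_system_group, make_group_writable) are hypothetical.

GO_GROUP=go        # group name proposed in the thread
GO_ROOT=/opt/go    # install prefix named in the thread

# Create the group only if it is missing. --system lets groupadd pick a free
# GID from the system range, so no GID is hard-coded in the package.
ensure_system_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd --system "$1"
}

# Hand a tree to a group: group-writable, with setgid on directories so files
# created later inherit the directory's group rather than the creator's
# primary group.
make_group_writable() {
    tree=$1 group=$2
    [ -d "$tree" ] || return 1
    chgrp -R "$group" "$tree" &&
    chmod -R g+w "$tree" &&
    find "$tree" -type d -exec chmod g+s {} +
}

post_install() {
    ensure_system_group "$GO_GROUP" &&
    make_group_writable "$GO_ROOT" "$GO_GROUP"
    echo ">>> add users to group '$GO_GROUP' so they can run goinstall without root"
}

post_upgrade() {
    post_install
}

post_remove() {
    # Remove the group only if it still exists.
    if getent group "$GO_GROUP" >/dev/null 2>&1; then groupdel "$GO_GROUP"; fi
}
```

Anyone in the `go` group can then modify everything under the tree, so membership should be granted as deliberately as sudo rights for that directory would be.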
 
