On Mon, Jan 13, 2003 at 05:16:58PM +0100, Ralf S. Engelschall wrote: ... >The general issue with the four user/group ids in OpenPKG I've now >tried to document at http://www.openpkg.org/faq.html#uid-security > >The situation you mention is correct: someone with management user/group >(owner of your OpenPKG instance you specified with --user/--group) >access can reach super user/group access through manipulations of rc >files. But this is similar to the situation of "bin" and "root" in your >Unix system. Because even if the rc files and the rc script itself is >owned and writeable only by "root", this still does not change any >security here. Because the scripts theirself execute files in your >OpenPKG instance and those are owned by the managment user/group ids, >too. Same for your Unix system: if someone is able to reach "bin" he >just needs to change some system commands and wait for the next system >cronjob or system reboot. So, you _HAVE_ to treat the OpenPKG management >user/group equal to "root" when it comes to security.
May I suggest that this would be a bit clearer with some more meaningful names, and roles. I'm still not absolutely clear about the use of the opkg-n user. opkg This is the use/group set that would be used by normal users on the system, and the top level directory would have the appropriate permissions for their use. As an example, if the package were accounting related data that should only be accessible from the accounting group, the top level directory might have 750 permissions restricting access to people in that group. This group would only have write access in the appropriate data areas necessary to run the software. opkg-root This is the manager with full read/write permissions throughout the opkg tree. opkg-devel Developer access which would have read/write access to everything under the %{l_prefix}/RPM tree except for %{l_prefix}/RPM/DB where they would only have read access. The actual user names should probably be opkgroot and opkgdev to prevent problems with user names > 8 characters long. Bill -- INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC UUCP: camco!bill PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 URL: http://www.celestial.com/ ``The best we can hope for concerning the people at large is that they be properly armed.'' -- Alexander Hamilton, The Federalist Papers at 184-188 ______________________________________________________________________ The OpenPKG Project www.openpkg.org Developer Communication List [EMAIL PROTECTED]