On Fri, Jul 16, 2010 at 3:51 PM, jwbirdsong <[email protected]> wrote: > On 07/16/2010 07:37 AM, Christian Himpel wrote: >> hi, >> >> it happens that i'm the current maintainer of the go-hg[1] package in aur. >> >> currently the package installs in /opt/go. go has nice support for >> installing third-party packages (goinstall), but it's a security risk >> for people to goinstall these third-party libraries as root. >> installing the gofiles with group 'go' and setting sgid bit for all >> (or only affected) directories this security flaw could be avoided (or >> at least reduced). >> >> so my question is: are there any rules or policies for packages, that >> call groupadd in the .install files? >> >> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there >> somewhere a list with `available' gids? >> >> do you have any other/better idea how to face the problem? >> >> thank you very much in advance! >> >> cheers, >> chressie >> >> [1]: http://aur.archlinux.org/packages.php?ID=33695 >> > There is a list of current gid kep on the wiki > http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database > Also search the arch-gen and arch-dev-public ML. There was some > discussion on one of them maybe 2-3 month ago >
thanks for your answers, i am going to look for the threads. meanwhile i go for ionuțs solution using groupadd --system cheers, chressie
