On Wed, Jan 18, 2012 at 9:11 AM, Simon Josefsson <[email protected]> wrote:
...
> Thanks for help!  I'm not sure we need a group, typically these files
> are never written by the yhsm-ksmsrv process, only read.  So the user
> can use u=r permissions and root can put the files under some other
> group with write permissions?

I'm not sure how Debian defaults should be decided in a case like
this, but I think there is cause for groups.

For yubikey-ksm, we use a group shared with a provisioning system for
new AEAD files (credentials). We do not want to run that provisioning
system as root.

For yubikey-val, there is a SQLite database with OATH credentials. I
think it is quite possible that you would want to use for example a
web service to add records to this SQLite database. Again, running as
non-root so a shared group seems appropriate.

Of course, if adding groups is frowned upon, the package could add a
user without a group and this could be a manual step performed if
needed by the administrator.

> Perhaps we should also align the username with the directory basename in
> /var/cache?  It seems confusing to have the username be separate from
> the basename of the home directory.

... or maybe it is the directory names that should be aligned. I chose
the yhsm- usernames to make it more apparent which package installed
them. Maybe "yubikey-ksm" is more explanatory than "yhsm-ksmsrv"
though... I have no strong opinion either way.

> I don't see any need for a shell, right Fredrik?

No, that's probably an unfortunate remain from development when I
wanted to 'su' to the service user. Just figured out you could do
'sudo -u user bash' though, so I'll get by with fewer shells from here
on =).

/Fredrik



--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to