Hi Alan,
thanks for the more detailed explanation.
On Sun, Aug 29, 2010 at 05:38:06PM -0400, Alan O'Neill wrote:
> Hi Andreas,
>
> To explain further about the directory permission thing, when I built
> the Debian package, I started by running GT.M's 'config' script,
> installing GT.M into the directory /usr/lib/fis-gtm/V5.4-000A_x86. I
> answered the installation questions as follows:
>
> File owner: bin
Because I was not sure about the system user bin myself I asked on
debian-mentors list. I'm hereby quoting the answer[1]:
HELP: No files on my system are owned by user or group bin. What
good are they? Historically they were probably the owners of
binaries in /bin? It is not mentioned in the FHS, Debian Policy, or
the changelogs of base-passwd or base-files.
LSB 1.3 lists bin as legacy, and says: "The 'bin' UID/GID is
included for compatibility with legacy applications. New
applications should no longer use the 'bin' UID/GID."
The Debian Policy Manual also includes a statement about file
permissions and owners in section 10.9:
Files should be owned by root:root, and made writable only by the
owner and universally readable (and executable, if appropriate),
that is mode 644 or 755.
Directories should be mode 755 or (for group-writability) mode
2775. The ownership of the directory should be consistent with its
mode: if a directory is mode 2775, it should be owned by the group
that needs write access to it.
Following this advise I would recommend instead of using user bin
just to create a new system user via
adduser --system gtm
(or some more reasonable user name) and use this one in the installation
questions.
>
> Unicode support: yes
> ICU version: 4.2
> Lower case versions of MUMPS routines: no
>
> The config script sets up the the following directories with 'r-xr-xr-x'
> (i.e. not writable) permissions:
>
> - V5.4-000A_x86
> - V5.4-000A_x86/utf8
> - V5.4-000A_x86/plugin
> - V5.4-000A_x86/plugin/gtmcrypt
> - V5.4-000A_x86/plugin/gtmcrypt/utf8
>
> Additionally, some of these directories contain symbolic links. If I
> build the Debian package and maintain the non-writable permissions on
> the directories, when someone wishes to extract the package (dpkg -x)
> without root privileges,
Do you have any practically relevant case in mind why someone without
root privileges should wish to extract the content of the package
manually?
> they get errors because the directories do not
> have write permission. So what I did was change the permissions on
> these directories to rwxr-xr-x in the Debian package. When the actual
> install occurs, the 'postinst' script does a chmod to put the
> permissions on these directories back to r-xr-xr-x. I took this step
> because Bhaskar had requested that the package be extractable without
> root privileges.
Bhaskar, could you please elaborate more detailed on this requirement?
Perhaps there is another solution for this instead of playing around
with permissions in an unusual way.
> You mentioned that I should not rely on the user ID of any user. I was
> concerned about that too, which is why I placed the two following
> commands at the end of the postinst script:
>
> chown -R --from=0:2 root:$owner "$version"
> chown -R --from=2:2 $owner:$owner "$version"
>
> On my system, the value of '2' is assigned to user bin and the value of
> '0' is assigned to root. (I suspect root is always assigned the value
> of zero, but just in case... :) This way, I ensure that the ownership
> is correct, regardless of the value assigned by a particular system.
If I'm not missleaded only the UID 0 has a special meaning and enables
the user with this ID to superuser powers. *Usually* (but not
necessarily) this user is called root. (IMHO, you can give this user
any name, only the UID is checked - but that's an academical issue). To
my knowledge no other UIDs are guaranteed to have any special meaning
and as written above the use of user name bin is deprecated.
> Regarding 'svn://svn.debian.org/svn/debian-med/trunk/packages/gtm/trunk'
> and the GT.M scripts that I referenced, I wasn't trying to get into too
> much detail about them right now. (I wouldn't mind doing it, but I
> didn't want to muddy the waters.) I was just wondering whether everyone
> was okay with the idea of using update-alternatives to link the Fidelity
> supplied script of '/usr/lib/fis-gtm/V5.4-000A_x86/gtm' to the name
> 'gtm-su' (instead of simply 'gtm').
I personally have no problem with gtm-su. It is just a name and if you
regard it as useful it is fine for me.
> My thought is that since the
> Fidelity supplied script named 'gtm' uses a database that is in the
> user's home directory, it's more similar to a single-user version of
> GT.M (i.e., if the system is setup so different users cannot access each
> others home directory, then effectively GT.M becomes single user). So I
> thought it might be good to rename that script, so to speak, as "gtm-su"
> (single user) and then later publish a script called "gtm" that allows
> users to enter a specific GT.M environment that is accessible to
> multiple users.
Reading this the name sounds reasonable choosen even if I do not finally
understand this signle-/multi- user issue.
> I definitely agree that it's tough with just the postinst script. I'd
> be happy to share more, but I need some help on that front.
> Specifically, I'm wondering what is th
At first you need to ask for a guest account on alioth.debian.org
(development machine for Debian developers) and once you have created
this you should ask for beeing added to the Debian Med project. This
will grant you commit permissions to the SVN mentioned above.
Interesting readings are:
1. Debian Med policy document:
http://debian-med.alioth.debian.org/docs/policy.html
2. Handling of SSH keays on Alioth
http://wiki.debian.org/Alioth/SSH
(provides a problem - solution scenario for the most frequent
problems in accessing Alioth
3. Access of SVN on Alioth
http://wiki.debian.org/Alioth/Svn
alternatively Git (in case you prefer Git over SVN)
http://wiki.debian.org/Alioth/Git
> Thanks much for your thoughtful response. I look forward to hearing
> from you again soon.
Thanks for your work on this
Andreas.
[1] http://lists.debian.org/debian-mentors/2010/08/msg00340.html
--
http://fam-tille.de
--
To UNSUBSCRIBE, email to debian-med-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100830100105.ga28...@an3as.eu
