On Sun, 9 Feb 2014 15:47:59 +0100 Sven Vermeulen <[email protected]> wrote:
> After all, it might be as simple as:
>
> #v+
> use hardened && egroupadd sysfs <username>
> #v-
>
> if egroupadd would exist, that is. I haven't looked in detail at the
> user.eclass, but that would be all that is needed.
There's no egroupadd, but it's possible to specify additional groups in
a enewuser call. The eclass-less approach would therefore be:
# Requires `inherit user` in the ebuild (enewgroup/enewuser come from user.eclass).
pkg_setup() {
	# Supplementary groups for the pcscd user; "sysfs" is appended only
	# when USE=hardened, so the group is created only on hardened installs.
	local hardened_group=""
	if use hardened ; then
		enewgroup sysfs
		hardened_group=",sysfs"
	fi
	enewgroup pcscd
	# enewuser <user> <uid> <shell> <homedir> <groups>: -1 lets the eclass
	# pick a free uid and the default nologin shell; pcscd stays the primary
	# group, sysfs (if any) is supplementary.
	enewuser pcscd -1 -1 /run/pcscd pcscd${hardened_group}
}
However, the eclass would have the advantages:
* single point to rename group or use flag if necessary
* ability to notify the user about the whole thing and ask him to add
proper mount options
If the eclass approach is accepted, I'd propose to name the eclass
"hardened-utils" - perhaps we need other small helper functions like
this one in the future.
> But again, I think this needs to stage a bit - document it on the
> wiki, test it out. See if applications still work if they are member
> of said group without that group being the primary group, etc.
I'll do that.
Regards,
Luis Ressel
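Sven's test question (does the application still work when it is a member of the sysfs group without that group being its primary group?) starts with checking what the account actually ended up with. The script below is an added example, not code from Luis's mail, from user.eclass, or from the pcsc-lite ebuild. It mirrors the group-string logic of the pkg_setup() above (with a plain 0/1 argument standing in for `use hardened`, which only exists inside portage) and then checks, against constructed passwd/group data embedded inline, that a user is a supplementary member of a group and that the group is not the user's primary one. The uids, gids, shell and group names in the sample data are made up.

```bash
#!/bin/bash
# Added example: verify "member of the group, but not as primary group".
# SAMPLE_PASSWD / SAMPLE_GROUP are constructed data; on a real host replace
# them with the output of `getent passwd` and `getent group`.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pcscd:x:102:102::/run/pcscd:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
sysfs:x:200:pcscd
pcscd:x:102:'

# Mirror of the ebuild logic: $1 is the primary group name, $2 is 1 when
# USE=hardened would be set and 0 otherwise. Returns the <groups> argument
# that pkg_setup() hands to enewuser.
supplementary_groups() {
    local base="$1" hardened="$2"
    local extra=""
    [ "$hardened" = 1 ] && extra=",sysfs"
    printf '%s' "$base$extra"
}

# Primary gid of a user, from passwd data.
primary_gid() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# gid of a group, from group data.
group_gid() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# Exit 0 if user $2 is listed in the member field of group $1, else 1.
is_supplementary_member() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" -v u="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Combined check. Returns 0 when the user is a supplementary member of the
# group, 2 when the group is the user's primary group (not what the ebuild
# intends for sysfs), 1 when the user is not a member at all.
check_user_in_group() {
    local user="$1" group="$2"
    if [ "$(primary_gid "$user")" = "$(group_gid "$group")" ]; then
        echo "$group is the primary group of $user"
        return 2
    fi
    if ! is_supplementary_member "$group" "$user"; then
        echo "$user is not a member of $group"
        return 1
    fi
    echo "$user is a supplementary member of $group"
    return 0
}

# Usage: the hardened case yields "pcscd,sysfs", and the sample data places
# pcscd in sysfs as a supplementary member only.
supplementary_groups pcscd 1; echo
check_user_in_group pcscd sysfs
```

On an installed system the same check can be done with `id -nG pcscd` (supplementary groups) against `id -gn pcscd` (primary group); the awk version is here so the check runs against captured passwd/group data without needing the account to exist.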