OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   13-Jan-2003 17:05:52
  Branch: HEAD                             Handle: 2003011316055100

  Modified files:
    openpkg-web             faq.wml

  Log:
    add user/group id stuff

  Summary:
    Revision    Changes     Path
    1.19        +39 -1      openpkg-web/faq.wml
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/faq.wml
  ============================================================================
  $ cvs diff -u -r1.18 -r1.19 faq.wml
  --- openpkg-web/faq.wml       13 Jan 2003 14:34:38 -0000      1.18
  +++ openpkg-web/faq.wml       13 Jan 2003 16:05:51 -0000      1.19
  @@ -315,7 +315,7 @@
   
   <faq id="num-pkgs"
        title="Compared to the 7000 packages in FreeBSD and 9000 packages in Debian 
GNU/Linux
  -            the 400 packages OpenPKG provides look rather tiny?">
  +            the 450 packages OpenPKG provides look rather tiny?">
       If you compare just the number of packages, this is correct. 
       But you are comparing apples with pears here, because:
       <p>
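Review bot: The package count hard-coded in the num-pkgs title (400 changed to 450) is unrelated to the log message "add user/group id stuff" and will go stale again with the next batch of packages. Consider committing it separately, or wording the title so it does not need a bump each time the count changes.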
  @@ -406,6 +406,44 @@
       For building the "<tt>openpkg-*.src.sh</tt>" file, compress(1) is
       still required.  But this build step is a developer only step where
       the extra installation of compress(1) is accepted.
  +</faq>
  +
  +<faq id="uid-security"
  +     title="What is the fuzz about those multiple user/group ids in OpenPKG?">
  +    Since OpenPKG 1.1 the bootstrapping package ("openpkg") requires
  +    four distinct Unix user/group id pairs:
  +    <p>
  +<pre>
  +Name             Option RPM-Macro Default       Example Files Proc. 
  +---------------- ------ --------- ------------- ------- ----- -----
  +super user       --susr %{l_susr} root          root    some  some    
  +super group      --sgrp %{l_sgrp} groupof(susr) wheel   some  some    
  +managing user    --musr %{l_musr} &lt;user&gt;        opkg    most  none    
  +managing group   --mgrp %{l_mgrp} &lt;group&gt;       opkg    most  none    
  +restricted user  --rusr %{l_rusr} &lt;user&gt;-r      opkg-r  some  some    
  +restricted group --rgrp %{l_rgrp} &lt;group&gt;-r     opkg-r  some  some    
  +nobody user      --nusr %{l_nusr} &lt;user&gt;-n      opkg-n  none  most    
  +nobody group     --ngrp %{l_ngrp} &lt;group&gt;-n     opkg-n  none  most    
  +</pre>
  +    <p>
  +    The default values are derived from the options
  +    <tt>--user=&lt;user&gt;</tt> and <tt>--group=&lt;group&gt;</tt>
  +    on the command line of <tt>openpkg-*.src.sh</tt>. For instance,
  +    the "Example" values above are used achieved with <tt>--user=opkg
  +    --group=opkg</tt>. In case of a non-priviledged OpenPKG instance,
  +    the {mrn}{usr,grp} are usually identical.
  +    <p>
  +    For security reasons it is important to treat at least the "managing
  +    user/group" equal to the "super user/group", similar to what has
  +    to be done with the usual Unix "root" and "bin" user/group ids.
  +    The reason mainly is that the "super user/group" executes files
  +    intentionally owned by the "managing user/group".
  +    <p>
  +    Similarily the "restricted user/group" and "nobody user/group"
  +    have to be treated like the usual Unix user/group id "nobody" with
  +    the addition that the OpenPKG "restricted user/group" has little
  +    bit more priviledges than the "nobody user/group" because (mostly
  +    generated) files are also owned by him.
   </faq>
   
   </ol>
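Review bot: The security paragraph of the new uid-security entry gives the reason ("the super user/group executes files intentionally owned by the managing user/group") but never states the consequence, and it should say it outright: whoever can write as the managing user can alter files the super user later runs, so that account needs the same protection as root. The entry also opens with "four distinct Unix user/group id pairs" and then says the {mrn}{usr,grp} ids are usually identical in a non-privileged instance; a sentence on what the separation still provides in that case would remove the apparent contradiction. The {mrn}{usr,grp} shorthand is not explained and is not wrapped in <tt> like the other option names. Wording: "fuzz" should be "fuss", "are used achieved" should be "are achieved", "priviledged" and "priviledges" should be "privileged" and "privileges", "Similarily" should be "Similarly", "has little bit more" needs an "a", and "owned by him" reads better as "owned by it".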
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
