On Fri, Jan 24, 2003 at 10:11:52AM +0100, Ralf S. Engelschall wrote:
>On Fri, Jan 24, 2003, [EMAIL PROTECTED] wrote:
>
>> while being a nice idea I am not 100% convinced that introducing the
>> three openpkg users gains much more than it costs.
>
...
>> Especially when using openpkg to employ daemons (like apache, postfix,...)
>> it starts to become an annoyance to have the special openpkg users.
>> (Without root permissions it is difficult to give the directories correct
>> ownership when installing an openpkg rpm)
>
>That's the reason why the _general_ rule in OpenPKG is: build as the
>management user (%{l_musr}, in your case "cw") and install as the super
>user (%{l_susr}, in usually all cases "root"). But this has nothing
>to do with the extra restricted and nobody user/group ids. This is
>just inherently necessary because daemons have setuid and other stuff
>which just require super user privileges. So, sure, for things like
>Postfix it is _always_ necessary to install as root to result in correct
>ownerships, etc.

Wouldn't it then make sense with these general rules to have the
%{l_prefix}/RPM/{SRC,TMP,PKG} directories owned by %{l_musr},%{l_mgrp} and
everything else by %{l_susr},%{l_sgrp}?  As it is now with the default
ownership of the openpkg hierarchy the management user, developers can
write into the installation areas, accidentally nuking things just as in
the traditional RPM environment when everybody builds as root.

I've found some interesting bugs in my old RPM spec files while converting
to openpkg where I've changed things in the underlying system accidentally.
On the other hand, I've missed a few where I was able to write into the
openpkg working (install destination) directories while building as the
management user.

This ties back to my question last week about the security implications of
running package rc.%{name} files which are writeable by users other than
root.  If the working directories are owned by %{l_susr} (defaulting to
root), this goes a long way towards securing these scripts.  A further step
would be for the etc/rc script to check the ownership of any files, and
their directory components running with root privileges to ensure that
they're only writeable by %{l_susr}.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``We believe...that a mugger will kill you in the half-second it takes to
draw from the holster, but won't harm you while you dial the police on your
cell phone, talk to the dispatcher and wait half an hour for officers to
arrive.'' -- Gun-Control Net-work Credo
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   [EMAIL PROTECTED]
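The ownership check proposed for etc/rc in the message above, written out as an added example that is not OpenPKG's own code: check_rc_trust walks from an rc.%{name} script up through every directory component and reports any that is not owned by the expected super user or is writable by group or other. The function name, the optional TOP argument (where to stop walking, e.g. %{l_prefix}) and the sample paths are assumptions.

```shell
#!/bin/sh
# check_rc_trust FILE USER [TOP]
# Returns 0 when FILE and every directory on the path up to TOP (default /)
# are owned by USER and carry no group/other write bit; otherwise prints each
# offending component and returns 1.  A root-run rc script is only as
# trustworthy as the least protected directory leading to it, so a single
# group-writable parent directory is enough to fail the check.
# Symlinks are inspected as links, not as their targets (find without -L).
check_rc_trust() {
    file=$1
    owner=$2
    top=${3:-/}
    status=0
    # An unknown user would make "find ! -user" error out and print nothing,
    # which would look like a pass; refuse up front instead.
    id "$owner" >/dev/null 2>&1 || { echo "unknown user: $owner"; return 2; }
    case $file in
        /*) p=$file ;;
        *)  p=$(pwd)/$file ;;
    esac
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    while :; do
        # -prune stops find from descending into directories; the path is
        # printed only when it fails the test (POSIX -user / -perm -octal).
        if [ -n "$(find "$p" -prune ! -user "$owner" -print 2>/dev/null)" ]; then
            echo "not owned by $owner: $p"
            status=1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
            echo "group/other writable: $p"
            status=1
        fi
        # Stop after inspecting TOP itself (or the filesystem root).
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $status
}
```

Run it from etc/rc as `check_rc_trust "%{l_prefix}/etc/rc.d/rc.$pkg" "%{l_susr}" "%{l_prefix}" || skip the script`; without TOP it walks all the way to /, so a world-writable location such as /tmp correctly fails.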
