Michael, thanks for the work-around.

On Thu, Nov 14, 2024 at 20:08:39 +0000, Simon McVittie wrote:
>     setfacl -m group:staff:r-x /etc/polkit-1/rules.d
>     setfacl -m user:michael:r-x /etc/polkit-1/rules.d
> 
> which I believe neither dpkg nor systemd-tmpfiles will interfere with.

That was the first thing I tried, long ago; the access control lists get
deleted.

> The big advantage of the increasingly mis-named tmpfiles.d is that it's
> declarative, unlike maintainer scripts, which are imperative code that
> can in principle do absolutely anything, and as a result is difficult
> to analyze or reason about.

Out of curiosity, how do we tell whether it's mis-named or is just being
increasingly mis-used?

I like the idea of Debian packages being more declarative, but it seems
like something that ought to be handled by dpkg, which could maybe do a
better job of respecting areas such as /etc that are meant to be mostly
under administrator control (for example, when I've changed a file, I'm
prompted about whether to replace it with a new version).

A similar problem came up recently in Debian bug #1074076.  The file(s)
can't be initially installed with proper ownership, because the owner is
a dynamic user and may not exist yet; so the postinst script needed to
run "adduser" and "chown", but it'd be nicer to do both declaratively.
(It was also noted that checking dpkg-statoverride is a hack.)

> if the upstream- or distro-provided permissions *changed*, that change
> would not be reflected on existing systems (unless applied redundantly
> by imperative code in the maintainer script), and that's maybe bad.

I think all that matters for your stated goal is that the directory is
not world-accessible when created.  Even that doesn't really matter till
an administrator starts to change settings there; the installed list of
packages, and their default rules, are publically available.

-- Michael

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Pkg-utopia-maintainers mailing list
Pkg-utopia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers

Reply via email to