Michael, thanks for the work-around.

On Thu, Nov 14, 2024 at 20:08:39 +0000, Simon McVittie wrote:
> setfacl -m group:staff:r-x /etc/polkit-1/rules.d
> setfacl -m user:michael:r-x /etc/polkit-1/rules.d
>
> which I believe neither dpkg nor systemd-tmpfiles will interfere with.

That was the first thing I tried, long ago; the access control lists get deleted.

> The big advantage of the increasingly mis-named tmpfiles.d is that it's
> declarative, unlike maintainer scripts, which are imperative code that
> can in principle do absolutely anything, and as a result is difficult
> to analyze or reason about.

Out of curiosity, how do we tell whether it's mis-named or is just being increasingly mis-used?

I like the idea of Debian packages being more declarative, but it seems like something that ought to be handled by dpkg, which could maybe do a better job of respecting areas such as /etc that are meant to be mostly under administrator control (for example, when I've changed a file, I'm prompted about whether to replace it with a new version).

A similar problem came up recently in Debian bug #1074076. The file(s) can't be initially installed with proper ownership, because the owner is a dynamic user and may not exist yet; so the postinst script needed to run "adduser" and "chown", but it'd be nicer to do both declaratively. (It was also noted that checking dpkg-statoverride is a hack.)

> if the upstream- or distro-provided permissions *changed*, that change
> would not be reflected on existing systems (unless applied redundantly
> by imperative code in the maintainer script), and that's maybe bad.

I think all that matters for your stated goal is that the directory is not world-accessible when created. Even that doesn't really matter till an administrator starts to change settings there; the installed list of packages, and their default rules, are publicly available.

-- 
Michael
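A small audit of the two properties the thread turns on: whether a polkit rules directory is world-accessible at all, and whether an ACL entry such as the setfacl grant quoted above is still attached (the thread reports it being deleted). This is an added example, not code from the thread or from polkit/Debian; it assumes the conventional `ls -ld` mode column, with a trailing "+" marking a POSIX ACL.

```shell
#!/bin/sh
# Added example, not from the thread: check a polkit rules directory for
# world-accessibility and for the presence of an ACL. Assumes `ls -ld`
# prints the mode string first ("drwxr-x---", "+" appended when an ACL
# is attached); this is a layout assumption, not a guarantee.

# Print the mode field of `ls -ld` for a path, e.g. "drwxr-x---+".
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -d' ' -f1
}

# Return 0 when "other" users have no r, w or x bit on the directory,
# 1 when any such bit is set, 2 when the path is not a directory.
dir_not_world_accessible() {
    [ -d "$1" ] || return 2
    case "$(mode_string "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when an ACL is attached (the "+" marker), 1 otherwise. This is
# what the quoted setfacl work-around leaves behind, and what Michael
# reports being removed again.
acl_present() {
    case "$(mode_string "$1" | cut -c11)" in
        +) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report; the default path is the directory from the thread.
report_dir() {
    dir=${1:-/etc/polkit-1/rules.d}
    rc=0
    dir_not_world_accessible "$dir" || rc=$?
    case $rc in
        0) echo "$dir: not world-accessible ($(mode_string "$dir"))" ;;
        1) echo "$dir: WORLD-ACCESSIBLE ($(mode_string "$dir"))" ;;
        *) echo "$dir: not a directory"; return 0 ;;
    esac
    if acl_present "$dir"; then
        echo "$dir: ACL entries present (inspect with getfacl)"
    else
        echo "$dir: no ACL entries (any setfacl grant has been dropped)"
    fi
    return 0
}

report_dir "$@"
```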
_______________________________________________
Pkg-utopia-maintainers mailing list
Pkg-utopia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers