On Mon, Jul 15, 2013 at 11:25:39PM -0400, Ted Gould wrote:
> On Mon, 2013-07-15 at 13:31 -0500, Jamie Strandboge wrote:
> > On 07/13/2013 12:15 AM, Ted Gould wrote:
> > > There should be two types of hooks, system and user. System hooks run as the
> > > click package user and are expected to do things that are system wide. User
> > > hooks run as the user installing the program and are meant to set up items in
> > > the user's individual home directory. (Q: Is the click package user enough for
> > > security? Do system hooks need to be root?)
> >
> > From a security point of view, we prefer the system click hooks to run with the
> > least amount of privilege at all times, which is why we recommended a
> > non-privileged click user. This is easy enough for things like unpacking and
> > maintaining things in /opt/click.ubuntu.com/, but some hooks such as the
> > apparmor click hook will need to run as root for at least part of the time (eg
> > to load apparmor policy into the kernel).
>
> Then do you expect the click installer to run as root? Or that the
> apparmor hook would be setuid? How do you expect the permission
> transitions to work?
click runs as root and drops privileges as appropriate.

As for system hooks, how about we add a User field to the hook which
specifies the user name they run as? That would save writing similar
privilege-dropping code in multiple hooks.

-- 
Colin Watson [[email protected]]
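The transition Colin describes (click starts as root, a hook runs as a named unprivileged user) is the part that is easy to get subtly wrong, so here is an added Python sketch of it. This is illustrative code, not click's own implementation: the `User:` field is the hypothetical one proposed above, the hook text is a constructed sample modelled on the `Key: value` layout of click's hook files, and `FakeIds` exists only so the ordering logic can be exercised without root. The security-relevant details it shows are that supplementary groups and the gid must be changed before the uid (once `setuid()` has run, those calls are no longer permitted), that the drop is verified rather than assumed, and that the process checks it cannot climb back to uid 0.

```python
"""Run a click system hook as the user named in its (hypothetical) User field.

Added example for the thread above, not click's own code.
"""
import os
import pwd
import grp
import shlex
import subprocess

# Constructed sample hook; Pattern/Exec follow click's Key: value hook layout,
# User is the field proposed in the message and does not exist in real click.
SAMPLE_HOOK = """\
# constructed sample, modelled on /usr/share/click/hooks/*.hook
Pattern: /var/lib/apparmor/clicks/${id}.json
Exec: /usr/bin/aa-clickhook
User: clickpkg
"""


def parse_hook(text):
    """Parse `Key: value` lines into a dict; blank and comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed hook line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def resolve_user(name):
    """Look up uid, primary gid and the full supplementary group list for a user."""
    pw = pwd.getpwnam(name)
    extra = [g.gr_gid for g in grp.getgrall() if name in g.gr_mem]
    return pw.pw_uid, pw.pw_gid, sorted(set(extra + [pw.pw_gid]))


def drop_privileges(uid, gid, groups, syscalls=os):
    """Irreversibly drop from root to uid/gid/groups.

    `syscalls` is the module providing getuid/getgid/setgroups/setgid/setuid;
    it defaults to os and is parameterised only so the ordering can be tested.
    """
    if uid == 0:
        raise ValueError("refusing to run a hook as root")
    if syscalls.getuid() != 0:
        raise PermissionError("must start as root to change user")
    # Order matters: groups and gid first, while we are still root.
    syscalls.setgroups(groups)
    syscalls.setgid(gid)
    syscalls.setuid(uid)  # as root this sets real, effective and saved uid
    if syscalls.getuid() != uid or syscalls.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    # Confirm the drop is permanent: regaining root must fail.
    try:
        syscalls.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop was reversible")


def run_hook(fields, extra_args=()):
    """Exec the hook's command with privileges dropped in the child, before exec."""
    user = fields.get("User")
    if user is None:
        raise ValueError("hook has no User field")
    uid, gid, groups = resolve_user(user)
    cmd = shlex.split(fields["Exec"]) + list(extra_args)
    return subprocess.call(cmd, preexec_fn=lambda: drop_privileges(uid, gid, groups))


class FakeIds:
    """Minimal stand-in for os that records the id-changing calls in order."""

    def __init__(self, uid=0, gid=0):
        self.uid, self.gid, self.calls = uid, gid, []

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))
        self.gid = gid

    def setuid(self, uid):
        # Mirror the kernel rule: only root may switch to a different uid.
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("not permitted")
        self.calls.append(("setuid", uid))
        self.uid = uid
```

`run_hook` needs a real root process and a real `User:` account to do anything; the rest runs anywhere and is what you would unit-test. A hook that needs root for only part of its work (the apparmor case Jamie mentions) would split that part out rather than skipping the drop, since the drop is one-way by design.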

