>>>>> On Sat, 17 Aug 2019, Michael Orlitzky wrote:

> 1 Avoid using an ACCT_USER_HOME that belongs to another package.

> 2 No two acct-user packages should define the same ACCT_USER_HOME.

These two points are not fulfilled by the users that currently belong
to baselayout. For example, "operator" (and "toor" on BSD) share /root
with the root user.

> 3 If your package's configuration needs <username> to be able to
> write to e.g. /var/lib/<username>, then your package's ebuild should
> create that directory and set its ownership and permissions. Barring
> any other considerations, the corresponding acct-user package should
> leave ACCT_USER_HOME at its default (empty) value; setting
> ACCT_USER_HOME=/var/lib/<username> would violate item (1).

> 4 Each user's home directory should be writable by that user. If it
> is not, that indicates that a shared and potentially sensitive
> location was chosen; and the fact that the home directory is not
> writable suggests that the default (empty) ACCT_USER_HOME would
> suffice instead.

> 5 As a corollary of the previous item, it is highly suspicious for
> an acct-user package to set ACCT_USER_HOME_OWNER="root:root".

Again, points 4 and 5 won't be true for several of baselayout's users.
For example, "nobody" lives in /var/empty but cannot write to it, and
that dir is owned by root.

Same for the "sshd" user, which IIRC chroots to /var/empty, but must
not (be able to) write to that dir.

> 6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS.
> This would otherwise satisfy item (4), but should never be done for
> security reasons.
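As an added example (not code from this thread or from the acct-user eclass), a small Python lint that applies items 2, 4, 5 and 6 to constructed acct-user declarations; the variable defaults, the package names and the declarations themselves are assumptions, chosen to mirror the "nobody" and "sshd" counterexamples from the mail.

```python
import stat
from dataclasses import dataclass

@dataclass
class AcctUser:
    """One acct-user package reduced to the variables the guidelines discuss (defaults assumed)."""
    pkg: str                 # e.g. "acct-user/nobody" (constructed name)
    user: str
    group: str
    home: str = ""           # ACCT_USER_HOME; "" = eclass default, no directory installed
    home_owner: str = ""     # ACCT_USER_HOME_OWNER as "user:group"; "" = assumed user:group
    home_perms: int = 0o755  # ACCT_USER_HOME_PERMS (assumed default)

def home_writable_by_user(u):
    """Item 4: can the account itself write to its own home directory?"""
    owner, _, group = (u.home_owner or f"{u.user}:{u.group}").partition(":")
    if owner == u.user:
        return bool(u.home_perms & stat.S_IWUSR)
    if group == u.group:
        return bool(u.home_perms & stat.S_IWGRP)
    return bool(u.home_perms & stat.S_IWOTH)

def lint(users):
    """Return {pkg: [violations]} for items 2, 4, 5, 6; items 1 and 3 need other packages' file lists."""
    findings = {u.pkg: [] for u in users}
    by_home = {}
    for u in users:
        if u.home:
            by_home.setdefault(u.home, []).append(u.pkg)
    for u in users:
        if not u.home:
            continue  # default (empty) ACCT_USER_HOME: nothing to check
        others = [p for p in by_home[u.home] if p != u.pkg]
        if others:
            findings[u.pkg].append(f"item 2: {u.home} also set by {', '.join(others)}")
        if not home_writable_by_user(u):
            findings[u.pkg].append("item 4: home directory not writable by the user")
        if u.home_owner == "root:root":
            findings[u.pkg].append("item 5: ACCT_USER_HOME_OWNER=root:root")
        if u.home_perms & stat.S_IWOTH:
            findings[u.pkg].append("item 6: world-writable ACCT_USER_HOME_PERMS")
    return findings

def sample_users():
    """Constructed declarations mirroring the mail's baselayout counterexamples."""
    return [
        AcctUser("acct-user/nobody", "nobody", "nobody", "/var/empty", "root:root"),
        AcctUser("acct-user/sshd", "sshd", "sshd", "/var/empty", "root:root"),
        AcctUser("acct-user/foo", "foo", "foo", "/var/lib/foo", "", 0o777),  # item 6 case
        AcctUser("acct-user/bar", "bar", "bar"),  # default home: passes every check
    ]
```

Running `lint(sample_users())` flags "nobody" and "sshd" on items 2, 4 and 5, exactly the properties the mail points out for baselayout's users.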