Gentoo Archives: gentoo-dev

From: Ulrich Mueller <ulm@g.o>
To: Michael Orlitzky <mjo@g.o>
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] RFC: GLEP81 home directory guidelines
Date: Sat, 17 Aug 2019 08:35:47
In Reply to: [gentoo-dev] RFC: GLEP81 home directory guidelines by Michael Orlitzky
>>>>> On Sat, 17 Aug 2019, Michael Orlitzky wrote:
> 1 Avoid using an ACCT_USER_HOME that belongs to another package.
> 2 No two acct-user packages should define the same ACCT_USER_HOME.
These two points are not fulfilled by the users that currently belong to baselayout. For example, "operator" (and "toor" on BSD) share /root with the root user.
> 3 If your package's configuration needs <username> to be able to
> write to e.g. /var/lib/<username>, then your package's ebuild should
> create that directory and set its ownership and permissions. Barring
> any other considerations, the corresponding acct-user package should
> leave ACCT_USER_HOME at its default (empty) value; setting
> ACCT_USER_HOME=/var/lib/<username> would violate item (1).

> 4 Each user's home directory should be writable by that user. If it
> is not, that indicates that a shared and potentially sensitive
> location was chosen; and the fact that the home directory is not
> writable suggests that the default (empty) ACCT_USER_HOME would
> suffice instead.

> 5 As a corollary of the previous item, it is highly suspicious for
> an acct-user package to set ACCT_USER_HOME_OWNER="root:root".
Again, points 4 and 5 won't be true for several of baselayout's users. For example, "nobody" lives in /var/empty but cannot write to it, and that dir is owned by root. Same for the "sshd" user, which IIRC chroots to /var/empty, but must not (be able to) write to that dir.
> 6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS.
> This would otherwise satisfy item (4), but should never be done for
> security reasons.
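Added example, not part of this thread and not code from acct-user.eclass or the Gentoo tree: items 2 to 6 of the proposed guidelines can be checked mechanically over a set of acct-user ebuilds, and the POSIX sh lint below does that. It is hypothetical in what it assumes: the ACCT_USER_HOME* variables are one-line assignments, ACCT_USER_HOME_PERMS is octal, and the user name is ACCT_USER_NAME if set, otherwise the file name without "-<version>.ebuild". The app1, app2 and app3 ebuilds are constructed for the example; the nobody sample is constructed to mirror the /var/empty, root-owned case Ulrich cites, not the real baselayout or acct-user entry. Running it shows his objection concretely: the rule that flags app3's root:root home also flags the nobody-style entry, so the guideline text needs an exemption for those users.

```shell
#!/bin/sh
# Lint acct-user ebuilds against items 2-6 of the proposed GLEP 81 home
# directory guidelines. Hypothetical tooling, not acct-user.eclass: assumes
# one-line assignments, octal ACCT_USER_HOME_PERMS, and a user name taken
# from ACCT_USER_NAME or from the file name without "-<version>.ebuild".

# get_var NAME FILE: value of the first "NAME=..." line, quotes stripped.
get_var() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d "\"'"
}

# check_acct_user_ebuild FILE: print one finding per line; return 1 if any.
check_acct_user_ebuild() {
    file=$1
    user=$(get_var ACCT_USER_NAME "$file")
    if [ -z "$user" ]; then
        user=$(basename "$file" .ebuild)
        user=${user%%-[0-9]*}
    fi
    home=$(get_var ACCT_USER_HOME "$file")
    owner=$(get_var ACCT_USER_HOME_OWNER "$file")
    perms=$(get_var ACCT_USER_HOME_PERMS "$file")
    rc=0
    # Item 3: /var/lib/<user> is the consuming package's to create; the
    # acct-user package should leave ACCT_USER_HOME empty.
    if [ "$home" = "/var/lib/$user" ]; then
        echo "$file: ACCT_USER_HOME=$home belongs to the consuming package (item 3)"
        rc=1
    fi
    # Items 4 and 5: a home the user cannot write to points at a shared,
    # possibly sensitive location; root:root ownership is the clearest case.
    case $owner in
        '') ;;
        root|root:*)
            echo "$file: ACCT_USER_HOME_OWNER=$owner, not writable by $user (item 5)"
            rc=1 ;;
        "$user"|"$user":*) ;;
        *)
            echo "$file: ACCT_USER_HOME_OWNER=$owner is not $user; default home? (item 4)"
            rc=1 ;;
    esac
    # Item 6: world-writable bit. In octal the low digit holds the "other"
    # bits and write is bit 2, so digits 2, 3, 6 and 7 are world-writable.
    case $perms in
        '') ;;
        *[!0-7]*) echo "$file: ACCT_USER_HOME_PERMS=$perms not octal, not checked" ;;
        *)
            other=${perms#"${perms%?}"}
            case $other in
                2|3|6|7)
                    echo "$file: ACCT_USER_HOME_PERMS=$perms is world-writable (item 6)"
                    rc=1 ;;
            esac ;;
    esac
    return $rc
}

# find_duplicate_homes FILE...: homes claimed by more than one ebuild (item 2).
find_duplicate_homes() {
    for f in "$@"; do
        h=$(get_var ACCT_USER_HOME "$f")
        if [ -n "$h" ]; then printf '%s\n' "$h"; fi
    done | sort | uniq -d
}

# Constructed sample ebuilds (hypothetical packages, not the Gentoo tree).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/app1-0.ebuild" <<'EOF'
# follows the guidelines: home left at its default
ACCT_USER_ID=-1
ACCT_USER_GROUPS=( app1 )
EOF
cat >"$tmp/app2-0.ebuild" <<'EOF'
# claims /var/lib/app2 itself instead of leaving that to its consumer
ACCT_USER_ID=-1
ACCT_USER_HOME=/var/lib/app2
EOF
cat >"$tmp/app3-0.ebuild" <<'EOF'
# reuses app2's home, root-owned and world-writable
ACCT_USER_ID=-1
ACCT_USER_HOME="/var/lib/app2"
ACCT_USER_HOME_OWNER="root:root"
ACCT_USER_HOME_PERMS="0777"
EOF
cat >"$tmp/nobody-0.ebuild" <<'EOF'
# constructed to mirror the baselayout case: /var/empty, owned by root
ACCT_USER_ID=-1
ACCT_USER_HOME=/var/empty
ACCT_USER_HOME_OWNER=root:root
ACCT_USER_HOME_PERMS=0755
EOF

for f in "$tmp"/*.ebuild; do
    check_acct_user_ebuild "$f" || true
done
echo "homes claimed more than once (item 2):"
find_duplicate_homes "$tmp"/*.ebuild
```

app1 passes clean, app2 trips item 3, app3 trips items 5 and 6 and shares its home with app2, and the nobody-style entry trips item 5 while its 0755 mode passes item 6, which is exactly the baselayout exception the reply raises.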


