| 1 |
>>>>> On Sat, 17 Aug 2019, Michael Orlitzky wrote: |
| 2 |
|
| 3 |
> 1 Avoid using an ACCT_USER_HOME that belongs to another package. |
| 4 |
|
| 5 |
> 2 No two acct-user packages should define the same ACCT_USER_HOME. |
| 6 |
|
| 7 |
These two points are not fulfilled by the users that currently belong |
| 8 |
to baselayout. For example, "operator" (and "toor" on BSD) share /root |
| 9 |
with the root user. |
| 10 |
|
| 11 |
> 3 If your package's configuration needs <username> to be able to |
| 12 |
> write to e.g. /var/lib/<username>, then your package's ebuild should |
| 13 |
> create that directory and set its ownership and permissions. Barring |
| 14 |
> any other considerations, the corresponding acct-user package should |
| 15 |
> leave ACCT_USER_HOME at its default (empty) value; setting |
| 16 |
> ACCT_USER_HOME=/var/lib/<username> would violate item (1). |
| 17 |
|
| 18 |
> 4 Each user's home directory should be writable by that user. If it |
| 19 |
> is not, that indicates that a shared and potentially sensitive |
| 20 |
> location was chosen; and the fact that the home directory is not |
| 21 |
> writable suggests that the default (empty) ACCT_USER_HOME would |
| 22 |
> suffice instead. |
| 23 |
|
| 24 |
> 5 As a corollary of the previous item, it is highly suspicious for |
| 25 |
> an acct-user package to set ACCT_USER_HOME_OWNER="root:root". |
| 26 |
|
| 27 |
Again, points 4 and 5 won't be true for several of baselayout's users. |
| 28 |
For example, "nobody" lives in /var/empty but cannot write to it, and |
| 29 |
that dir is owned by root. |
| 30 |
|
| 31 |
Same for the "sshd" user, which IIRC chroots to /var/empty, but must |
| 32 |
not (be able to) write to that dir. |
| 33 |
|
| 34 |
> 6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS. |
| 35 |
> This would otherwise satisfy item (4), but should never be done for |
| 36 |
> security reasons. |
Archives