Gentoo Archives: gentoo-dev

From: Michael Orlitzky <mjo@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] RFC: GLEP81 home directory guidelines
Date: Fri, 16 Aug 2019 22:40:53
Message-Id: 1a2868d7-bd4b-cd8c-b51e-6fe994057540@gentoo.org

Pending https://github.com/gentoo/devmanual.gentoo.org/pull/99, I'd like
to get something like this written down.

Please give it a quick read and see if it makes sense, or if I've
overlooked anything. Most of these would just be suggestions, to be
implemented as post-install QA checks or repoman warnings.


== Choosing a home directory ==

GLEP81 changed two aspects of user management:

  1 Creating a user can now modify the permissions on an existing
    directory. Should the need arise, this is necessary for a new
    version of an acct-user package to be able to fix the ownership
    and permissions of its home directory.

  2 All user data aside from the username became non-local to ebuilds
    that depend on that user. This is merely a side-effect of moving
    the user creation out of the client package, and into a separate
    acct-user package.

The first item means that you should be conservative when choosing a
home directory. If at all possible, avoid choosing a home directory
that is used by another package. In particular, no two acct-user
packages should use the same home directory. At best, the ownership
and permissions on a shared home directory would need to be kept
synchronized between all packages that share it. At worst, if one
package goes out-of-sync, it introduces a security hole for the other
packages who no longer have the permissions they expect.

The second item means that if your package requires a user, you can no
longer be sure of that user's home directory or its ownership and
permissions. If your package requires a directory to be owned and
writable by some user, then your package's ebuild should create that
directory and ensure that it is writable by the user. In other words,
you should not rely on the directory being created "transitively," as
one of your acct-user dependencies' home directories, because that
home directory can change.

These considerations motivate the following guidelines for GLEP81 home
directories, all of which can be summarized as,

 ** If the default (empty) value of ACCT_USER_HOME will work, use it. **

Specifically,

  1 Avoid using an ACCT_USER_HOME that belongs to another package.

  2 No two acct-user packages should define the same ACCT_USER_HOME.

  3 If your package's configuration needs <username> to be able to
    write to e.g. /var/lib/<username>, then your package's ebuild should
    create that directory and set its ownership and permissions. Barring
    any other considerations, the corresponding acct-user package should
    leave ACCT_USER_HOME at its default (empty) value; setting
    ACCT_USER_HOME=/var/lib/<username> would violate item (1).

  4 Each user's home directory should be writable by that user. If it
    is not, that indicates that a shared and potentially sensitive
    location was chosen; and the fact that the home directory is not
    writable suggests that the default (empty) ACCT_USER_HOME would
    suffice instead.

  5 As a corollary of the previous item, it is highly suspicious for
    an acct-user package to set ACCT_USER_HOME_OWNER="root:root".

  6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS.
    This would otherwise satisfy item (4), but should never be done for
    security reasons.
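As an added illustration, not code from this RFC, from acct-user.eclass or from repoman, here is a small POSIX shell checker for items (2), (4), (5) and (6), of the kind the post-install QA checks mentioned above could be built on. The user name "larry", the ebuild text, the eclass defaults it assumes (ACCT_USER_HOME_OWNER=user:user and ACCT_USER_HOME_PERMS=0755) and the assumption that a user's primary group carries the user's name are all constructed or assumed for the example. Item (1) is left out because deciding whether a directory belongs to another package needs the installed-files database, not just the ebuild text.

```shell
#!/bin/sh
# Added example, not part of acct-user.eclass, repoman or the RFC above:
# a stand-alone QA check for guidelines (2), (4), (5) and (6). It reads
# the ACCT_USER_* variables the way a post-install check could, without
# sourcing the ebuild (sourcing would run the ebuild's code as the
# checker). The ebuild text and values below are constructed.
#
# Assumptions: the eclass defaults are ACCT_USER_HOME_OWNER=user:user and
# ACCT_USER_HOME_PERMS=0755, and a user's primary group has the same
# name as the user.

# ebuild_var FILE VAR: print the last plain VAR=value assignment in FILE
# with surrounding quotes stripped. Only literal values are understood.
ebuild_var() {
    sed -n "s/^$2=[\"']*\([^\"']*\)[\"']*[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_acct_user USER HOME OWNER PERMS
# Prints one "QA:" line per violated guideline; the exit status is the
# number of warnings, so 0 means clean.
check_acct_user() {
    user=$1 home=$2 owner=$3 perms=$4
    warnings=0

    # The default (empty) home is neither created nor chowned, so there
    # is nothing to check: this is the recommended configuration.
    [ -n "$home" ] || return 0

    [ -n "$owner" ] || owner="$user:$user"   # assumed eclass default
    [ -n "$perms" ] || perms=0755            # assumed eclass default
    owner_user=${owner%%:*}
    owner_group=${owner#*:}
    mode=$(( 0$perms ))   # the leading 0 forces octal inside $(( ))

    # Item (5): root:root ownership means the user cannot own its home.
    if [ "$owner" = root:root ]; then
        echo "QA: $user: ACCT_USER_HOME_OWNER=root:root is highly suspicious"
        warnings=$((warnings + 1))
    fi

    # Item (4): the user needs write access to its home, either as the
    # owning user (mode 0200) or via its primary group (mode 0020).
    user_w=$(( mode & 128 )); group_w=$(( mode & 16 ))
    if ! { [ "$owner_user" = "$user" ] && [ "$user_w" -ne 0 ]; } &&
       ! { [ "$owner_group" = "$user" ] && [ "$group_w" -ne 0 ]; }; then
        echo "QA: $user: $home is not writable by $user (owner=$owner perms=$perms)"
        warnings=$((warnings + 1))
    fi

    # Item (6): the world-writable bit (mode 0002) must never be set.
    if [ $(( mode & 2 )) -ne 0 ]; then
        echo "QA: $user: ACCT_USER_HOME_PERMS=$perms is world-writable"
        warnings=$((warnings + 1))
    fi
    return $warnings
}

# check_ebuild USER FILE: run check_acct_user on the values found in FILE.
check_ebuild() {
    check_acct_user "$1" "$(ebuild_var "$2" ACCT_USER_HOME)" \
        "$(ebuild_var "$2" ACCT_USER_HOME_OWNER)" \
        "$(ebuild_var "$2" ACCT_USER_HOME_PERMS)"
}

# check_duplicate_homes: stdin carries "<acct-user package> <ACCT_USER_HOME>"
# lines; prints every home used by more than one package (item 2). Lines
# with an empty home have a single field and are skipped.
check_duplicate_homes() {
    awk 'NF == 2 { pkgs[$2] = pkgs[$2] " " $1; n[$2]++ }
         END { for (h in n) if (n[h] > 1) print "QA: " h " is shared by" pkgs[h] }'
}

# Demo on constructed ebuild text for a made-up user "larry".
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
EAPI=7
inherit acct-user
ACCT_USER_ID=-1
ACCT_USER_GROUPS=( larry )
ACCT_USER_HOME=/var/lib/larry
ACCT_USER_HOME_OWNER="root:root"
EOF
if check_ebuild larry "$tmp"; then echo "clean"; else echo "$? warning(s)"; fi
rm -f "$tmp"
```

The variables are pulled out with sed rather than by sourcing the ebuild, because sourcing would execute whatever the ebuild contains with the checker's privileges. The client-side half of item (3), creating /var/lib/<username> with keepdir, fowners and fperms in the consuming package's src_install, is not something this checker looks at.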

Replies:

  Re: [gentoo-dev] RFC: GLEP81 home directory guidelines, from "Haelwenn (lanodan) Monnier" <contact@×××××××××.me>
  Re: [gentoo-dev] RFC: GLEP81 home directory guidelines, from Ulrich Mueller <ulm@g.o>