1 |
Pending https://github.com/gentoo/devmanual.gentoo.org/pull/99, I'd like |
2 |
to get something like this written down. |
3 |
|
4 |
Please give it a quick read and see if it makes sense, or if I've |
5 |
overlooked anything. Most of these would just be suggestions, to be |
6 |
implemented as post-install QA checks or repoman warnings. |
7 |
|
8 |
|
9 |
== Choosing a home directory == |
10 |
|
11 |
GLEP81 changed two aspects of user management: |
12 |
|
13 |
1 Creating a user can now modify the permissions on an existing |
14 |
directory. Should the need arise, this is necessary for a new |
15 |
version of an acct-user package to be able to fix the ownership |
16 |
and permissions of its home directory |
17 |
|
18 |
2 All user data aside from the username became non-local to ebuilds |
19 |
that depend on that user. This is merely a side-effect of moving |
20 |
the user creation out of the client package, and into a separate |
21 |
acct-user package. |
22 |
|
23 |
The first item means that you should be conservative when choosing a |
24 |
home directory. If at all possible, avoid choosing a home directory |
25 |
that is used by another package. In particular, no two acct-user |
26 |
packages should use the same home directory. At best, the ownership |
27 |
and permissions on a shared home directory would need to be kept |
28 |
synchronized between all packages that share it. At worst, if one |
29 |
package goes out-of-sync, it introduces a security hole for the other |
30 |
packages who no longer have the permissions they expect. |
31 |
|
32 |
The second item means that if your package requires a user, you can no |
33 |
longer be sure of that user's home directory or its ownership and |
34 |
permissions. If your package requires a directory to be owned and |
35 |
writable by some user, then your package's ebuild should create that |
36 |
directory and ensure that it is writable by the user. In other words, |
37 |
you should not rely on the directory being created "transitively," as |
38 |
one of your acct-user dependencies' home directories---because that |
39 |
home directory can change. |
40 |
|
41 |
These considerations motivate the following guidelines for GLEP81 home |
42 |
directories, all of which can be summarized as, |
43 |
|
44 |
** If the default (empty) value of ACCT_USER_HOME will work, use it. ** |
45 |
|
46 |
Specifically, |
47 |
|
48 |
1 Avoid using an ACCT_USER_HOME that belongs to another package. |
49 |
|
50 |
2 No two acct-user packages should define the same ACCT_USER_HOME. |
51 |
|
52 |
3 If your package's configuration needs <username> to be able to |
53 |
write to e.g. /var/lib/<username>, then your package's ebuild should |
54 |
create that directory and set its ownership and permissions. Barring |
55 |
any other considerations, the corresponding acct-user package should |
56 |
leave ACCT_USER_HOME at its default (empty) value; setting |
57 |
ACCT_USER_HOME=/var/lib/<username> would violate item (1). |
58 |
|
59 |
4 Each user's home directory should be writable by that user. If it |
60 |
is not, that indicates that a shared and potentially sensitive |
61 |
location was chosen; and the fact that the home directory is not |
62 |
writable suggests that the default (empty) ACCT_USER_HOME would |
63 |
suffice instead. |
64 |
|
65 |
5 As a corollary of the previous item, it is highly suspicious for |
66 |
an acct-user package to set ACCT_USER_HOME_OWNER="root:root". |
67 |
|
68 |
6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS. |
69 |
This would otherwise satisfy item (4), but should never be done for |
70 |
security reasons. |