Gentoo Archives: gentoo-dev

From: Michael Orlitzky <mjo@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] RFC: GLEP81 home directory guidelines
Date: Fri, 16 Aug 2019 22:40:53
1 Pending, I'd like
2 to get something like this written down.
4 Please give it a quick read and see if it makes sense, or if I've
5 overlooked anything. Most of these would just be suggestions, to be
6 implemented as post-install QA checks or repoman warnings.
9 == Choosing a home directory ==
11 GLEP81 changed two aspects of user management:
13 1 Creating a user can now modify the permissions on an existing
14 directory. Should the need arise, this is necessary for a new
15 version of an acct-user package to be able to fix the ownership
16 and permissions of its home directory
18 2 All user data aside from the username became non-local to ebuilds
19 that depend on that user. This is merely a side-effect of moving
20 the user creation out of the client package, and into a separate
21 acct-user package.
23 The first item means that you should be conservative when choosing a
24 home directory. If at all possible, avoid choosing a home directory
25 that is used by another package. In particular, no two acct-user
26 packages should use the same home directory. At best, the ownership
27 and permissions on a shared home directory would need to be kept
28 synchronized between all packages that share it. At worst, if one
29 package goes out-of-sync, it introduces a security hole for the other
30 packages who no longer have the permissions they expect.
32 The second item means that if your package requires a user, you can no
33 longer be sure of that user's home directory or its ownership and
34 permissions. If your package requires a directory to be owned and
35 writable by some user, then your package's ebuild should create that
36 directory and ensure that it is writable by the user. In other words,
37 you should not rely on the directory being created "transitively," as
38 one of your acct-user dependencies' home directories---because that
39 home directory can change.
41 These considerations motivate the following guidelines for GLEP81 home
42 directories, all of which can be summarized as,
44 ** If the default (empty) value of ACCT_USER_HOME will work, use it. **
46 Specifically,
48 1 Avoid using an ACCT_USER_HOME that belongs to another package.
50 2 No two acct-user packages should define the same ACCT_USER_HOME.
52 3 If your package's configuration needs <username> to be able to
53 write to e.g. /var/lib/<username>, then your package's ebuild should
54 create that directory and set its ownership and permissions. Barring
55 any other considerations, the corresponding acct-user package should
56 leave ACCT_USER_HOME at its default (empty) value; setting
57 ACCT_USER_HOME=/var/lib/<username> would violate item (1).
59 4 Each user's home directory should be writable by that user. If it
60 is not, that indicates that a shared and potentially sensitive
61 location was chosen; and the fact that the home directory is not
62 writable suggests that the default (empty) ACCT_USER_HOME would
63 suffice instead.
65 5 As a corollary of the previous item, it is highly suspicious for
66 an acct-user package to set ACCT_USER_HOME_OWNER="root:root".
68 6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS.
69 This would otherwise satisfy item (4), but should never be done for
70 security reasons.


Subject Author
Re: [gentoo-dev] RFC: GLEP81 home directory guidelines "Haelwenn (lanodan) Monnier" <contact@×××××××××.me>
Re: [gentoo-dev] RFC: GLEP81 home directory guidelines Ulrich Mueller <ulm@g.o>