| 1 |
Pending https://github.com/gentoo/devmanual.gentoo.org/pull/99, I'd like |
| 2 |
to get something like this written down. |
| 3 |
|
| 4 |
Please give it a quick read and see if it makes sense, or if I've |
| 5 |
overlooked anything. Most of these would just be suggestions, to be |
| 6 |
implemented as post-install QA checks or repoman warnings. |
| 7 |
|
| 8 |
|
| 9 |
== Choosing a home directory == |
| 10 |
|
| 11 |
GLEP81 changed two aspects of user management: |
| 12 |
|
| 13 |
1 Creating a user can now modify the permissions on an existing |
| 14 |
directory. Should the need arise, this is necessary for a new |
| 15 |
version of an acct-user package to be able to fix the ownership |
| 16 |
and permissions of its home directory |
| 17 |
|
| 18 |
2 All user data aside from the username became non-local to ebuilds |
| 19 |
that depend on that user. This is merely a side-effect of moving |
| 20 |
the user creation out of the client package, and into a separate |
| 21 |
acct-user package. |
| 22 |
|
| 23 |
The first item means that you should be conservative when choosing a |
| 24 |
home directory. If at all possible, avoid choosing a home directory |
| 25 |
that is used by another package. In particular, no two acct-user |
| 26 |
packages should use the same home directory. At best, the ownership |
| 27 |
and permissions on a shared home directory would need to be kept |
| 28 |
synchronized between all packages that share it. At worst, if one |
| 29 |
package goes out-of-sync, it introduces a security hole for the other |
| 30 |
packages who no longer have the permissions they expect. |
| 31 |
|
| 32 |
The second item means that if your package requires a user, you can no |
| 33 |
longer be sure of that user's home directory or its ownership and |
| 34 |
permissions. If your package requires a directory to be owned and |
| 35 |
writable by some user, then your package's ebuild should create that |
| 36 |
directory and ensure that it is writable by the user. In other words, |
| 37 |
you should not rely on the directory being created "transitively," as |
| 38 |
one of your acct-user dependencies' home directories---because that |
| 39 |
home directory can change. |
| 40 |
|
| 41 |
These considerations motivate the following guidelines for GLEP81 home |
| 42 |
directories, all of which can be summarized as, |
| 43 |
|
| 44 |
** If the default (empty) value of ACCT_USER_HOME will work, use it. ** |
| 45 |
|
| 46 |
Specifically, |
| 47 |
|
| 48 |
1 Avoid using an ACCT_USER_HOME that belongs to another package. |
| 49 |
|
| 50 |
2 No two acct-user packages should define the same ACCT_USER_HOME. |
| 51 |
|
| 52 |
3 If your package's configuration needs <username> to be able to |
| 53 |
write to e.g. /var/lib/<username>, then your package's ebuild should |
| 54 |
create that directory and set its ownership and permissions. Barring |
| 55 |
any other considerations, the corresponding acct-user package should |
| 56 |
leave ACCT_USER_HOME at its default (empty) value; setting |
| 57 |
ACCT_USER_HOME=/var/lib/<username> would violate item (1). |
| 58 |
|
| 59 |
4 Each user's home directory should be writable by that user. If it |
| 60 |
is not, that indicates that a shared and potentially sensitive |
| 61 |
location was chosen; and the fact that the home directory is not |
| 62 |
writable suggests that the default (empty) ACCT_USER_HOME would |
| 63 |
suffice instead. |
| 64 |
|
| 65 |
5 As a corollary of the previous item, it is highly suspicious for |
| 66 |
an acct-user package to set ACCT_USER_HOME_OWNER="root:root". |
| 67 |
|
| 68 |
6 The world-writable bit should never be set in ACCT_USER_HOME_PERMS. |
| 69 |
This would otherwise satisfy item (4), but should never be done for |
| 70 |
security reasons. |
Archives