| 1 |
On Sun, 9 Feb 2014 15:47:59 +0100 |
| 2 |
Sven Vermeulen <sven.vermeulen@××××××.be> wrote: |
| 3 |
|
| 4 |
> After all, it might be as simple as: |
| 5 |
> |
| 6 |
> #v+ |
| 7 |
> use hardened && egroupadd sysfs <username> |
| 8 |
> #v- |
| 9 |
> |
| 10 |
> if egroupadd would exist, that is. I haven't looked in detail at the |
| 11 |
> user.eclass, but that would be all that is needed. |
| 12 |
|
| 13 |
There's no egroupadd, but it's possible to specify additional groups in |
| 14 |
a enewuser call. The eclass-less approach would therefore be: |
| 15 |
|
| 16 |
pkg_setup() { |
| 17 |
local hardened_group="" |
| 18 |
if use hardened ; then |
| 19 |
enewgroup sysfs |
| 20 |
hardened_group=",sysfs" |
| 21 |
fi |
| 22 |
|
| 23 |
enewgroup pcscd |
| 24 |
enewuser pcscd -1 -1 /run/pcscd pcscd${hardened_group} |
| 25 |
} |
| 26 |
|
| 27 |
However, the eclass would have the advantages: |
| 28 |
* single point to rename group or use flag if neccessary |
| 29 |
* ability to notify the user about the whole thing and ask him to add |
| 30 |
proper mount options |
| 31 |
|
| 32 |
If the eclass approach is accepted, I'd propose to name the eclass |
| 33 |
"hardened-utils" - perhaps we need other small helper functions like |
| 34 |
this one in the future. |
| 35 |
|
| 36 |
|
| 37 |
> But again, I think this needs to stage a bit - document it on the |
| 38 |
> wiki, test it out. See if applications still work if they are member |
| 39 |
> of said group without that group being the primary group, etc. |
| 40 |
|
| 41 |
I'll do that. |
| 42 |
|
| 43 |
|
| 44 |
Regards, |
| 45 |
Luis Ressel |
Archives