On Sun, 9 Feb 2014 15:47:59 +0100
Sven Vermeulen <sven.vermeulen@××××××.be> wrote:

> After all, it might be as simple as:
> 
> #v+
> use hardened && egroupadd sysfs <username>
> #v-
> 
> if egroupadd would exist, that is. I haven't looked in detail at the
> user.eclass, but that would be all that is needed.

There's no egroupadd, but it's possible to specify additional groups in
an enewuser call. The eclass-less approach would therefore be:

pkg_setup() {
	# Supplementary groups for the pcscd user; empty unless USE=hardened.
	local hardened_group=""
	if use hardened ; then
		# The sysfs group only exists (and only matters) on hardened systems.
		enewgroup sysfs
		hardened_group=",sysfs"
	fi

	enewgroup pcscd
	# enewuser <name> <uid> <shell> <home> <groups>: -1 picks the next free
	# uid and the default no-login shell; primary group pcscd, plus sysfs
	# as a supplementary group when hardened_group is set.
	enewuser pcscd -1 -1 /run/pcscd pcscd${hardened_group}
}

However, the eclass would have these advantages:
* single point to rename group or use flag if necessary
* ability to notify the user about the whole thing and ask him to add
proper mount options

If the eclass approach is accepted, I'd propose to name the eclass
"hardened-utils" - perhaps we need other small helper functions like
this one in the future.


> But again, I think this needs to stage a bit - document it on the
> wiki, test it out. See if applications still work if they are member
> of said group without that group being the primary group, etc.

I'll do that.


Regards,
Luis Ressel
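Added example, not part of the mail above and not code from Gentoo's user.eclass: a small bash check for the test Sven asks for, i.e. whether a service user holds a group as a supplementary group rather than as its primary group. It works on /etc/passwd and /etc/group contents passed in as strings, so it can be run offline against constructed data; the user and group names, uids and gids in the sample below are made up and only mirror what the pkg_setup() snippet would create.

```bash
#!/bin/bash
# Added example: classify a user's relationship to a group as
# "primary", "supplementary" or "none" from passwd/group file contents.

# Constructed sample data (not from a real system): pcscd has primary
# group pcscd and is listed as a member of sysfs.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
pcscd:x:101:101::/run/pcscd:/sbin/nologin'
GROUP_SAMPLE='root:x:0:
sysfs:x:105:pcscd
pcscd:x:101:'

# group_membership USER GROUP PASSWD_CONTENT GROUP_CONTENT
# Prints "primary", "supplementary" or "none"; returns 1 for "none".
group_membership() {
	local user="$1" group="$2" passwd_db="$3" group_db="$4"
	local gid pgid members

	# gid of the group we are asking about; unknown group -> none
	gid=$(printf '%s\n' "$group_db" | awk -F: -v g="$group" '$1 == g { print $3 }')
	if [ -z "$gid" ]; then
		echo none
		return 1
	fi

	# primary gid of the user from the passwd entry
	pgid=$(printf '%s\n' "$passwd_db" | awk -F: -v u="$user" '$1 == u { print $4 }')
	if [ -n "$pgid" ] && [ "$pgid" = "$gid" ]; then
		echo primary
		return 0
	fi

	# supplementary membership is the comma-separated member list in /etc/group
	members=$(printf '%s\n' "$group_db" | awk -F: -v g="$group" '$1 == g { print $4 }')
	case ",$members," in
		*",$user,"*)
			echo supplementary
			return 0
			;;
	esac

	echo none
	return 1
}

# Usage against the live system would be:
#   group_membership pcscd sysfs "$(cat /etc/passwd)" "$(cat /etc/group)"
group_membership pcscd sysfs "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

The point of separating the two cases is the one in Sven's question: a daemon that only works when sysfs is its primary group would pass a naive "is the user in the group" check but fail in practice, so the check should report which kind of membership it found.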