[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: daemon user naming scheme

On 05/09/14 16:03, Ian Jackson wrote:
> Simon McVittie writes ("Re: daemon user naming scheme"):
>> It is reasonable to use /var/lib/foo (or /run/foo or /var/cache/foo or
>> /var/games/foo) as the home directory of a system user whose name is
>> _foo, debian-foo, Debian-foo or whatever.
> 
> You need to be careful that the directory chosen never has undesirable
> permissions, since there are many ways that access can be granted to a
> user foo by putting things in ~foo.

Yes, a good point which I should have mentioned. Please read as "it is
reasonable to use ... as long as that directory's permissions only allow
that user to write there".

> For example, /var/games/foo seems like a bad idea since it will
> probably be g+w games.

Hmm, not on my system - /var/games is 0755 root:root, and the
openarena-server and quake{,2,3}-server subdirectories created by my
Quake-based game packages are 0755 some-daemon-user:games.

I agree that if the foo subdirectory in games was used for a system-wide
shared high-score table or something (g+w games, with the game setgid
games so it can write there), then that would make it unsuitable. On the
other hand, using setgid for shared high-score tables on a multi-user
system has always seemed to me like using a sledgehammer (or possibly a
railgun) to crack a nut :-)

    S
Reply to: