
Re: Executing with root privileges



On Sat, 5 Jun 2004 22:21:23 +0100, Nick Leverton wrote:
> On Sat, Jun 05, 2004 at 08:24:47PM +0200, Eduard Bloch wrote: 
> > Goswin von Brederlow schrieb am Samstag, den 05. Juni 2004:
> > 
> > > >  > So, my question is...is there, or should there be, some virtual
> > > >  > package or system-wide or user-wide preference for gaining root
> > > >  > privileges under X11? What's the best current way to get this
> > > >  > into the menu system with the least amount of pain for both
> > > >  > the packager and the user?
> > 
> > There is already the script su-to-root in the current menu package which
> > does almost what you want - looking around and choosing a su-like
> > program.
> 
> Can you depend on any of the alternatives, with suitable detection ?
> That would be good for users in differing environments :)
> 
> Nick

I've been working on a similar problem for a package that I've just 
adopted.  It is a game with a "high scores" file that it wants to 
write to, and Debian Policy (section 10.9) allows for the file to have
an owner of root.games, with the game itself running setgid to games.
Linda even complains if the game is *not* setgid.

The problem is, the game is written in Java, so the entry in usr/games
is a driver script, and scripts ignore the setuid and setgid modes for
security reasons.

I didn't get the list of alternatives that you've gotten here, and
sudo does not appear to have a mechanism for "keep the current uid,
but run under a different gid".  I've tried to write a generic 
"setgid_wrapper" (actually, a setid_wrapper, because I may as well
set both the uid and the gid), but there are concerns about YAFuid
changing application; and this one isn't written by a professional
paranoid like sudo.

My question for this thread is, "should I continue to pursue an 
independent setid_wrapper, which would solve this requirement as well
as mine, or should I work with the sudo upstream to get a setgid
option added?"  Put another way, given that my needs are not met by
any of the alternatives presented in this thread, what is the best
way (for *all* of Debian) to address them?

-- 
James Damour (Suvarov454) <suvarov454@users.sourceforge.net>

Attachment: signature.asc
Description: This is a digitally signed message part
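
One shape the setid_wrapper discussed in this message could take, as an added example that is not code from the post, from sudo, or from Debian: a small C binary, installed setgid games, that execs a single compiled-in target with an allowlisted environment. The target path (a hypothetical binary launcher), the allowlist contents and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical fixed target: compiled in, never taken from argv or env. */
#define TARGET "/usr/lib/example-game/launcher"
#define MAX_ENV 16

/* Only these names survive; everything else is dropped
 * (LD_PRELOAD, CLASSPATH, JAVA_TOOL_OPTIONS, IFS, ...). */
static const char *const ALLOWED[] = { "DISPLAY", "XAUTHORITY", "HOME", "LANG", "TERM" };

/* Return 1 if entry is "NAME=value" with NAME on the allowlist. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(entry, ALLOWED[i], len) == 0)
            return 1;
    return 0;
}

/* Copy allowed entries from in[] to out[] after a fixed PATH, NULL-terminate.
 * cap must be at least 2. Returns entries written (excluding the NULL). */
size_t build_clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (env_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[], char *envp[])
{
    char *clean[MAX_ENV];
    if (argc < 1)                /* empty argv: writing argv[0] would clobber its NULL */
        return 126;
    build_clean_env(envp, clean, MAX_ENV);
    argv[0] = TARGET;            /* caller's arguments pass through unchanged */
    execve(TARGET, argv, clean); /* effective gid carries over to the target */
    perror("execve " TARGET);    /* reached only if exec failed */
    return 127;
}
```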

