[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

security/installation question regarding plan

the program plan uses another executable called netplan to act as an IP
network server to manage appointment files. Under the vanilla compilation
and installation, the following happens with netplan:

   if run by root or setuid root, netplan switches to "nobody". The UID
   and GID of <nobody> are compiled in, not determined at runtime. netplan
   will refuse to run setgid-but-not-setuid root.

Also, netplan only reads and writes to 

LIB/netplan.dir the directory that netplan puts files into, and the only
                directory that netplan will read from (see Network

where LIB under the vanilla installation would be /usr/local/lib.

Under the mostly complete debian packaging of plan, I have installed
netplan as /usr/lib/plan/netplan and netplan.dir as
/usr/lib/plan/netplan.dir. Christoph Lameter began packaging plan which
has allowed me to use the following postinst as a template (note
/usr/sbin/netplan will be changed to /usr/lib/netplan): 
#!/bin/sh -e

# Check if "netplan" user exists create if not
adduser --system --home /var/lib/netplan netplan || echo "netplan user \
already exists."

if [ ! -d /var/lib/netplan ]; then
        install -m 700 -u netplan -d /var/lib/netplan

suidregister -s plan /usr/sbin/netplan netplan root 4754 
I am somewhat new to packaging, so I want to be sure I completely
understand what is going on here:
1) The system user netplan is created if it didn't already exist.
2) The system user netplan's home directory is created as /var/lib/netplan
   if it didn't already exist.
3) suidregister registers netplan in /etc/suid.conf and changes the suid
to netplan from nobody

1) What is /var/lib/netplan used for? It seems to me that the only
   directory that is needed for netplan is /usr/lib/plan/netplan.dir.
2) Do I really need to change the suid of netplan from nobody to netplan? 
3) By using suidregister, isn't this creating a dependency on
   the suidmanager package?

Some of these questions may be stupid, but that's how I learn:). Any help
is gratefully appreciated. Cheers, Colin.

PS. This package will most likely not be uploaded until approx. June 17th
when I get a chance to get to the console of my debian machine so I can
try it under X.

	  Colin R. Telmer, Institute of Intergovernmental Relations
		School of Policy Studies, Queen's University
		     Kingston, Ontario, Canada, K7L-3N6
	      (613)545-6000x4219   telmerco@qed.econ.queensu.ca
     PGP Fingerprint = 09 E9 DA 66 9C EE 33 DC  B8 3B 97 0E 01 BC EC 0B
	   PGP Public Key at <URL:http://terrapin.econ.queensu.ca>

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: