security/installation question regarding plan
the program plan uses another executable called netplan to act as an IP
network server to manage appointment files. Under the vanilla compilation
and installation, the following happens with netplan:
if run by root or setuid root, netplan switches to "nobody". The UID
and GID of <nobody> are compiled in, not determined at runtime. netplan
will refuse to run setgid-but-not-setuid root.
Also, netplan only reads and writes to LIB/netplan.dir, the directory that
netplan puts files into and the only directory that netplan will read from
(see Network Security), where LIB under the vanilla installation would be
/usr/local/lib.
Under the mostly complete debian packaging of plan, I have installed
netplan as /usr/lib/plan/netplan and netplan.dir as
/usr/lib/plan/netplan.dir. Christoph Lameter began packaging plan which
has allowed me to use the following postinst as a template (note
/usr/sbin/netplan will be changed to /usr/lib/netplan):
--------------
#!/bin/sh -e
# Check if the "netplan" system user exists; create it if not.
# adduser exits non-zero when the user is already present, so the
# "|| echo" keeps "sh -e" from aborting the postinst in that case.
adduser --system --home /var/lib/netplan netplan || echo "netplan user \
already exists."
# Create the home directory, owned by netplan and private to it.
# (install(1) takes the owner as -o; the template's -u was not a valid option.)
if [ ! -d /var/lib/netplan ]; then
install -m 700 -o netplan -d /var/lib/netplan
fi
# Register the setuid binary with suidmanager: owner root, group netplan,
# mode 4754 (setuid, rwxr-xr--), under the package name "plan".
suidregister -s plan /usr/sbin/netplan netplan root 4754
--------------
I am somewhat new to packaging, so I want to be sure I completely
understand what is going on here:
1) The system user netplan is created if it didn't already exist.
2) The system user netplan's home directory is created as /var/lib/netplan
if it didn't already exist.
3) suidregister registers netplan in /etc/suid.conf and changes the suid
to netplan from nobody
Questions:
1) What is /var/lib/netplan used for? It seems to me that the only
directory that is needed for netplan is /usr/lib/plan/netplan.dir.
2) Do I really need to change the suid of netplan from nobody to netplan?
3) By using suidregister, isn't this creating a dependency on
the suidmanager package?
Some of these questions may be stupid, but that's how I learn:). Any help
is gratefully appreciated. Cheers, Colin.
PS. This package will most likely not be uploaded until approx. June 17th
when I get a chance to get to the console of my debian machine so I can
try it under X.
--
Colin R. Telmer, Institute of Intergovernmental Relations
School of Policy Studies, Queen's University
Kingston, Ontario, Canada, K7L-3N6
(613)545-6000x4219 telmerco@qed.econ.queensu.ca
PGP Fingerprint = 09 E9 DA 66 9C EE 33 DC B8 3B 97 0E 01 BC EC 0B
PGP Public Key at <URL:http://terrapin.econ.queensu.ca>
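As an added illustration (not part of the mail above, nor of the plan or suidmanager packages), the following POSIX shell functions decode the octal mode that suidregister is given (4754 in the postinst) and check an installed binary against the owner, group and mode a maintainer expects. The classification follows the point made above that netplan accepts setuid root but refuses to run setgid-but-not-setuid. The only assumption is GNU coreutils stat(1) for reading the file's owner, group and mode; the path /usr/lib/plan/netplan in the usage comment is the one named in the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the plan package.
# Decodes a 4-digit octal mode (e.g. 4754) and checks a file against an
# expected owner/group/mode as suidregister would set them. Assumes GNU stat.

# pad_mode MODE: prints MODE left-padded with zeros to four octal digits
# (string padding is used on purpose; printf %d would misread a leading 0).
pad_mode() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done
    printf '%s\n' "$m"
}

# special_bits MODE: prints the setuid(4)/setgid(2)/sticky(1) digit of MODE
special_bits() {
    m=$(pad_mode "$1")
    printf '%s\n' "${m%???}"
}

# classify_mode MODE: prints one of
#   setuid      - setuid bit set (what netplan expects before it drops to nobody)
#   setgid-only - setgid without setuid (netplan refuses to run this way)
#   plain       - neither bit set
classify_mode() {
    s=$(special_bits "$1")
    if [ $((s & 4)) -ne 0 ]; then
        echo setuid
    elif [ $((s & 2)) -ne 0 ]; then
        echo setgid-only
    else
        echo plain
    fi
}

# others_perms MODE: prints the rwx string for "other" users, e.g. r-- for 4754,
# which shows that only root and group netplan may execute a 4754 binary.
others_perms() {
    m=$(pad_mode "$1")
    o=${m#???}
    r=-; w=-; x=-
    if [ $((o & 4)) -ne 0 ]; then r=r; fi
    if [ $((o & 2)) -ne 0 ]; then w=w; fi
    if [ $((o & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# check_binary PATH OWNER GROUP MODE: returns 0 if PATH has exactly that
# owner, group and octal mode; otherwise prints the mismatch on stderr and
# returns 1. Useful as a post-installation sanity check for a setuid binary.
check_binary() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    have=$(stat -c '%U %G %a' "$path") || return 1
    want="$want_owner $want_group $want_mode"
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "$path: have [$have], want [$want]" >&2
    return 1
}

# Usage on an installed system (path taken from the mail above):
# check_binary /usr/lib/plan/netplan root netplan 4754 && echo "netplan mode OK"
```

The decoder makes the mode argument readable: 4754 is setuid root with rwx for the owner, r-x for group netplan and r-- for everyone else, so a 2754 typo would be rejected by netplan itself while a 4755 would let any local user execute it; check_binary catches either drift from what the postinst registered.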