Creating a dynamic group `jazip' (or not)?
My jazip package is almost ready to be uploaded (jazip is an X tool to
easily mount and unmount Iomega Zip and/or Jaz drives). It is
suid-root and gives all users the ability to mount and umount zip and
jaz devices. I'm contemplating creating a group jazip as a means to
let sysadmins control user access by changing permission and group
ownership of the jazip executable like so:
$ ls -l /usr/bin/jazip
-rwsr-xr-- 1 root jazip 147340 May 18 15:04 /usr/bin/jazip
Then only members of group jazip can access the suid-root jazip binary.
Here's what policy says about this issue:
---------------
[...]
The UID and GID ranges are as follows:
100-999:
Dynamically allocated system users and groups. Packages which
need a user or group, but can have this user or group allocated
dynamically and differently on each system, should use ``adduser
--system'' to create the group and/or user. `adduser' will check
for the existence of the user or group, and if necessary choose
an unused id based on the range specified in `adduser.conf'.
[...]
you should consider (for example) creating a group for people
allowed to use the program(s) and making any setuid executables
executable only by that group.
[...]
On the other hand, the program may be able to determine the uid or gid
from the group name at runtime, so that a dynamic id can be used. In
this case you must choose an appropriate user or group name,
discussing this on `debian-devel' and checking with the base system
maintainer that it is unique and that they do not wish you to use a
statically allocated id instead. When this has been checked you must
arrange for your package to create the user or group if necessary
using `adduser' in the pre- or post-installation script (again, the
latter is to be preferred if it is possible).
---------------
Hence I bring this up on -devel.
The only packaged file that would use the jazip ID is /usr/bin/jazip,
although mount points could also use it. Therefore, I don't need a
`jazip' user at all, so instead of calling `adduser --system' I could
simply use addgroup (but perhaps creating a jazip user anyway would be
good prevention in case the package later needs one).
Here is my proposed postinst file (the commented-out lines would be
removed; they are there now to show the default configuration I could
also use which lets all users use jazip):
-----------------------
#!/bin/sh
#
# postinst script for the jazip package
set -e

case "$1" in
    configure)
        # Create the jazip group on first install only; upgrades must not
        # re-create it or repeat the notice.
        if ! grep -q '^jazip:' /etc/group; then
            adduser --group jazip
            echo "*** Important ***"
            echo "Users must be added to the 'jazip' group to allow access"
            echo "to the jazip program."
        fi
        # Register the setuid binary with suidmanager when it is installed,
        # otherwise set ownership and mode directly.  The commented-out
        # lines are the default configuration that lets all users run jazip.
        if [ -x /usr/sbin/suidregister ]; then
            # suidregister -s jazip /usr/bin/jazip root root 4755
            suidregister -s jazip /usr/bin/jazip root jazip 4754
        else
            # chown root:root /usr/bin/jazip
            # chmod 4755 /usr/bin/jazip
            chown root:jazip /usr/bin/jazip
            chmod 4754 /usr/bin/jazip
        fi
        if [ -x /usr/bin/update-menus ]; then update-menus; fi
        if [ -f /etc/jazip.conf ]; then jazipconfig --non-interactive; fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

exit 0
-----------------------
If there's no reasonable opposition to this, I'll implement it.
The jazip group could also be used for mount point group ownership.
If /zip is owned by root.root and I don't have write permission
on /zip, after I mount a disk with jazip I still can't write to it:
$ touch /zip/test
touch: /zip/test: Permission denied
I thought of the following permission/ownership which admins could use:
drwxrwx--t 3 root jazip 1024 May 21 10:58 /zip
Only jazip group members can read it, all jazip members can write to
it at any time, but can't overwrite other users' files. This only
matters for ext2 formatted disks because jazip's mount changes
ownership of the mount for vfat formatted disks: whoever uses jazip
to mount the disk owns the files. No other user can write to the
disk.
As usual, thanks!
--
Peter Galbraith <GalbraithP@dfo-mpo.gc.ca>
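The two access-control decisions the proposal relies on (a setuid-root binary with mode 4754 owned by root:jazip, and a sticky group-writable mount point) can be checked against the POSIX permission rules without touching a real system. The following Python model is an added example, not code from the jazip package or from the mail above; the uids, the gid 105 for the jazip group, and the users alice, bob and carol are constructed sample values. It implements the standard owner/group/other class selection (only the one matching class is consulted) plus the sticky-bit rule for unlinking. Note that the listing `drwxrwx--t` shows a lowercase `t`, which means the other-execute bit is also set, so non-members can traverse /zip by name but cannot list or write it; the model uses that exact mode.

```python
"""Model of the POSIX permission checks behind a group-gated setuid binary
and a sticky, group-writable mount point (added example; ids are assumed)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # full st_mode: file type, set-id/sticky bits and rwx bits


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary group ids

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups


R, W, X = 4, 2, 1


def may_access(cred, inode, want):
    """Classic POSIX check.  uid 0 passes everything except execute on a
    regular file that has no execute bit at all.  Everyone else is matched
    against exactly one class: owner if the uid matches, else group if any of
    the caller's groups matches, else other.  A more permissive later class
    never rescues a less permissive earlier one."""
    if cred.uid == 0:
        if want & X and not stat.S_ISDIR(inode.mode):
            return bool(inode.mode & 0o111)
        return True
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.in_group(inode.gid):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def may_unlink(cred, directory, entry):
    """Removing or renaming an entry needs write+search on the directory.
    With the sticky bit set, the caller must also own the entry or the
    directory; uid 0 is exempt.  The entry's own mode is irrelevant."""
    if not may_access(cred, directory, W | X):
        return False
    if directory.mode & stat.S_ISVTX and cred.uid != 0:
        return cred.uid in (entry.uid, directory.uid)
    return True


# Constructed sample principals and objects (assumed ids, not real values).
ROOT_UID, JAZIP_GID = 0, 105
root = Cred(uid=ROOT_UID, gid=0)
alice = Cred(uid=1000, gid=1000, groups=frozenset({JAZIP_GID}))
bob = Cred(uid=1001, gid=1001, groups=frozenset({JAZIP_GID}))
carol = Cred(uid=1002, gid=1002)  # not a jazip member

# -rwsr-xr-- root jazip  /usr/bin/jazip
jazip_bin = Inode(uid=ROOT_UID, gid=JAZIP_GID,
                  mode=stat.S_IFREG | stat.S_ISUID | 0o754)
# drwxrwx--t root jazip  /zip   (lowercase t: sticky plus other-execute)
zip_dir = Inode(uid=ROOT_UID, gid=JAZIP_GID,
                mode=stat.S_IFDIR | stat.S_ISVTX | 0o771)
# A file alice created on an ext2 disk mounted under /zip.
alices_file = Inode(uid=alice.uid, gid=alice.gid, mode=stat.S_IFREG | 0o644)


def can_run_jazip(cred):
    return may_access(cred, jazip_bin, X)


def can_list_zip(cred):
    return may_access(cred, zip_dir, R | X)


def can_write_zip(cred):
    return may_access(cred, zip_dir, W | X)


def can_delete_in_zip(cred, entry):
    return may_unlink(cred, zip_dir, entry)


if __name__ == "__main__":
    for who, cred in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(who, "run:", can_run_jazip(cred), "list:", can_list_zip(cred),
              "write:", can_write_zip(cred),
              "rm alice's file:", can_delete_in_zip(cred, alices_file))
```

Running the block shows the intended split: alice and bob (jazip members) can execute the binary and write to /zip, carol can do neither, and bob cannot remove alice's file because of the sticky bit even though he has write access to the directory. The `may_access` class rule is also why the 4754 mode works as a gate at all: a non-member falls through to the `r--` other class, which has no execute bit, and the kernel never looks at the more permissive group bits for that user.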