[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Creating a dynamic group `jazip' (or not)?

My jazip package is almost ready to be uploaded (jazip is an X tool to
easily mount and unmount Iomega Zip and/or Jaz drives). It is
suid-root and gives all users the ability to mount and umount zip and
jaz devices.  I'm contemplating creating a group jazip as a means to
let sysadmins control user access by changing permission and group
ownership of the jazip executable like so:

   $ ls -l /usr/bin/jazip 
   -rwsr-xr--   1 root     jazip      147340 May 18 15:04 /usr/bin/jazip

Then only members of group jazip can access the suid-root jazip binary.

Here's what policy says about this issue:

     The UID and GID ranges are as follows: 
          Dynamically allocated system users and groups. Packages which
          need a user or group, but can have this user or group allocated
          dynamically and differently on each system, should use ``adduser
          --system'' to create the group and/or user. `adduser' will check
          for the existence of the user or group, and if necessary choose
          an unused id based on the ranged specified in `adduser.conf'.
         you should consider (for example) creating a group for people
     allowed to use the program(s) and making any setuid executables
     executable only by that group.
     On the other hand, the program may able to determine the uid or gid
     from the group name at runtime, so that a dynamic id can be used. In
     this case you must choose an appropriate user or group name,
     discussing this on `debian-devel' and checking with the base system
     maintainer that it is unique and that they do not wish you to use a
     statically allocated id instead. When this has been checked you must
     arrange for your package to create the user or group if necessary
     using `adduser' in the pre- or post-installation script (again, the
     latter is to be preferred if it is possible).

Hence I bring this up on -devel

The only packaged file should would use the jazip ID is /usr/bin/jazip,
althought mount points could also use it.  Therefoere, I don't need a
`jazip' user at all, so instead of calling `adduser --system' I could
simply use addgroup (But perhaps creating a jazip user anyway would be
good prevention in case the package later needs one).

Here is my proposed postinst file (the commented-out lines would be
removed; they are there now to show the default configuration I could
also use which lets all users use jazip):

# postinst script for the jazip package

set -e

case "$1" in

        if ! grep -q \^jazip: /etc/group; then
            adduser --group jazip 
            echo "*** Important ***"
            echo "Users must be added to the 'jazip' group to allow access"
            echo "to the jazip program."

        if [ -x /usr/sbin/suidregister ]; then
#          suidregister -s jazip /usr/bin/jazip root root 4755
           suidregister -s jazip /usr/bin/jazip root jazip 4754
#           chown root.root /usr/bin/jazip
#           chmod 4755 /usr/bin/jazip
            chown root.jazip /usr/bin/jazip
            chmod 4754 /usr/bin/jazip

        if [ -x /usr/bin/update-menus ] ; then update-menus ; fi

        if [ -f /etc/jazip.conf ] ; then jazipconfig --non-interactive ; fi

        echo "postinst called with unknown argument \`$1'" >&2

exit 0                 

If there's no reasonable opposition to this, I'll implement it. 

The jazip group could also be used for mount point group ownership.
If /zip is owned by root.root and I don't have write permission
on /zip, after I mount a disk with jazip I still can't write to it:

 $ touch /zip/test
 touch: /zip/test: Permission denied

I thought of the following permission/ownership which admins could use:

drwxrwx--t   3 root     jazip        1024 May 21 10:58 /zip

Only jazip group members can read it, all jazip members can write to
it at any time, but can't overwrite other user's files.  This only
matters for ext2 formatted disks becuse jazip's mount changes
ownwership of the mount for vfat formatted disks: whoever uses jazip
to mount the disk owns the files.  No other user can write to the

As usual, thanks!
Peter Galbraith <GalbraithP@dfo-mpo.gc.ca>

Reply to: