[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

setgid-wrapper (was: Re: ITA: filler - Simple game in Java)

James Damour wrote[Tue, May 11, 2004 at 08:25:52AM -0400]:

I would appreciate it if a sponsor could review my packaging, and let me
know what I should change in order to get it ready for upload to the
Debian archive.  I've fixed all lintian or linda errors, and the
remaining linda warning may be a bug (as a game, filler needs to be
rwxr-sr-x and linda is expecting rwxr-xr-x).
Grzegorz B. Prokopski wrote:
As for SGID - if this is java game, so you most probably have a shell
wrapper.  S[UG]ID bits do NOT work on shell scripts.  You can have the
bits set but they will be ignored.  So I suspect linda may check that
your wrapper is a shell script and then - sgid bit makes no effect

What you probably could do is write a small C wrapper, but then your
package would have to be autobuild on all architectures, which will
not happen for a package in contrib... So getting back to the sources
of SGID - the bit is there so that games played independently by difrent
users could store the "best score" values in a shared place.  If you
don't set the bit you can not use this functionality. Well, not a
terribly big loss probably.

I was thinking about this.  I've faced the same problem with setuid
and setgid bits not working on shell scripts.

I was thinking it might make sense to create a program (and package) named
setgid-wrapper?   Using filler as an example, the basic idea is this:

You'd have a directory, /etc/setgid-wrapper.d , which contains a bunch of
config files.  The package "filler" would include a file named
/etc/setgid-wrapper.d/filler, which would be owned by root, only writeable
by root, and whose contents would be:
	/usr/games/filler games /usr/libexec/games/filler-bin

The package filler would also include a symbolic link (or would create it)
of the form:
	/usr/games/filler -> /usr/libexec/setgid-wrapper

The real executable for filler would be in /usr/libexec/games/filler-bin.
The program /usr/libexec/setgid-wrapper would notice what name it had been
invoked under (/usr/games/filler), look inside the file /etc/setgid-wrapper-d/filler
to check what real program to execute and what group to execute it as,
then setregid() to (user's real group, games-group), setreuid() to the user's
real id, and execute the real executable.

An alternative approach (if you think that programs shouldn't behave
differently depending upon how they're named -- the GNU coding standards
say they shouldn't) would be for /usr/games/filler to be:
	#! /bin/sh
	exec setgid-wrapper filler /usr/libexec/games/filler-bin "$@"

Under this alternative scheme (requires that you start an extra subshell, but
that's no big deal, given how long the game will take to play), setgid-wrapper
would live in /usr/bin instead.  I actually like the alternative scheme better;
it is just marginally slower to start up.

--Steve Augart

Steven Augart

Jikes RVM, a free, open source, Virtual Machine:

Reply to: