setgid-wrapper (was: Re: ITA: filler - Simple game in Java)
James Damour wrote[Tue, May 11, 2004 at 08:25:52AM -0400]:
I would appreciate it if a sponsor could review my packaging, and let me
know what I should change in order to get it ready for upload to the
Debian archive. I've fixed all lintian or linda errors, and the
remaining linda warning may be a bug (as a game, filler needs to be
rwxr-sr-x and linda is expecting rwxr-xr-x).
Grzegorz B. Prokopski wrote:
As for SGID - if this is java game, so you most probably have a shell
wrapper. S[UG]ID bits do NOT work on shell scripts. You can have the
bits set but they will be ignored. So I suspect linda may check that
your wrapper is a shell script and then - sgid bit makes no effect
What you probably could do is write a small C wrapper, but then your
package would have to be autobuild on all architectures, which will
not happen for a package in contrib... So getting back to the sources
of SGID - the bit is there so that games played independently by difrent
users could store the "best score" values in a shared place. If you
don't set the bit you can not use this functionality. Well, not a
terribly big loss probably.
I was thinking about this. I've faced the same problem with setuid
and setgid bits not working on shell scripts.
I was thinking it might make sense to create a program (and package) named
setgid-wrapper? Using filler as an example, the basic idea is this:
You'd have a directory, /etc/setgid-wrapper.d , which contains a bunch of
config files. The package "filler" would include a file named
/etc/setgid-wrapper.d/filler, which would be owned by root, only writeable
by root, and whose contents would be:
/usr/games/filler games /usr/libexec/games/filler-bin
The package filler would also include a symbolic link (or would create it)
of the form:
/usr/games/filler -> /usr/libexec/setgid-wrapper
The real executable for filler would be in /usr/libexec/games/filler-bin.
The program /usr/libexec/setgid-wrapper would notice what name it had been
invoked under (/usr/games/filler), look inside the file /etc/setgid-wrapper-d/filler
to check what real program to execute and what group to execute it as,
then setregid() to (user's real group, games-group), setreuid() to the user's
real id, and execute the real executable.
An alternative approach (if you think that programs shouldn't behave
differently depending upon how they're named -- the GNU coding standards
say they shouldn't) would be for /usr/games/filler to be:
exec setgid-wrapper filler /usr/libexec/games/filler-bin "$@"
Under this alternative scheme (requires that you start an extra subshell, but
that's no big deal, given how long the game will take to play), setgid-wrapper
would live in /usr/bin instead. I actually like the alternative scheme better;
it is just marginally slower to start up.
Jikes RVM, a free, open source, Virtual Machine: