Re: RFS: eviacam

[Cesar Mauri <cesar@crea-si.com>]

Hi Kilian,

> [...]
> > > or so and move the SUID bit setting including creating a
> > > group to postinst so that you limit the impact to an acceptable minimum.
> > > Having an open root access for everybody on a system is quite a bit
> > > too generous IMHO.
> >
> > I don't like also having a SUID binary but it is the only way I
> > found to raise the priority of the process. I've moved the "chmod"
> > to the postinst script but I couldn't create a group to setuid to
> > because the nice system call (see nice(2)) needs superuser
> > privileges.
>
> I seem to have not expressed my idea correctly:
> - Have your binary chmod 4750
> - with uid 0 (thus the setUID) and
> - group "whateveryournewgroupname"
>
> In debian/postinst that would look like:
> chmod 4750 $BINARY
> chown 0:$GID $BINARY
>
> where $GID is the group id of the group you create in postinst.
>
> That will make sure it gets the UID 0 correctly so that nice(2) will work ok
> and also will make sure that only users of the group are allowed to execute
> it.
>
> Does that make sense for you?

Got it! Before creating a new group, is there any previously existing 
group that would be suitable for such a job (i.e. that a common desktop 
user would be part of)?

I think that if we need to create a new group may be some non-expert 
users won't be able to run eviacam properly (i.e. they might fail to add 
their username to such group). Other options include:

i) ask the user whether to make eviacamloader SUID and explain that a 
new group is needed and such and such.
ii) completely get rid of the SUID thing at the expense of less 
responsiveness.

What do you think? Thanks.

Regards,

César