
Re: RFS: eviacam



Hi César,

On Wed, Aug 03, 2011 at 10:26:46PM +0200, Cesar Mauri wrote:
> Hi Kilian,
> 
> >>>[...]
> >>>- Have your binary chmod 4750
> >>>- with uid 0 (thus the setUID) and
> >>>- group "whateveryournewgroupname"
> >>>
> >>>In debian/postinst that would look like:
> >>>chmod 4750 $BINARY
> >>>chown 0:$GID $BINARY
> >>>
> >>>where $GID is the group id of the group you create in postinst.
> >>>
> >>>That will make sure it gets the UID 0 correctly so that nice(2) will work ok
> >>>and also will make sure that only users of the group are allowed to execute
> >>>it.
> >>>[...]
> 
> >>I think that if we need to create a new group maybe some non-expert
> >>users won't be able to run eviacam properly (i.e. they might fail to add
> >>their username to such group). Other options include:
> >>
> >>i) ask the user whether to make eviacamloader SUID and explain that a
> >>new group is needed and such and such.
> >
> >Can be done with debconf quite easily as:
> >a) Ask whether SUID should be activated
> 
> Done. Package uploaded.

Good!

The file debian/po/templates.pot has a lot of template headers still though.
Please fill in all fields that are still holding bogus data.

Regarding the activation I'd still vote for a group to be created and the
chmod to be 4750 if SUID and 0755 if not SUID. You may want to use
dpkg-statoverride for this to set both user:group and chmod permissions in
one line.

If you need a good template I'd need to dig among the last packages I have
reviewed. There was a really good postinst doing exactly this.

Your text then should also include the name of the group (probably eviacam)
and that the sysadmin should add users if they're supposed to use the
program.

> >b) which users should be added to the group interactively
> 
> I would need some help here. Can you point to a good document (or
> better, an example) on how to interactively add users to a group
> using debconf?

I was thinking of the libc version asking for which processes need to be
restarted. Not sure though if that's useful considering that e.g. sudo
leaves this to the sysadmin too. I guess we can live with just the SUID-yes
and SUID-no question in debconf.


> >Please set sensible defaults so that you can also work with
> >DEBCONF_FRONTEND=noninteractive
> 
> The default option is to *NOT* use SUID.

Very good. ;-)

> >>ii) completely get rid of the SUID thing at the expense of less
> >>responsiveness.
> >
> >If that's possible and doesn't limit core functionality it sounds like a
> >valid option. What downsides would that bring?
> 
> The core functionality is exactly the same. The only downside is
> that eviacam won't work as smoothly as if it were running in high
> priority (i.e. the user might notice that the mouse pointer is less
> responsive when CPU load is high).
> 
> >I think debconf as explained above together with properly adding a new
> >group and importing users through debconf would be a good thing.
> 
> Agreed. But some help needed :-). Thanks.

Hth. ;-)

-- 
Best regards,
Kilian
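
Added example, not part of the original message and not the eviacam package's own script: a debian/postinst sketch of the setup discussed above, where a debconf yes/no answer decides whether eviacamloader gets a root:eviacam 4750 dpkg-statoverride entry. The install path /usr/bin/eviacamloader and the debconf question name eviacam/suid are assumptions.

```shell
#!/bin/sh
# debian/postinst sketch (added example, not the package's own script)
set -e

BINARY=/usr/bin/eviacamloader   # assumed install path
GROUP=eviacam                   # group name suggested in the thread
QUESTION=eviacam/suid           # hypothetical debconf boolean, default false

# Print the dpkg-statoverride arguments for the SUID case.
# Only an explicit "true" enables SUID; any other answer (including the
# empty one from a noninteractive install) prints nothing, so the binary
# keeps the root:root 0755 mode it is shipped with.
suid_override_args() {
    case "$1" in
        true) echo "--update --add root $GROUP 4750 $BINARY" ;;
        *)    : ;;
    esac
}

case "$1" in
    configure)
        . /usr/share/debconf/confmodule
        db_get "$QUESTION"
        args=$(suid_override_args "$RET")
        # Skip when an override is already registered, so a setting made
        # by the local administrator is never replaced.
        if [ -n "$args" ] && ! dpkg-statoverride --list "$BINARY" >/dev/null 2>&1; then
            # The group must exist before it can own the file.
            getent group "$GROUP" >/dev/null || addgroup --system "$GROUP"
            # Unquoted on purpose: $args must split into separate words.
            dpkg-statoverride $args
        fi
        ;;
esac

#DEBHELPER#
```

With mode 4750 only root and members of the eviacam group can execute the SUID binary, so the debconf text still has to tell the sysadmin to add users to that group.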
