
Bug#920692: [PATCH] Packages must not install files or directories into /var/cache



Josh Triplett <josh@joshtriplett.org> writes:
> On Wed, Feb 27, 2019 at 08:13:52AM +0100, Ansgar wrote:
>> Josh Triplett writes:

>>> diff --git a/policy/ch-files.rst b/policy/ch-files.rst
>>> index 48410be..1cdcb18 100644
>>> --- a/policy/ch-files.rst
>>> +++ b/policy/ch-files.rst
>>> @@ -722,6 +722,15 @@ The name of the files and directories installed by binary packages
>>>  outside the system PATH must be encoded in UTF-8 and should be
>>>  restricted to ASCII when it is possible to do so.
>>>
>>> +.. _s-cache:
>>> +
>>> +Cache
>>> +-----
>>> +
>>> +Packages must not install files or directories into ``/var/cache``. The
>>> +system administrator may delete any or all files from this directory at
>>> +any time, or may choose to put it on an ephemeral filesystem.
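Review bot: the rationale sentence at the end of the hunk ("may delete any or all files from this directory") speaks only of files, while the rule it justifies forbids installing files or directories; say "files or directories" there too, and add a sentence on how a package that needs a writable subdirectory of ``/var/cache`` is expected to obtain it (at boot or when its programs run), otherwise the new section states a prohibition without saying what a package should do instead.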

This looks fine to me except we really should say something about
directories, as mentioned in the subsequent discussion.

> I don't think we should require any *specific* solution to be used, but
> if you'd like, I could certainly say something like "if the package
> expects to have a specific directory writable by non-root, it will need
> to arrange to create that directory as root before running; the package
> should not fail to run if that directory does not exist".

"Before running" is something it could only satisfy by installing the
directory.  I think what you want is something more like:

    If any program in the package expects a specific file or directory in
    ``/var/cache`` to exist or be writable by a non-root user, it must
    arrange to do this when executed.

The problem with this is that as written it would rule out using tmpfiles
or an init script or systemd unit to do this.  Using tmpfiles implies that
it's okay to create the things you need at system boot, which in turn
implies that it's *not* okay for the sysadmin to delete files and
directories at any time and expect everything to keep working, since they
may not work until the system is rebooted.  Similarly, there's a problem
with running daemons that have already created their files.  I don't think
we expect those daemons to handle the system administrator deleting their
cache files at any arbitrary time, such as while they're updating or
reading from them.

I think before we add this wording to Policy we need to be a bit clearer
about exactly what we expect packages to do.  I'm pretty sure we don't
want them to have setuid helper programs to create missing directories at
runtime.  :)

Maybe what we want to say is something like:

    If any program in the package expects a specific file or directory in
    ``/var/cache`` to exist or be writable by a non-root user, it must
    arrange to do this at system boot or when executed.

and then modify your statement to say:

    The system administrator may delete any or all files from this
    directory at any time, or may choose to put it on an ephemeral
    filesystem, although after such deletion programs may stop working
    until the next system reboot.

I'm still not very happy with this language.  Any other suggestions
welcome.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
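The program-side half of the arrangement discussed above (a package whose cache directory under ``/var/cache`` may be missing, unwritable, or deleted while the program runs), as an added example that is not part of this thread or of Debian Policy. The package name ``examplepkg`` and the fallback location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed package: "examplepkg",
# preferred cache location /var/cache/examplepkg. The boot-time half of the
# arrangement would be a tmpfiles.d entry such as
#   d /var/cache/examplepkg 0755 examplepkg examplepkg -
# which this script does not depend on: it keeps working without it.

# select_cache_dir PREFERRED FALLBACK_PARENT
# Prints the directory to use: PREFERRED if it exists and is writable,
# otherwise a private (0700) directory created under FALLBACK_PARENT.
# Never fails merely because PREFERRED is absent.
select_cache_dir() {
    preferred=$1
    fallback_parent=$2
    if [ -d "$preferred" ] && [ -w "$preferred" ]; then
        printf '%s\n' "$preferred"
        return 0
    fi
    # 0700 so other users can neither read nor plant cache entries; the
    # cache is only a performance aid, so starting empty is acceptable.
    fallback="$fallback_parent/examplepkg-cache"
    mkdir -p -m 0700 "$fallback" || return 1
    printf '%s\n' "$fallback"
}

# cache_write DIR NAME DATA
# Stores DATA as DIR/NAME, re-creating DIR if an administrator removed it
# underneath us, and writing via a temporary file plus rename so a reader
# never sees a partially written entry.
cache_write() {
    dir=$1; name=$2; data=$3
    [ -d "$dir" ] || mkdir -p "$dir" 2>/dev/null || return 1
    tmp="$dir/.$name.tmp.$$"
    printf '%s' "$data" > "$tmp" || return 1
    mv -f "$tmp" "$dir/$name"
}

# cache_read DIR NAME
# Prints the cached data, or returns 1 on a miss (including the whole
# directory having vanished), which callers treat as "recompute".
cache_read() {
    dir=$1; name=$2
    [ -r "$dir/$name" ] && cat "$dir/$name"
}
```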