[aur-general] any rules for groupadd in .install files?

jwbirdsong jwbirdsong at jwbirdsong.homelinux.com
Fri Jul 16 09:51:01 EDT 2010


On 07/16/2010 07:37 AM, Christian Himpel wrote:
> hi,
> 
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
> 
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
> 
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
> 
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
> 
> do you have any other/better idea how to face the problem?
> 
> thank you very much in advance!
> 
> cheers,
> chressie
> 
> [1]: http://aur.archlinux.org/packages.php?ID=33695
> 
There is a list of current gid kep on the wiki
http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
Also search the arch-gen and arch-dev-public ML. There was some
discussion on one of them maybe 2-3 month ago


More information about the aur-general mailing list