[aur-general] any rules for groupadd in .install files?
jwbirdsong
jwbirdsong at jwbirdsong.homelinux.com
Fri Jul 16 09:51:01 EDT 2010
On 07/16/2010 07:37 AM, Christian Himpel wrote:
> hi,
>
> it happens that i'm the current maintainer of the go-hg[1] package in aur.
>
> currently the package installs in /opt/go. go has nice support for
> installing third-party packages (goinstall), but it's a security risk
> for people to goinstall these third-party libraries as root.
> by installing the gofiles with group 'go' and setting sgid bit for all
> (or only affected) directories this security flaw could be avoided (or
> at least reduced).
>
> so my question is: are there any rules or policies for packages, that
> call groupadd in the .install files?
>
> i saw that extra/qemu-kvm adds the group kvm with gid 78, so is there
> somewhere a list with `available' gids?
>
> do you have any other/better idea how to face the problem?
>
> thank you very much in advance!
>
> cheers,
> chressie
>
> [1]: http://aur.archlinux.org/packages.php?ID=33695
>
There is a list of current gids kept on the wiki:
http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
Also search the arch-gen and arch-dev-public ML. There was some
discussion on one of them maybe 2-3 months ago.
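
The group-plus-setgid layout proposed in the quoted question, sketched as pacman .install hooks. This is an added example, not part of the thread or of the go-hg package: the helper names share_tree and audit_tree are hypothetical, and it assumes the group is created with groupadd -r (system-assigned gid) instead of a fixed number.

```shell
#!/bin/sh
# Added example: hypothetical .install hooks, not the go-hg package's own file.
GO_ROOT=${GO_ROOT:-/opt/go}   # install prefix named in the thread
GO_GROUP=${GO_GROUP:-go}      # group name proposed in the thread

# Hand every directory under $1 to group $2, group-writable and setgid,
# so files created there inherit the group instead of the creator's.
share_tree() {
    tree=$1
    group=$2
    [ -d "$tree" ] || return 1
    chgrp -R "$group" "$tree" || return 1
    find "$tree" -type d -exec chmod g+ws {} + || return 1
    # Existing files become group-writable; nothing is opened to "other".
    find "$tree" -type f -exec chmod g+w {} +
}

# Audit helper: print directories under $1 that lost the setgid bit,
# belong to a group other than $2, or are world-writable.
audit_tree() {
    find "$1" -type d \( ! -perm -2000 -o ! -group "$2" -o -perm -0002 \) -print
}

post_install() {
    # Assumption: let the system pick a free system gid (-r), no hard-coded number.
    getent group "$GO_GROUP" >/dev/null || groupadd -r "$GO_GROUP"
    share_tree "$GO_ROOT" "$GO_GROUP"
}

post_upgrade() {
    post_install
}
```

Users added to the group can then write under the prefix without root, and audit_tree gives a quick check that no directory has drifted from the intended mode.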