[aur-general] Software packaging - Security question

Felix Yan felixonmars at gmail.com
Thu Jan 10 05:43:20 EST 2013


On Thursday, January 10, 2013 11:36:25 AM Nuno Araujo wrote:
> Hi
> 
> I am trying to create a package for the subvein[1] game.
> 
> Installation instructions[2] of the game say to simply uncompress the
> tar.gz archive in a folder and run the "Subvein" program.
> 
> No problem with that. But then when running the game, it tries to store
> information in its "data" folder (logs, configuration, user
> profiles...). We have a permission problem.
> 
> To work around this problem, I:
> - Create a group named "subvein";
> - set the setgid bit for the game "data" folder and all its sub-folders;
> - set the game "data" folder and all its content group writable;
> - set the group of the game "data" folder to the "subvein" group.
> - Created a wrapper bash script that changes the umask to 002 and then
> launches the game.
> 
> This way, all the contents created by the game will belong to the
> "subvein" group and will be group writable, so that anyone can use the
> game.
> 
> Is this a valid way of doing it? Are there any security concerns I need
> to take into account?
In a multi-user environment this would fail, so the game save _should_ be 
kept under $HOME. Don't know if there's a good way to do it, though, 
maybe someone else could help with this.

> 
> The game has also a "server" part. I still haven't started to handle this
> in the package, but was thinking to do the following:
> 
> - Create a user named subvein that belongs only to the subvein group.
> - Create a systemd .service file that runs the server program as the
> subvein user.
> 
> Does this seem OK as an approach?
I think this part is OK and nice :)

> 
> 
> Thank you for your help.
> 
> P.S. You can find my "draft" of the PKGBUILD, the install script and the
> bash wrapper attached.
> 
> 
> [1] http://subvein.net/
> [2] http://subvein.net/download.php

-- 
Felix Yan
Twitter: @felixonmars
Wiki: http://felixc.at
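
One way to keep the game's writable files under $HOME, as the reply above suggests, shown as an added example that is not part of the original thread or the attached wrapper: a launcher that builds a per-user tree of symlinks to a read-only install and seeds a private copy of "data" on first run, so no shared group or setgid folder is needed. Assumptions: the install path /opt/subvein, the wrapper name subvein, the XDG data location, and that the game resolves "data" relative to its working directory.

```shell
#!/bin/bash
# Added example: per-user launcher for the game (not the wrapper from the thread).
# Assumed: install path, wrapper name "subvein", game resolves "data" from its cwd.
SUBVEIN_INSTALL="${SUBVEIN_INSTALL:-/opt/subvein}"  # root-owned, not writable by users

# Build a private tree for one user: symlink shared files, copy "data" once.
prepare_user_tree() {
    local install="$1" user_dir="$2" entry name
    if [ ! -d "$install/data" ]; then
        echo "subvein: no data folder in $install" >&2
        return 1
    fi
    # umask 077 in a subshell: the tree is private without changing the game's umask.
    ( umask 077; mkdir -p "$user_dir" ) || return 1
    # Refuse a directory that is a symlink or owned by another account.
    if [ -L "$user_dir" ] || [ ! -O "$user_dir" ]; then
        echo "subvein: refusing to use $user_dir" >&2
        return 1
    fi
    for entry in "$install"/*; do
        name="${entry##*/}"
        if [ "$name" = data ]; then continue; fi
        ln -sfn "$entry" "$user_dir/$name"   # program files stay shared and read-only
    done
    # First run only: seed a writable copy of the shipped defaults.
    if [ ! -e "$user_dir/data" ]; then
        ( umask 077; cp -R "$install/data" "$user_dir/data" ) || return 1
    fi
}

main() {
    local user_dir="${XDG_DATA_HOME:-$HOME/.local/share}/subvein"
    prepare_user_tree "$SUBVEIN_INSTALL" "$user_dir" || exit 1
    cd "$user_dir" || exit 1
    exec ./Subvein "$@"
}

# Run only when invoked under the wrapper's name, so the functions can be sourced.
case "${0##*/}" in
    subvein) main "$@" ;;
esac
```

Later runs leave an existing per-user "data" folder untouched, so a package upgrade replaces the shared program files without overwriting any user's saves.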