[opensuse-packaging] New lightdm user and group
Hello,

I'd like to ask for a new user and group lightdm to be registered for the LightDM display manager which I intend to submit to Factory. This is necessary to safely run greeters, the following non-standard directory ownership and permissions are needed:

/var/run/lightdm lightdm:lightdm 751
/var/log/lightdm lightdm:lightdm 750
/var/lib/lightdm lightdm:lightdm 750

The package is X11:xfce/lightdm.

--
Guido Berhoerster
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging+help@opensuse.org
Comments inside

On Tue, 26 Jul 2011 00:49, Guido Berhoerster <gber@...> wrote:
> Hello,
> I'd like to ask for a new user and group lightdm to be registered for the LightDM display manager which I intend to submit to Factory. This is necessary to safely run greeters, the following non-standard directory ownership and permissions are needed:
> /var/run/lightdm lightdm:lightdm 751

Please be aware that the /var/run directory may be / will be a tmpfs. So lightdm would have to create this dir itself (either inside the program or in the start script, be aware of systemd), or at least check its existence before using it.

> /var/log/lightdm lightdm:lightdm 750
> /var/lib/lightdm lightdm:lightdm 750
> The package is X11:xfce/lightdm.
* Yamaban <foerster@lisas.de> [2011-07-26 11:24]:
> Comments inside
> On Tue, 26 Jul 2011 00:49, Guido Berhoerster <gber@...> wrote:
>> Hello,
>> I'd like to ask for a new user and group lightdm to be registered for the LightDM display manager which I intend to submit to Factory. This is necessary to safely run greeters, the following non-standard directory ownership and permissions are needed:
>> /var/run/lightdm lightdm:lightdm 751
> Please be aware that the /var/run directory may be / will be a tmpfs. So lightdm would have to create this dir itself (either inside the program or in the start script, be aware of systemd), or at least check its existence before using it.

I am, it is ghosted and will be recreated with proper permissions by lightdm.

--
Guido Berhoerster
On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
> /var/run/lightdm lightdm:lightdm 751
> /var/log/lightdm lightdm:lightdm 750
> /var/lib/lightdm lightdm:lightdm 750
> The package is X11:xfce/lightdm.

Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).

--
Best Regards / S pozdravom,
Pavol RUSNAK, SUSE LINUX, s.r.o
openSUSE Boosters Team, Lihovarska 1060/12
PGP 0xA6917144, 19000 Praha 9
prusnak[at]opensuse.org, Czech Republic
Pavol Rusnak wrote:
> On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
>> /var/run/lightdm lightdm:lightdm 751
>> /var/log/lightdm lightdm:lightdm 750
>> /var/lib/lightdm lightdm:lightdm 750
>> The package is X11:xfce/lightdm.
> Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).

Almost. Log directories shouldn't be writable by the daemon user¹.

cu
Ludwig

[1] http://article.gmane.org/gmane.comp.security.oss.general/4404

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
* Ludwig Nussel <ludwig.nussel@suse.de> [2011-07-29 14:55]:
> Pavol Rusnak wrote:
>> On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
>>> /var/run/lightdm lightdm:lightdm 751
>>> /var/log/lightdm lightdm:lightdm 750
>>> /var/lib/lightdm lightdm:lightdm 750
>>> The package is X11:xfce/lightdm.
>> Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).
> Almost. Log directories shouldn't be writable by the daemon user¹.

Greeters are exec'd as the "lightdm" user and need to create their logfiles somehow.

GDM seems to do the same, from GNOME:Factory/gdm gdm.spec:

%attr(750,gdm,gdm) %dir %{_localstatedir}/log/gdm

--
Guido Berhoerster
* Guido Berhoerster <gber@opensuse.org> [2011-07-29 16:21]:
> * Ludwig Nussel <ludwig.nussel@suse.de> [2011-07-29 14:55]:
>> Pavol Rusnak wrote:
>>> On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
>>>> /var/run/lightdm lightdm:lightdm 751
>>>> /var/log/lightdm lightdm:lightdm 750
>>>> /var/lib/lightdm lightdm:lightdm 750
>>>> The package is X11:xfce/lightdm.
>>> Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).
>> Almost. Log directories shouldn't be writable by the daemon user¹.
> Greeters are exec'd as the "lightdm" user and need to create their logfiles somehow.
> GDM seems to do the same, from GNOME:Factory/gdm gdm.spec:
> %attr(750,gdm,gdm) %dir %{_localstatedir}/log/gdm

Looking at an actual system with gdm running /var/log/gdm has the sticky bit set (does gdm chmod it?) which seems like a solution to the issue. So should I use

/var/log/lightdm root:lightdm 1770

instead?

What do I need to do in order to get this into the rpmlint list of allowed users?

--
Guido Berhoerster
Guido Berhoerster wrote:
> * Guido Berhoerster <gber@opensuse.org> [2011-07-29 16:21]:
>> * Ludwig Nussel <ludwig.nussel@suse.de> [2011-07-29 14:55]:
>>> Pavol Rusnak wrote:
>>>> On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
>>>>> /var/run/lightdm lightdm:lightdm 751
>>>>> /var/log/lightdm lightdm:lightdm 750
>>>>> /var/lib/lightdm lightdm:lightdm 750
>>>>> The package is X11:xfce/lightdm.
>>>> Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).
>>> Almost. Log directories shouldn't be writable by the daemon user¹.
>> Greeters are exec'd as the "lightdm" user and need to create their logfiles somehow.
>> GDM seems to do the same, from GNOME:Factory/gdm gdm.spec:
>> %attr(750,gdm,gdm) %dir %{_localstatedir}/log/gdm
> Looking at an actual system with gdm running /var/log/gdm has the sticky bit set (does gdm chmod it?) which seems like a solution to the issue. So should I use
> /var/log/lightdm root:lightdm 1770
> instead?

That doesn't make it better and gdm isn't necessarily a role model :-) The clean solution would be to have the master process running as root create the log files before spawning child processes as unprivileged user. However, this is not a grave problem as long as you don't use logrotate.

> What do I need to do in order to get this into the rpmlint list of allowed users?

Nothing, I just made the change. Filing a submit request against rpmlint is sufficient for this case, there is no formal process for registering users (yet).

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
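The approach described in the message above (the master creates the log file itself, then hands it to the unprivileged child), as an added C example that is not LightDM's code and not from anyone in this thread. The function names, the 0640 mode and the ownership, symlink and link-count checks are assumptions for illustration; the privilege drop is skipped when the caller already runs as the target uid/gid.

```c
#define _GNU_SOURCE            /* for setgroups() */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Master side: open a fresh log in a directory only the master can write; -1 if unsafe. */
int open_child_log(const char *logdir, const char *name)
{
    struct stat st;
    int fd, dfd = open(logdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Directory must be owned by the master and not group/other-writable. */
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    /* O_NOFOLLOW: refuse a symlink sitting at the log's name. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    close(dfd);
    /* Accept only a singly linked regular file, then start it empty. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || ftruncate(fd, 0) != 0)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Fork a child whose stderr is log_fd, drop to uid/gid, exec argv; returns pid or -1. */
pid_t spawn_with_log(int log_fd, uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid != 0)
        return pid;
    if (dup2(log_fd, STDERR_FILENO) < 0)
        _exit(126);
    /* Drop supplementary groups, then gid, then uid; skip if already there. */
    if ((uid != geteuid() || gid != getegid()) &&
        (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0))
        _exit(126);
    execv(argv[0], argv);
    _exit(127);
}
```

The child only ever holds an open descriptor for its own log, so it needs no write permission on the log directory.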
* Ludwig Nussel <ludwig.nussel@suse.de> [2011-08-01 09:27]:
> Guido Berhoerster wrote:
>> * Guido Berhoerster <gber@opensuse.org> [2011-07-29 16:21]:
>>> * Ludwig Nussel <ludwig.nussel@suse.de> [2011-07-29 14:55]:
>>>> Pavol Rusnak wrote:
>>>>> On 07/26/2011 12:49 AM, Guido Berhoerster wrote:
>>>>>> /var/run/lightdm lightdm:lightdm 751
>>>>>> /var/log/lightdm lightdm:lightdm 750
>>>>>> /var/lib/lightdm lightdm:lightdm 750
>>>>>> The package is X11:xfce/lightdm.
>>>>> Security team: is this the correct setup we could use? (User and group are created in %pre scriptlet of the package).
>>>> Almost. Log directories shouldn't be writable by the daemon user¹.
>>> Greeters are exec'd as the "lightdm" user and need to create their logfiles somehow.
>>> GDM seems to do the same, from GNOME:Factory/gdm gdm.spec:
>>> %attr(750,gdm,gdm) %dir %{_localstatedir}/log/gdm
>> Looking at an actual system with gdm running /var/log/gdm has the sticky bit set (does gdm chmod it?) which seems like a solution to the issue. So should I use
>> /var/log/lightdm root:lightdm 1770
>> instead?
> That doesn't make it better and gdm isn't necessarily a role model :-) The clean solution would be to have the master process running as root create the log files before spawning child processes as unprivileged user. However, this is not a grave problem as long as you don't use logrotate.

Right, the above would prevent the lightdm daemon log being overwritten by a rogue greeter though. logrotate is no issue since logs are overwritten on restart as with other display managers.

>> What do I need to do in order to get this into the rpmlint list of allowed users?
> Nothing, I just made the change. Filing a submit request against rpmlint is sufficient for this case, there is no formal process for registering users (yet).

OK, thanks.

--
Guido Berhoerster
participants (4)
- Guido Berhoerster
- Ludwig Nussel
- Pavol Rusnak
- Yamaban