Hi Laszlo,

thanks for the feedback, I'll have another go at this later, as you have seen I've misunderstood the way this is implemented.

For me the goal was to have the file with group gnupg; if I want that users/processes of group gnupg can read it, I thought this is how it should be. And in #harmattan I've also got the advice from describing my problem that I should request chown to achieve that. That together with the error message "File not installed" caused some frustration on my end.

I agree with you that the bitching about aegis does not help us at all and we have to take it as it is. So I will read more of the documentation about this to get a better understanding how this is meant to work (in contrast to seeing it as a restriction that has to be worked around).

We also need some more aegis privileges in some other kde packages; at least I get errors that the cache can not be symlinked from /var/tmp etc.

Regards,
Andre

At Tuesday 25 October 2011 10:23:46 Laszlo Papp wrote:
> > I think this is acceptable on a typical "single user" device.
>
> I think it is a security principle violation, and it is more like just
> a workaround. I am not sure it will pass the OVI QA process, but
> certainly not recommended.
>
> I am trying to give you an example how to do it properly:
>
> debian/yourpackage.aegis:
>
> <aegis>
>   <request>
>     <credential name="UID::A"/>
>     <credential name="GID::B"/>
>     <for path="/usr/bin/helloworld"/>
>     <for path="/usr/sbin/foobar"/>
>   </request>
> </aegis>
>
> A: The user of the relevant file or/and directory you wanted to modify by
> chown
> B: The group of the relevant file or/and directory you wanted to
> modify by chown
>
> You can get those user and group by using "ls -lda"-like commands.
>
> /usr/bin/helloworld: The process one which would like to have the
> relevant access to the desired file or/and directory
> /usr/sbin/foobar: Another process which would like to have the
> relevant access to the desired file or/and directory
>
> Note that you request the credential for the process which needs to
> have the accesses and not the output file.
>
> If it is for maintainer scripts, it is better to use this:
> <request context="INSTALL">
> ...
> </request>
>
> In order to understand the logic: your process will run with the
> relevant user/group privileges, and you do not need to use chown
> because of this logic.
>
> Hope it helps. I am all for help, just ask if something is not clear. :)
>
> Best Regards,
> Laszlo Papp

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
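
A small check for a manifest of the shape quoted above, added here as an example (not code from the thread or from the Aegis tooling): it lists what each request asks for and flags `<for>` paths that are not executables shipped by the package, since the credential goes to the process and not to the data file. The function name, the sample manifest and the executable list are constructed for illustration; only the element and attribute names are taken from the message.

```python
import xml.etree.ElementTree as ET

# Constructed sample; "A" and "B" are the placeholders used in the message,
# and the second <for> path is a made-up data file.
SAMPLE = """<aegis>
  <request>
    <credential name="UID::A"/>
    <credential name="GID::B"/>
    <for path="/usr/bin/helloworld"/>
    <for path="/var/lib/example/keyring.dat"/>
  </request>
  <request context="INSTALL">
    <credential name="GID::B"/>
  </request>
</aegis>"""


def audit_manifest(xml_text, executables):
    """Return (requests, findings) for a manifest string.

    executables: set of executable paths the package installs (assumed input).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unterminated attribute or tag makes the whole manifest unusable.
        return [], [f"malformed XML: {exc}"]

    requests, findings = [], []
    if root.tag != "aegis":
        findings.append(f"unexpected root element <{root.tag}>")
    for idx, req in enumerate(root.iter("request"), start=1):
        creds = [c.get("name", "") for c in req.findall("credential")]
        paths = [f.get("path", "") for f in req.findall("for")]
        requests.append({"context": req.get("context"),
                         "credentials": creds, "paths": paths})
        if not creds:
            findings.append(f"request {idx}: no <credential> requested")
        for path in paths:
            if path not in executables:
                findings.append(f"request {idx}: {path} is not a packaged "
                                "executable; request for the process instead")
    return requests, findings


if __name__ == "__main__":
    reqs, issues = audit_manifest(SAMPLE, {"/usr/bin/helloworld"})
    for r in reqs:
        print(r)
    for issue in issues:
        print("WARN", issue)
```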
