On Wed, Aug 17, 2005, Ralf S. Engelschall wrote:
> On Wed, Aug 17, 2005, Matthias Kurz wrote:
>
> > Shouldn't all packages that use r_usr and/or r_grp get an option to
> > specify a "real" user/group ? Else, when someone gains access to one
> > package that uses r_usr/r_grp, he would also have access to files from
> > other packages. Also, this may support people who are "used" to use
> > special (common) users for such cases.
>
> We have those with_{user,group} options just in "amanda", "bacula"
> and one more package I cannot remember. And to be honest, the whole
> with_{user,group} I just accepted in those few packages because people
> wished it multiple times and I got tired of arguing and thought "well,
> it doesn't really hurt in those few packages, so ok".
>
> But the problem with those options is:
>
> 1. If we provide options for overwriting l_{m,r,n}{usr,grp} variables
> why don't we provide options for all those other nice l_xxx
> variables. ...
Nope, i spoke only about r_*, the "restricted" user/group.
My understanding for the necessity of such user/group is, that they can
do as few as possible harm, when they go wild. And the more packages exist,
that use the same "restricted" user the more packages are compromised,
when _one_ of them fails.
(mk)
--
Matthias Kurz; Fuldastr. 3; D-28199 Bremen; VOICE +49 421 53 600 47
>> Im prämotorischen Cortex kann jeder ein Held sein. (bdw) <<
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List openpkg-dev@openpkg.org
