On 2007/11/23 02:05, Soner Tari wrote:
> On Sat, 2007-11-17 at 13:54 +0000, Stuart Henderson wrote:
> > The attached version:
> >
> > - changes mkdir/chmod for an install in MESSAGE
> > - adds notes about permissions on /dev/pf
> > - calls setgid(), so /dev/pf only needs 640 not 644
> >   (the code already assumes that username == groupname so
> >   I didn't add a new config parameter)
>
> Hmm, I think there is a problem with /dev/pf permission changes you
> make. Since there may be other proxies which can use /dev/pf (like
> smtp-gated) and they have their own uid/gid's, we should not
> change /dev/pf's group to _p3scan. Thus the only option seems like
> having 644 on /dev/pf and no group change, or perhaps a common group for
> all proxies (the latter seems unlikely).

There are always more options :) here are some.

- a single 'pf-read-access' group and initgroups() in any software
  which needs to access it, then they can share a supplementary group

- mknod some more devices with the same major/minor but different
  ownership and let the user specify the filename

- open /dev/pf before dropping root and hold the FD, I didn't look to
  see how much reworking is needed of p3scan to do this but I think
  it's the most user-friendly option.
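
The third option above (open /dev/pf while still root, hold the descriptor, then drop privileges), as an added C example that is not part of the original message and is not p3scan's code. The function names `drop_to_user` and `open_then_drop` are hypothetical; the read-only open and the `_p3scan` account default are assumptions taken from the thread's discussion.

```c
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently switch to `user`. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups, then gid, then uid. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;                      /* unknown account: change nothing */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* If root can be regained, the drop did not stick. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open `dev` with the current (root) credentials, then drop to `user`.
 * Returns the still-open descriptor, or -1 with nothing left open. */
int open_then_drop(const char *dev, const char *user)
{
    int fd = open(dev, O_RDONLY);       /* assumption: read access suffices */
    if (fd < 0)
        return -1;
    if (drop_to_user(user) != 0) {
        close(fd);                      /* never keep the FD if still root */
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Defaults are the device and account named in the thread. */
    int fd = open_then_drop(argc > 1 ? argv[1] : "/dev/pf",
                            argc > 2 ? argv[2] : "_p3scan");
    if (fd < 0) {
        fprintf(stderr, "open or privilege drop failed\n");
        return 1;
    }
    printf("holding fd %d as uid %d\n", fd, (int)getuid());
    return 0;
}
```

With this pattern /dev/pf can stay root-owned with no group change, since the unprivileged process only ever uses the descriptor it inherited from its root phase.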