[packagers] File ownership!

Dag Wieers dag at wieers.com
Mon Nov 6 12:14:37 CET 2006


Hi Morten,

On Mon, 6 Nov 2006, Morten Kjeldgaard wrote:
> In the "good old days" when I started working with UNIX, most executables in
> /bin and /usr/bin were owned by user "bin". Only in the case that a program
> specifically needed root access, for example /bin/passwd, it would be owned by
> user 'root'. The advantage of this approach is that a programming error,
> buffer overrun or the like in some random program would not let people obtain
> root access. This is the reason that every /etc/password file on every *NIX
> machine on the planet  contains an entry for user bin.

How would root-ownership of a binary cause root-access when there's a 
buffer overrun? If you run it as a user, you can only exploit it with 
user-privileges, not root-privileges.

The only exception to this rule is when binaries are setuid _and_ the 
ownership is root. If I'm not mistaken, the bin-user is legacy and makes 
absolutely no difference.

 
> I think this is a good practice, and I have employed it in my packages ever
> since when. All it takes is to use the %defattr(-,bin,bin) in the %files
> section.

Since I don't think it matters and I don't think it is good practice 
either. It's very superficial really and people may somehow start to 
think it matters because it is being done. And if people think it matters 
where it doesn't that's where the trouble starts.


> I would like to suggest that RPMforge adopts this convention as well.

Besides that it doesn't make a difference and upstream isn't doing it 
anyway, it would add some complexity to the SPEC files (every SPEC file) 
that is really unwanted as well.

But if you have any references to documents that explain it with 
use-cases, I'm interested to read those.

Kind regards,
--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/   --
[all I want is a warm bed and a kind word and unlimited power]
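
The distinction drawn in the message above (file owner versus setuid bit), as an added example that is not part of the original post: a small audit that lists only the files whose execution changes the effective UID. The function names and the default `/usr/bin` path are assumptions, and the model is simplified (it ignores `nosuid` mounts, setgid and file capabilities).

```python
import os
import stat
import sys


def euid_after_exec(mode, owner_uid, caller_uid):
    """Effective UID of a process that caller_uid starts from this file.

    Simplified model (assumption): only a regular file with the setuid bit
    and an execute bit switches the effective UID to the file's owner.
    Without setuid, the owner (root, bin, anyone) does not affect it.
    """
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if stat.S_ISREG(mode) and (mode & stat.S_ISUID) and is_exec:
        return owner_uid
    return caller_uid


def privilege_changing_files(root_dir, caller_uid):
    """Return sorted (path, owner_uid) pairs for files that run as another UID."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if euid_after_exec(st.st_mode, st.st_uid, caller_uid) != caller_uid:
                hits.append((path, st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, owner in privilege_changing_files(target, os.getuid()):
        print(f"{path}: runs with effective UID {owner}")
```
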

