Subject: Re: #define name for non-root pkg_install tools
To: None <tech-pkg@netbsd.org>
From: Mark Funkenhauser <mfunkenhauser@rogers.com>
List: tech-pkg
Date: 04/28/2004 09:52:03
"Todd Vierling" <tv@duh.org> wrote in message
news:<Pine.NEB.4.58.0403291419540.12603@server.duh.org>...
> On Mon, 29 Mar 2004, Hubert Feyrer wrote:
>
> : > The diff follows. Of course, I'd like to choose a different name
for the
> : > symbol and put it into pkgtools/pkg_install/Makefile, rather than
potting an
> : > OS-specific symbol there. Is there a preferred naming convention
here? I
> : > was thinking "PKG_INSTALL_AS_NONROOT", but that sounds clunky.
> :
>
> * a warning is issed in pkg_delete if getuid() != 0. This is rather
> pointless in a gid-based administration system, and doubly so under
> Interix where even "Administrator" is not uid 0.
>
With Interix, there are potentially two different Administrator user
accounts:
localSystem+Administrator and PrincipalDomain+Administrator
(uid = 197108 and uid = 1049594 respectively)
The domain Administrator account is present only if your system is a
member of the domain.
The utility /bin/pdomain tells you what your principalDomain is.
And these accounts are treated specially by Interix. "Administrator"
user accounts are
granted special privileges and can bypass more security checks than
other user accounts
- even those accounts that may be members of the local system
"Administrators" account.
(Yes - Interix is not like Windows in this respect)
If given the choice, you should always use the 197108 uid account.
Using the numeric value is best because not all Windows systems
have an account with the symbolic name "Administrator" (due to admins
renaming accounts
or non-english Windows systems having a localalized form for name
'Administrator')
And using the symbolic name "Administrator" may not refer to the local
system account.
If the system is a member of a domain, the name "Administrator"
will be interpreted as the domain Administrator.
> : So it's system dependent - if the system in question doesn't really
know
> : how to do things w/o system privileges (and thus probably always
runs as
> : Administrator or so),
>
> That's not how it works. On Interix, "Administrator" does have system
level
> privileges, but so does any user of group "+Administrators".
Interix treats the Administrator user accounts specially - they are
somewhat more
powerful than users in the Administrators group.
The Posix Conformance Doc (PCD) on the SFU3.5 distribution media
summarizes the differences in the "appropriate privileges" section.
> Typically,
> system management on such systems is not done as the single
centralized user
> "Administrator".
Correct. A lot of users do not have access to the Administrator user
account
so they have to make do with being in the Administrators group.
So your scheme based on GID access is a good one.
>
> What do you think I should do with the changes to address the two
issues
> above?
I think what you've done so far is the correct approach.
The only question I have is whether you need to change the (getuid() ==
0) check
to a check if the user is privileged
(ie. is user an Administrator or a member of the local Administrators
group.
So the check becomes: getgroups(1000, grpbuf); does any gid in
grpbuf == 131616 )
I guess it depends if any of the pkg_* tools assume that the current
user is privileged.
Do the tools require chmod() or chown() or chgrp() to always succeed ?
mark