author | dholland <dholland> | 2010-07-08 04:57:36 +0000 |
---|---|---|
committer | dholland <dholland> | 2010-07-08 04:57:36 +0000 |
commit | 9e689c4c03b0ec62893440afe2981ccb6b505771 (patch) | |
tree | 2df7fde13e69eb07a9e22b7d3d36bc22d57f2fcf /mk/pkginstall | |
parent | bc6606bbb8a4f12844793098582638f3c0d58e4e (diff) | |
download | pkgsrc-9e689c4c03b0ec62893440afe2981ccb6b505771.tar.gz |
Begin cleanup of setgid game infrastructure.

* Introduce USE_GAMESGROUP, which causes the games user and group to
be made available.
* Retain SETGIDGAME as an alias for USE_GAMESGROUP. Describe it as
deprecated.
* Always define GAMES_USER, GAMES_GROUP, GAMEMODE, GAMEDIRMODE, and
GAMEDATAMODE, regardless of whether USE_GAMESGROUP is turned on or not.
* Define these variables in defaults/mk.conf instead of separately in
every platform/*.mk file. The definitions used to be the same for each
of these platforms anyway, except for some where they were randomly
missing or commented out for no clear reason, leading to broken game
packages.
* Handle all these variables properly when unprivileged.
* Update the comments/documentation for these variables.
* Describe GAMEOWN and GAMEGRP as deprecated. These need to be
retained as aliases for GAMES_USER and GAMES_GROUP respectively for
supporting packages that use bsd.*.mk but should otherwise not be
used.
* Add GAMEDATA_PERMS and GAMEDIR_PERMS using GAMEDATAMODE and
GAMEDIRMODE respectively.
* Fix a bug I noticed that was improperly mixing the "games" group
and "games" user.

Things this does *not* do:

- get rid of GAMES_USER, for which there should ultimately be no need.
- move the declaration/documentation/default value of USE_GAMESGROUP
to a suitable place. (It is currently where SETGIDGAME was, which is
suboptimal.)
- touch any of the games, all of which need updating with at least
s/SETGIDGAME/USE_GAMESGROUP/ and probably more.
- update the guide to explain how to handle games properly.

Also, it would be nice if using GAMES_GROUP without setting
USE_GAMESGROUP=yes caused an error but as far as I know there isn't
any particularly good way to arrange this right now.

Note that these changes may alter the build/install behavior of broken
game packages, e.g. some may silently become setgid when they weren't
before or things like that. If you run into any of this, file a PR.

While one might arguably bump the PKGREVISION of all games or other
packages using any of these variables as a precaution, that seems like
a bad idea. Instead, I think I will be bumping each game once it
itself has been fixed up to do everything the right way.
Diffstat (limited to 'mk/pkginstall')
-rw-r--r-- | mk/pkginstall/bsd.pkginstall.mk | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/mk/pkginstall/bsd.pkginstall.mk b/mk/pkginstall/bsd.pkginstall.mk index 5aa8f884ca2..da501ad3ab1 100644 --- a/mk/pkginstall/bsd.pkginstall.mk +++ b/mk/pkginstall/bsd.pkginstall.mk @@ -1,4 +1,4 @@ -# $NetBSD: bsd.pkginstall.mk,v 1.50 2010/06/15 19:23:56 joerg Exp $ +# $NetBSD: bsd.pkginstall.mk,v 1.51 2010/07/08 04:57:36 dholland Exp $ # # This Makefile fragment is included by bsd.pkg.mk and implements the # common INSTALL/DEINSTALL scripts framework. To use the pkginstall @@ -203,9 +203,14 @@ _PKG_USER_SHELL?= ${NOLOGIN} FILES_SUBST+= PKG_USER_HOME=${_PKG_USER_HOME:Q} FILES_SUBST+= PKG_USER_SHELL=${_PKG_USER_SHELL:Q} -# If SETGIDGAME == yes, then we need the "games" user and group. -.if defined(SETGIDGAME) && !empty(SETGIDGAME:M[yY][eE][sS]) -PKG_GROUPS+= ${GAMES_USER} +# If USE_GAMESGROUP == yes, then we need the "games" group. +# SETGIDGAME is a deprecated alias for USE_GAMESGROUP. +# +# For now we also create the "games" user; this should not be used and +# should be removed at some point. +.if (defined(USE_GAMESGROUP) && !empty(USE_GAMESGROUP:M[yY][eE][sS])) ||\ + (defined(SETGIDGAME) && !empty(SETGIDGAME:M[yY][eE][sS])) +PKG_GROUPS+= ${GAMES_GROUP} PKG_USERS+= ${GAMES_USER}:${GAMES_GROUP} .endif 
@@ -377,15 +382,30 @@ su-create-usergroup: ${_INSTALL_USERGROUP_UNPACKER} # SPECIAL_PERMS+= /path/to/suidroot ${SETUID_ROOT_PERMS} # # SETGID_GAMES_PERMS is a convenience definition to note an executable is -# meant to be setgid-game, and should be used as follows: +# meant to be setgid games, and should be used as follows: # # SPECIAL_PERMS+= /path/to/sgidgame ${SETGID_GAMES_PERMS} # +# GAMEDATA_PERMS and GAMEDIR_PERMS are convenience defintiions for files +# that are meant to be accessed by things that are setgid games. Because +# such files should normally be under ${VARBASE}, generally these +# definitions should be used roughly as follows: +# +# REQD_DIRS_PERMS+= /path/to/scoredir ${GAMEDIR_PERMS} +# REQD_FILES_PERMS+= /dev/null /path/to/scorefile ${GAMEDATA_PERMS} +# +# Note that GAMEDIR_PERMS should only be used when the game requires +# write access to scribble in its directory; many games do not, in which +# case REQD_DIRS instead of REQD_DIRS_PERMS can be used and GAMEDIR_PERMS +# is not needed. +# # Keywords: setuid setgid st_mode perms # SPECIAL_PERMS?= # empty SETUID_ROOT_PERMS?= ${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 4511 SETGID_GAMES_PERMS?= ${GAMES_USER} ${GAMES_GROUP} ${GAMEMODE} +GAMEDATA_PERMS?= ${GAMES_USER} ${GAMES_GROUP} ${GAMEDATAMODE} +GAMEDIR_PERMS?= ${GAMES_USER} ${GAMES_GROUP} ${GAMEDIRMODE} _INSTALL_PERMS_FILE= ${_PKGINSTALL_DIR}/perms _INSTALL_PERMS_DATAFILE= ${_PKGINSTALL_DIR}/perms-data |
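Review bot: In the @@ -203,9 +203,14 @@ hunk, the new `.if` repeats the same `:M[yY][eE][sS]` test for both USE_GAMESGROUP and SETGIDGAME, and the deprecated name is accepted without any notice to the package maintainer. Consider mapping SETGIDGAME onto USE_GAMESGROUP once, before this point, so the condition here tests a single variable, and consider emitting a warning when only SETGIDGAME is set so that packages get migrated. The added comment also says the "games" user "should not be used", yet `PKG_USERS+= ${GAMES_USER}:${GAMES_GROUP}` still creates it for every such package; it would help to say in the comment what still depends on the account, so it is clear when the line can be dropped.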
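Review bot: In the @@ -377,15 +382,30 @@ hunk, the two new definitions `GAMEDATA_PERMS?= ${GAMES_USER} ${GAMES_GROUP} ${GAMEDATAMODE}` and `GAMEDIR_PERMS?= ${GAMES_USER} ${GAMES_GROUP} ${GAMEDIRMODE}` add further dependents on GAMES_USER, which the comment in the earlier hunk marks for removal; since the access these files need comes from the setgid group, it is worth stating in the comment block why the owner is the games user rather than root, or changing the owner. The comment block should also say which mode values GAMEDATAMODE and GAMEDIRMODE are expected to carry (group-writable, not world-writable), because a reader of this file cannot see where they are defined. Minor: "defintiions" in the added comment should be "definitions".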