[Pkg-utopia-maintainers] Bug#1087525: polkitd: polkit-tmpfiles.conf overrides dpkg-statoverride
Michael Gold
michael at bitplane.org
Thu Nov 14 21:33:15 GMT 2024
Michael, thanks for the work-around.
On Thu, Nov 14, 2024 at 20:08:39 +0000, Simon McVittie wrote:
> setfacl -m group:staff:r-x /etc/polkit-1/rules.d
> setfacl -m user:michael:r-x /etc/polkit-1/rules.d
>
> which I believe neither dpkg nor systemd-tmpfiles will interfere with.
That was the first thing I tried, long ago; the access control lists get
deleted.
> The big advantage of the increasingly mis-named tmpfiles.d is that it's
> declarative, unlike maintainer scripts, which are imperative code that
> can in principle do absolutely anything, and as a result is difficult
> to analyze or reason about.
Out of curiosity, how do we tell whether it's mis-named or is just being
increasingly mis-used?
I like the idea of Debian packages being more declarative, but it seems
like something that ought to be handled by dpkg, which could maybe do a
better job of respecting areas such as /etc that are meant to be mostly
under administrator control (for example, when I've changed a file, I'm
prompted about whether to replace it with a new version).
A similar problem came up recently in Debian bug #1074076. The file(s)
can't be initially installed with proper ownership, because the owner is
a dynamic user and may not exist yet; so the postinst script needed to
run "adduser" and "chown", but it'd be nicer to do both declaratively.
(It was also noted that checking dpkg-statoverride is a hack.)
> if the upstream- or distro-provided permissions *changed*, that change
> would not be reflected on existing systems (unless applied redundantly
> by imperative code in the maintainer script), and that's maybe bad.
I think all that matters for your stated goal is that the directory is
not world-accessible when created. Even that doesn't really matter till
an administrator starts to change settings there; the installed list of
packages, and their default rules, are publically available.
-- Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20241114/402441d8/attachment.sig>
More information about the Pkg-utopia-maintainers
mailing list