ubuntu-appstore-developers team mailing list archive

Re: Click package hooks

 

On Mon, Jul 15, 2013 at 11:25:39PM -0400, Ted Gould wrote:
> On Mon, 2013-07-15 at 13:31 -0500, Jamie Strandboge wrote:
> > On 07/13/2013 12:15 AM, Ted Gould wrote:
> > > There should be two types of hooks, system and user.  System hooks run as the
> > > click package user and are expected to do things that are system wide.  User
> > > hooks run as the user installing the program and are meant to set up items in
> > > the user's individual home directory.  (Q: Is the click package user enough for
> > > security?  Do system hooks need to be root?)
> > 
> > From a security point of view, we prefer the system click hooks to run with the
> > least amount of privilege at all times, which is why we recommended a
> > non-privileged click user. This is easy enough for things like unpacking and
> > maintaining things in /opt/click.ubuntu.com/, but some hooks such as the
> > apparmor click hook will need to run as root for at least part of the time (eg
> > to load apparmor policy into the kernel).
> 
> Then do you expect the click installer to run as root?  Or that the
> apparmor hook would be setuid?  How do you expect the permission
> transitions to work?

click runs as root and drops privileges as appropriate.

As for system hooks, how about we add a User field to the hook which
specifies the user name they run as?  That would save writing similar
privilege-dropping code in multiple hooks.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]
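
The privilege drop that a User field would let the installer do once on behalf of every hook, as an added example that is not part of the original message or of click's own code. The `Key: value` hook layout, the `clickpkg` account name and all function names are assumptions, and rejecting a hook that has no User field is a choice made for this sketch.

```python
import os
import pwd
import shlex
import subprocess

# Constructed hook definition. "User" is the field proposed in the message
# above; the "Key: value" layout and the other field names are assumptions.
SAMPLE_HOOK = """\
Exec: /bin/sh -c 'id -u'
User: clickpkg
"""

def parse_hook(text):
    """Parse 'Key: value' lines; a hook with no User field is rejected."""
    fields = {}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed hook line: %r" % line)
        fields[key.strip()] = value.strip()
    if "User" not in fields:
        raise ValueError("hook must name the user it runs as")  # fail closed
    return fields

def drop_privileges(uid, gid, name):
    """Permanently become uid/gid. Order matters: groups, gid, then uid."""
    if os.geteuid() != 0:
        if (uid, gid) != (os.getuid(), os.getgid()):
            raise PermissionError("not root; cannot switch to uid %d" % uid)
        return                    # already the target user, nothing to drop
    if uid == 0:
        return                    # hook declared root, e.g. to load kernel policy
    os.initgroups(name, gid)      # replace root's supplementary groups
    os.setgid(gid)                # before setuid, which removes the right to do this
    os.setuid(uid)                # as root: sets real, effective and saved uid
    try:
        os.setuid(0)              # verify root cannot be regained
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: root could be regained")

def run_hook(hook, getpwnam=pwd.getpwnam):
    """Run the hook's Exec command as the account named in its User field."""
    pw = getpwnam(hook["User"])   # KeyError if the account does not exist
    env = {"HOME": pw.pw_dir, "USER": pw.pw_name, "PATH": "/usr/bin:/bin"}
    return subprocess.run(
        shlex.split(hook["Exec"]), env=env, cwd="/",
        preexec_fn=lambda: drop_privileges(pw.pw_uid, pw.pw_gid, pw.pw_name),
    ).returncode
```

The drop happens in the child between fork and exec, so the installer process itself keeps root for the next hook while each hook command starts with a clean environment and no inherited supplementary groups.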

