On Wed, Jan 18, 2012 at 9:11 AM, Simon Josefsson <[email protected]> wrote: ... > Thanks for help! I'm not sure we need a group, typically these files > are never written by the yhsm-ksmsrv process, only read. So the user > can use u=r permissions and root can put the files under some other > group with write permissions?
I'm not sure how Debian defaults should be decided in a case like this, but I think there is cause for groups. For yubikey-ksm, we use a group shared with a provisioning system for new AEAD files (credentials). We do not want to run that provisioning system as root. For yubikey-val, there is a SQLite database with OATH credentials. I think it is quite possible that you would want to use for example a web service to add records to this SQLite database. Again, running as non-root so a shared group seems appropriate. Of course, if adding groups is frowned upon, the package could add a user without a group and this could be a manual step performed if needed by the administrator. > Perhaps we should also align the username with the directory basename in > /var/cache? It seems confusing to have the username be separate from > the basename of the home directory. ... or maybe it is the directory names that should be aligned. I chose the yhsm- usernames to make it more apparent which package installed them. Maybe "yubikey-ksm" is more explanatory than "yhsm-ksmsrv" though... I have no strong opinion either way. > I don't see any need for a shell, right Fredrik? No, that's probably an unfortunate remain from development when I wanted to 'su' to the service user. Just figured out you could do 'sudo -u user bash' though, so I'll get by with fewer shells from here on =). /Fredrik -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

