On 02/19/2015 06:19 AM, Ulrich Mueller wrote:
> Hi all,
>
> As decided by the Council in its 20140812 meeting [1],
> every developer is allowed to commit and maintain games ebuilds.
> Furthermore:
>
> | There is consensus amongst council members that specific policies
> | (e.g., games group, /usr/games hierarchy, and games.eclass) should
> | be settled by the QA team.
>
> In yesterday's meeting the QA team has unanimously accepted the
> following policies (see bug 537580 for details):
>
> 1. Directories /usr/games, /usr/games/bin, /usr/games/lib*,
> /usr/share/games, /var/games, /etc/games, and /opt must be owned by
> root:root and have permissions 755 (i.e. the default).
>
> This will require a small change in games.eclass, because
> currently prepgamesdirs() changes ownership of these directories to
> root:games and mode to 0750, so they are readable only by users
> that are members of the "games" group. With attached patch,
> games.eclass will no longer change permissions of the top-level
> directories (mostly, these are identical to the FHS locations).
>
> If a package needs access control, it can still change ownership
> and permissions of individual files, or of a subdir that it uses
> exclusively. Owner and permission bits of directories that are
> shared by multiple packages should be left alone, though.
>
> 2. A new group to allow setgid binaries to access shared
> score/state files will be created. The name of this group will be
> "gamestat".
>
> It is quite common for upstream packages to save shared scores or
> other state files under /var/games, and access them with the
> program (or a special helper) setgid to a low privilege group. In
> most distros, that group is called "games" (see for example
> Debian's policy in [2]).
>
> Unfortunately, the "games" group (gid 35) cannot be used for that
> purpose in Gentoo, because by the long-standing games.eclass policy
> it was/is used to control access to games. Therefore, regular users
> on many Gentoo systems will be in this group.
>
> Gid 36 is available and can be used for the new "gamestat" group. I
> don't think that we need a new eclass for this; creation of the
> group would be simply one line in pkg_setup():
>
>     enewgroup gamestat 36
>
> Ulrich
>
> [1] http://www.gentoo.org/proj/en/council/meeting-logs/20140812-summary.txt
> [2] https://www.debian.org/doc/debian-policy/ch-customized-programs.html#s11.11

When this becomes more widespread, what action are users urged to take
in order to "migrate" to the new system? Should our everyday user
account be removed from the `games` group, and should the group be
removed altogether?
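
A read-only check of the state this thread discusses, as an added example that is not part of the original posts or of games.eclass: it audits the directories from policy item 1 against root:root and mode 755, and lists the supplementary members of a group such as `games`. The function names, the optional root prefix and the group-file argument are assumptions made for the example; `stat -c` is the GNU coreutils form.

```sh
#!/bin/sh
# Added example (not from games.eclass). Function names and arguments are
# assumptions for illustration. Requires GNU stat (coreutils).

# audit_games_dirs [ROOT] [OWNER:GROUP] [MODE]
# Prints one line per shared games directory that deviates from the policy
# and returns 1 if any was found. ROOT lets you point it at a chroot or image.
audit_games_dirs() {
    root=${1:-}
    want_owner=${2:-root:root}
    want_mode=${3:-755}
    rc=0
    for d in "$root"/usr/games "$root"/usr/games/bin "$root"/usr/games/lib* \
             "$root"/usr/share/games "$root"/var/games "$root"/etc/games \
             "$root"/opt; do
        # skip absent dirs, an unmatched lib* glob, and symlinks
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        owner=$(stat -c '%U:%G' "$d")
        mode=$(stat -c '%a' "$d")  # setuid/setgid/sticky appear as a 4th digit
        if [ "$owner" != "$want_owner" ] || [ "$mode" != "$want_mode" ]; then
            printf 'NONCOMPLIANT %s owner=%s mode=%s\n' "$d" "$owner" "$mode"
            rc=1
        fi
    done
    return "$rc"
}

# group_members GROUP [FILE]
# Lists supplementary members of GROUP from a group(5) file, one per line.
# Accounts that have GROUP as their primary gid are not listed there.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}" |
        tr ',' '\n' | sed '/^$/d'
}
```

Called with no arguments, `audit_games_dirs` checks the live system and `group_members games` reads /etc/group; neither function changes anything.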