rpms/tinyerp/FC-3 tinyerp.spec,1.7,1.8
Paul Howarth
paul at city-fan.org
Fri Dec 16 10:14:56 UTC 2005
Dan Horák wrote:
> I think that I as the packager can say something too :-)
>
>
>>1. Why /bin/bash?
>>/bin/bash should _never_ be used for reserved accounts - It's a security
>>risk.
>>
>
>
> There are two things - running a pure application as root or having a
> user for it. Some real shell is needed because the startup script does
> "su -l tinyerp -c /tmp/real_startup_script". And only root can login to
> this account (at least on my FC4). If there is another way how to do
> it, please, let me know.

How about having /sbin/nologin as the shell for tinyerp and using:

    runuser -s /bin/sh -c /tmp/real_startup_script tinyerp

That's the equivalent of what I use in the bittorrent package.

This approach will still present a problem for anyone mounting /tmp with
the noexec option though. At the minimum I'd have the initscript use a
variable (configurable in /etc/sysconfig/tinyerp) for where to put the
real_startup_script, so that it can be run from some other directory.

Paul.
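
An added example, not part of the original message or of the tinyerp package: an initscript fragment that takes the script directory from /etc/sysconfig/tinyerp and starts the service with runuser while the account keeps /sbin/nologin. It goes one step beyond the message by refusing to start when that directory is mounted noexec. The variable TINYERP_SCRIPT_DIR, the function names and the sample mount table are assumptions.

```shell
# Added illustration. TINYERP_SCRIPT_DIR and all function names are assumptions.
# Constructed sample in /proc/mounts format, for trying the functions offline.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext3 rw,nodev 0 0'
if [ -r /etc/sysconfig/tinyerp ]; then . /etc/sysconfig/tinyerp; fi

# Print the mount options of the longest mount point that contains directory $1.
# $2 is an optional mount table; the default is the live /proc/mounts.
mount_opts_for() {
    dir=$1
    mounts=${2:-$(cat /proc/mounts)}
    best_len=-1 best_opts=
    while read -r _dev mp _fs opts _rest; do
        case "$dir/" in
            "${mp%/}/"*)
                if [ "${#mp}" -gt "$best_len" ]; then
                    best_len=${#mp}
                    best_opts=$opts
                fi ;;
        esac
    done <<EOF
$mounts
EOF
    printf '%s\n' "$best_opts"
}

# Succeed when directory $1 sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "${2:-}")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the directory for real_startup_script, or fail if nothing can run from it.
resolve_script_dir() {
    script_dir=${TINYERP_SCRIPT_DIR:-/tmp}
    if is_noexec "$script_dir" "${1:-}"; then
        echo "tinyerp: $script_dir is noexec; set TINYERP_SCRIPT_DIR" >&2
        return 1
    fi
    printf '%s\n' "$script_dir"
}

start() {  # the account's own shell stays /sbin/nologin; -s supplies /bin/sh
    dir_ok=$(resolve_script_dir) || return 1
    runuser -s /bin/sh -c "$dir_ok/real_startup_script" tinyerp
}
```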