On Sun, Dec 27, 2020 at 11:32 PM Dan Čermák <dan.cermak@xxxxxxxxxxxxxxxxxxx> wrote: > I have not really looked into the source code, so forgive me if that is > obvious, but why is the snebu executable setuid? This is for 1) Privilege separation -- application owns the files in the target repository (/var/lib/snebu); you will typically be running the backup front-end (snebu-client) as root so it can read everything, but the snebu binary that gets called doesn't need root access. 2) Permissions model -- You can set up service user accounts for each host (client) that is submitting backups (so they can see only their own backup, or they can submit backups but not expire old backups [expiration permissions would be assigned to a separate maintenance user for further protection], etc.). This protects you in the case of a client compromise so an attacker can't delete all your backups. > The spec file is mostly good, I'd suggest a few changes though: > - use macros instead of hardcoded paths, e.g. %_bindir instead of > /usr/bin/ > - don't disable the debug package generation, Fedora packages must > include debuginfo versions > - replace make %{?_smp_mflags} with: > %set_build_flags > %make_build > - mark LICENSE.txt as %license and not as %doc > - there is no need to install the documentation under > /usr/share/doc/snebu manually, you can just add the following into > %files and rpmbuild will copy the files into the right place: > %doc readme.md > %doc snebu.adoc OK, will do. > - I'd recommend to replace the %pre check for the snebu user with a > systemd-sysusers config: > https://fedoraproject.org/wiki/Changes/SystemdSysusers I tried this initially but couldn't get it to work inside a VM booted from a Fedora Live image. I followed the instructions here: https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ and created the appropriate file snebu.sysusers, but the pre install with this line in it: %sysusers_create_compat %{SOURCE1} I'll test again with a full install in the VM instead of the live install and see if that makes a difference. Also, if I want the spec file to be compatible with older RHEL releases (that predate the %sysusers_create_compat macro), should that just be a separate spec for each version? or should I wrap the above in a conditional (test for the macro and fallback to manual account creation)? > And one general issue not directly related to rpmbuild itself: does your > Makefile honor the CFLAGS & LDFLAGS environment variables? Because if it > does not, then all the compiler hardening flags that %set_build_flags > inject will be just ignored. I'll add this in. Also the make file needed the $(CC) variable instead of gcc. Meanwhile, a couple additional questions. Right now I have a template of the spec file in the project's Git repo. Should the spec file be in its own repo (or possibly an orphaned branch of this repo)? That way all packaging-specific items can be versioned separately from the app itself. Secondly, I'll put the above Makefile modifications in shortly, but it may be a bit before the next posted release of Snebu. So for the purpose of the RPM, should I put them in as patches (that are owned by the rpm) until the next Snebu release comes out? Thanks. --Derek Pressnall _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx