That is absolutely insecure. Upstream should probably provide a way to provide overrides to those files, which probably means also dealing with prioritizing an override location over /usr/share defaults.
Some packages have used /opt to do things like this in the past. Personally, I try to avoid using /opt with system packages, because it differentiates how things are organized for packages in the root filesystem. Some options would be things like: $HOME/.config/<package>/... or some XDG directory for overrides. Regards, Kevin On Sat, Jul 31, 2021 at 01:26:00PM +0000, Vince via aur-general wrote: > Hi everyone! > Thank you for the help on the the thread eariler, I found the advice > and examples very useful. I have posted a request for review of my > PKGBUILD over IRC, but I would appreciate any criticism here too. > > I have uploaded the PKGBUILD, and two files that would come with it > (launcher.desktop and launcher.sh). There are a couple decisions I > made that are unconventional, so I'll list them here: > > 1. As George suggested, I renamed my package from `rexpaint-bin` to > just `rexpaint`, since there are no sources available. > > 2. The server hosting the program blocks Curl's user agent. As far as > I can tell, the convention is to use "Mozilla" as a user agent > instead. However, I have opted to use "PKGBUILD" as the agent, so I > avoid accidentally messing up any statistics that may be collected > upstream. > > 3. I have used standard package permissions as far as I can tell, > except for `/usr/share/rexpaint/images`. The program saves data > into this directory, so it must be 777. > > 4. I am not sure what to do with `/usr/share/rexpaint/data`. It > contains data such as fonts and palettes, which might be edited by > the user during usage. Right now I have assumed that the user will > not do that, so it is not listed in `$backup` and its mode is 755. > I have sent an email upstream asking about this, and am waiting for > a response. > > 5. The program tries to write logs into the Working Directory > (`/usr/share/rexpaint`), but it cannot do this because I have set > its mode to 755. However, giving the everyone write permissions in > `/usr/share/rexpaint` seems insecure. Please advise. > > As stated before, I have emailed upstream to ask if it's okay that I > publish this packaging to the repositories. This is not required by > the license, but I am too young to be making enemies, and it would be > nice to have some upstream. I will publish it when I get the goahead, > or if he takes more than 24h to reply. > > All feedback is appreciated. > > Thank you in advance, > Vincent -- Kevin Morris Software Developer Identities: - kevr @ Libera
signature.asc
Description: PGP signature
