Overview
Request 1180248 accepted
- Created by manfred999
- In state accepted
Request History
manfred999 created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
staging-bot added openSUSE:Factory:Staging:adi:6 as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:6"
staging-bot accepted review
Picked "openSUSE:Factory:Staging:adi:6"
darix accepted review
Accepted review for by_group opensuse-review-team request 1180248 from user staging-bot
anag+factory accepted review
Staging Project openSUSE:Factory:Staging:adi:6 got accepted.
anag+factory approved review
Staging Project openSUSE:Factory:Staging:adi:6 got accepted.
anag+factory accepted request
Staging Project openSUSE:Factory:Staging:adi:6 got accepted.
Why does the service need root permissions to begin with? Why not have the correct target users right in the service file?
1) This package, resp. its invocation mechanism, is modelled after the package mlocate, as it is intended to be able to replace the unsupported package mlocate, and therefore wants to support all features of mlocate.
2) mlocate originates in the SysV era, where one had to switch user with su. It has the feature that the sysadmin can choose in /etc/sysconfig/locate whether he/she wants to run the locate service as user root or user nobody (default), so either all files or only publicly visible files are harvested.
3) To my knowledge, systemd does not support a dynamic selection of the invoked user, so User=${RUN_UPDATEDB_AS} does not work.
So there are two possibilities, either invoke the service with User=nobody and do not support the user selection capability provided by mlocate, or use "su".
Side note: Originally, plocate is invoked as root with the SETGID bit set to collect all data. At query time, output is filtered according to the invoking user. As SETUID/SETGID flags are not very appreciated in general, I decided to remove the set-group bit and do things the same way as mlocate does.
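The "start as root, then switch with su" approach from the reply above, as an added sketch that is not the plocate package's own script: it reads RUN_UPDATEDB_AS from the sysconfig file without sourcing it (so nothing in that file runs as root) and accepts only the two accounts the reply names. The function names, and passing the command to run as arguments, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, not taken from the plocate package.

# Print the RUN_UPDATEDB_AS value from a sysconfig-style file. The file is
# parsed line by line, never sourced, so it cannot execute code as root.
# A missing file or missing key yields the default the reply names: nobody.
read_run_as() {
    conf=$1
    value=
    [ -r "$conf" ] || { printf '%s\n' nobody; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            RUN_UPDATEDB_AS=*)
                value=${line#RUN_UPDATEDB_AS=}
                # Strip one pair of surrounding double or single quotes.
                value=${value#\"}; value=${value%\"}
                value=${value#\'}; value=${value%\'}
                ;;
        esac
    done < "$conf"
    printf '%s\n' "${value:-nobody}"
}

# Allow-list check: only root or nobody, as described in the reply.
# Anything else (including trailing shell syntax) is refused.
resolve_user() {
    user=$(read_run_as "$1")
    case $user in
        root|nobody) printf '%s\n' "$user" ;;
        *) echo "refusing RUN_UPDATEDB_AS value: $user" >&2; return 1 ;;
    esac
}

# Usage: run_as_configured CONF COMMAND [ARGS...]
# Runs COMMAND directly when root is selected, otherwise through su.
# "-s /bin/sh" is needed because nobody usually has no login shell.
run_as_configured() {
    user=$(resolve_user "$1") || return 1
    shift
    if [ "$user" = root ]; then
        exec "$@"
    else
        exec su -s /bin/sh "$user" -c 'exec "$@"' sh "$@"
    fi
}
```

A unit started this way still needs root only for the su step; with a fixed `User=nobody` in the service file the wrapper is unnecessary, at the cost of the user selection described above.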