Thank you both for replying.
The application I am packaging is mlocate (an implementation of the Unix locate program).
As you probably know, this is used to find (locate ) files on the filesystem in a quick way.
This application has two components:
- One that runs regularly as root (so it has access to all files), and collects file names in a database file.
- A second one, the userfacing binary, which reads that database and matches a parameter the user gives it.
Now, as there is a security issue with any user having access to those filenames stored in the database (after all, any user should not just be able to learn about any filenames of another user), the security mechanism used is that the database is stored with these permissions:
-rw-r----- 1 root locate 39663589 Nov 11 03:27 /var/lib/mlocate/mlocate.db
locate binary then is installed with these:
-rwx--s--- 1 root locate 38448 Mar 6 2019 /usr/bin/locate
So this way, only users in the
locate group can execute and therefore read the filename database.
In the upstream implementation (see here for the source) this group name is given at compile time (and compiled into the binary through config.h), and in the case of an spec/rpm packaging, again in the
Now with SFOS, that didn’t use to be a problem, I just use the
nemo group instead of
locate and everything is fine. Now with the situation in 3.4 multi-user, things aren’t as easy any more. I can not hardcode a group name anymore in the call to configure or make. It can either be
nemo depending on the installing device.
So either I have to do two separate builds, in which case I have to have a way to encode into the RPM which is the correct one for pkcon/zypper to select. Or I ship an RPM with both binaries and handle the wrong one in a
post script. Neither is very good.
I can also, like most regular Linux distributions do, create a new Unix group on the installing system. I also would like to avoid that if possible.
The best way would be if there was a defined UNIX group that is neither
defaultuser, but a third one that is stable among all devices, but secondary users will never be in that group. Hence my question.