Getting directory permissions correct and consistent
between packages is a common problem in distributions;
it's often made worse by sets of packages that attempt
to be installable across multiple versions of the OS.
This is a resolvable problem in the small, but getting
all packages consistent everywhere is clearly untenable,
especially if directory permissions change over time.
Several ways of dealing with this problem suggest themselves:
0) Continue as we have been.
   Pro - easy to do
   Con - annoying verification errors, inconsistent
         results depending on order of package installation.

1) Fail package installation if new package has different
   permissions than existing (already installed) directories.
   Pro - easy, solves consistency problem
   Con - pushes problem onto user of package, since
         problem is caught at install time. Makes changes
         very hard.

2) Define a directory permission in just one package,
   and make all packages that install into that directory
   depend on that package.
   Pro - easy to understand.
   Con - difficult to manage, leads to a lot of packages
         if granularity of directory installations is fine.
         ISV implementation more difficult.
Another approach that we're considering is the following:

*) Use a directory of template files (identified by pkg name)
   that define default directory permissions, uid & gid.
   In such a file, both explicit specifications and matching
   rules are permitted.

   For example, /etc/dirperms.d/SUNWcs might contain:

       /* user=root group=bin mode=755
       /usr user=root group=sys mode=755
       /var user=root group=sys mode=755
       /var/pkg/* user=root group=root mode=755

   Explicit matches are always favored over matching rules,
   and among matching rules the longest possible match is
   preferred.

   We anticipate that few packages will actually deliver such
   files; the default one in SUNWcs should do for most. Conflicting
   permissions in templates cause error messages.
*) The default directory permissions would be applied to
   * directories without explicit permissions
   * directories where package manifests explicitly
     conflict in directory permissions
We anticipate that this mechanism should greatly reduce the
difficulty of getting directory permissions correct, as most
packages can simply not specify them.
A possible problem is that different packages could deliver
conflicting template specifications. In this case, the
effect is undefined, and pkg verify will complain about
this situation.
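
The template lookup and fallback described above, as an added sketch (not code from pkg or from this proposal). Function names are hypothetical, and it assumes that "*" spans path separators, that mode values are octal, and that only the first definition of a pattern is kept when templates disagree.

```python
import fnmatch

# Constructed sample mirroring the /etc/dirperms.d/SUNWcs example above.
SUNWCS = """\
/* user=root group=bin mode=755
/usr user=root group=sys mode=755
/var user=root group=sys mode=755
/var/pkg/* user=root group=root mode=755
"""

def parse_template(text):
    """Parse 'pattern key=value ...' lines into {pattern: (user, group, mode)}."""
    rules = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pattern, *attrs = line.split()
        kv = dict(a.split("=", 1) for a in attrs)
        rules[pattern] = (kv["user"], kv["group"], int(kv["mode"], 8))
    return rules

def merge_templates(templates):
    """Merge per-package rule sets; list (pattern, pkg) pairs that disagree."""
    merged, conflicts = {}, []
    for pkg, rules in templates.items():
        for pattern, perms in rules.items():
            if merged.setdefault(pattern, perms) != perms:
                conflicts.append((pattern, pkg))  # would be an error message
    return merged, conflicts

def default_for(path, rules):
    """An explicit entry wins; otherwise the longest matching pattern."""
    if path in rules:
        return rules[path]
    hits = [p for p in rules if fnmatch.fnmatchcase(path, p)]
    return rules[max(hits, key=len)] if hits else None

def effective(path, declared, rules):
    """declared: perms from each manifest installing path (None = unspecified)."""
    explicit = {d for d in declared if d is not None}
    if len(explicit) == 1:
        return explicit.pop()        # manifests agree on explicit permissions
    return default_for(path, rules)  # none given, or manifests conflict
```
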