Recommendations for applications on ownership and permissions

Directory Write Permissions

The application should not depend on having directory write permission outside /tmp, /var/tmp, its home directory and /var/opt/<package>, where <package> is the name of the application package.

The application should not depend on owning these directories.

For these directories the application should be able to work with directory write permission restricted by the "sticky bit". (On a directory with the sticky bit set, only a file's owner, the directory's owner or root may remove or rename that file; other users cannot, even though they may create files in the directory. This is classically done with /tmp, to prevent accidental or malicious deletion of "foreign" files.)
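The following added example (not part of the original recommendations) shows, in Python, how an application can work inside a shared, sticky-bit directory such as /tmp without depending on owning it or on being able to delete other users' files. The helper names (shared_dir_status, create_private_file, can_remove, demo_in_temp_dir) are my own; the only assumptions are a POSIX system and the standard library.

```python
import os
import shutil
import stat
import tempfile


def shared_dir_status(path):
    """Describe a directory the application wants to write into.

    Reports the facts that matter under the guideline: whether we can write to
    it, whether we own it (which the application must NOT require), whether the
    sticky bit is set, and whether it is world-writable.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return {
        "writable": os.access(path, os.W_OK | os.X_OK),
        "owned_by_us": st.st_uid == os.geteuid(),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }


def create_private_file(directory, prefix="app-"):
    """Create a file in a shared (possibly sticky, world-writable) directory.

    tempfile.mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a symlink
    or file that another user pre-placed under a guessable name cannot be
    opened by mistake. A plain open(os.path.join(directory, "app.tmp"), "w")
    would follow such a symlink. Returns the path of the new file.
    """
    status = shared_dir_status(directory)
    if not status["writable"]:
        raise PermissionError(f"{directory} is not writable")
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    os.close(fd)
    return path


def can_remove(path):
    """Whether the current user may unlink `path`, mirroring the kernel rule.

    Without the sticky bit, write+search permission on the directory suffices.
    With it, only the file owner, the directory owner or root may remove the
    entry, so the application must not plan on deleting "foreign" files.
    """
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    dir_st = os.stat(parent)
    if not os.access(parent, os.W_OK | os.X_OK):
        return False
    if not dir_st.st_mode & stat.S_ISVTX:
        return True
    euid = os.geteuid()
    return euid == 0 or euid == os.lstat(path).st_uid or euid == dir_st.st_uid


def demo_in_temp_dir():
    """Exercise the helpers in a fresh sticky directory and return what was seen."""
    d = tempfile.mkdtemp(prefix="sticky-demo-")
    try:
        os.chmod(d, 0o1700)  # owner-only access, with the sticky bit set
        status = shared_dir_status(d)
        path = create_private_file(d)
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        removable = can_remove(path)
        os.remove(path)
        return {"status": status, "file_mode": file_mode, "removable": removable}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo_in_temp_dir())
```

The demo runs as the current user, so can_remove() reports True for the file it just created; the interesting case, a file owned by someone else in a sticky /tmp, is exactly the one where it returns False and the application must cope.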

File Write Permissions

The application should not depend on file write permission on files not owned by the user it runs as, with the exception of its personal inbox /var/mail/<username>.

File Read and execute Permissions

The application should not depend on having read (or execute) permission on every file and directory; it should cope with access being denied.

Suid and Sgid Permissions

The application should not depend on suid/sgid permissions on a file not packaged with the application. Instead, the distribution is responsible for all system commands having the required permissions and working correctly.

Rationale: Let us make security officers happy. Let's give them the freedom to take suid/sgid permissions away, as long as doing so does not break the system's functionality.

Privileged users

"Normal" applications should not depend on running as a privileged user.

Special applications that have a reason to run under a privileged user should outline these reasons clearly in their documentation, if they are not obvious, as in the case of a backup/restore program. Users of the application should be informed that "this application demands security privileges, which could interfere with system security".

The application should not contain binary-only software that it depends on running as root, as this makes security auditing harder or even impossible.

Changing permissions

The application should not change permissions of files and directories that are not part of its package. Doing so without a warning notice in the documentation is regarded as an unfriendly act.

Removable Media (CD-ROM, Floppy, ...)

The application should be prepared for removable media being mounted with any of the options "noauto", "nouser", "nosuid" or "nodev". The mount options "uid=X" and "gid=X" should also be expected, with a non-zero uid/gid value X, so that every file on the medium appears to be owned by that user and group regardless of what the medium records.

Rationale: System vendors and local system administrators want to run applications from removable media, but also want to control what the application can do.

Applications run from removable media should not depend on the user being logged in as a privileged user.
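The following added example (not part of the original recommendations) covers both the removable-media options above and the earlier rule about not depending on suid/sgid bits: a Python preflight check that reads /proc/mounts-style data, finds the mount a path lives on, and reports whether setuid, device nodes and execution are honoured there and whether a uid=/gid= owner is forced. SAMPLE_MOUNTS is a constructed sample, not captured from a real system, and the function names are my own; the only assumption is the Linux /proc/mounts line format.

```python
import os
import stat

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Not captured from a real system.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,uid=1000,gid=1000 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,uid=1000,gid=100,umask=022 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (mountpoint, option set) pairs."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        entries.append((mountpoint, set(fields[3].split(","))))
    return entries


def mount_for(path, entries):
    """Return (mountpoint, options) for the mount containing `path`, i.e. the
    mountpoint that is the longest prefix of the normalised path."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in entries:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    if best is None:
        raise LookupError(f"no mount found for {path}")
    return best


def media_constraints(path, mounts_text=None):
    """Summarise what the application may rely on for files under `path`.

    With mounts_text=None the live /proc/mounts is read. The result says
    whether setuid bits are honoured (no "nosuid"), whether device nodes are
    usable (no "nodev"), whether execution is allowed (no "noexec"), whether the
    medium is read-only, and the forced owner uid/gid if "uid="/"gid=" were given.
    """
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    mp, opts = mount_for(path, parse_mounts(mounts_text))

    def opt_value(name):
        for o in opts:
            if o.startswith(name + "="):
                return int(o.split("=", 1)[1])
        return None

    return {
        "mountpoint": mp,
        "setuid_honoured": "nosuid" not in opts,
        "devices_usable": "nodev" not in opts,
        "exec_allowed": "noexec" not in opts,
        "read_only": "ro" in opts,
        "forced_uid": opt_value("uid"),
        "forced_gid": opt_value("gid"),
    }


def setuid_helper_usable(helper_path, helper_mode, mounts_text=None):
    """Whether a setuid helper will actually gain privilege when executed.

    helper_mode is the file's st_mode (passed in rather than stat()ed so the
    check works on constructed data). The suid bit must be set AND the mount
    must honour it AND allow execution; a nosuid medium silently ignores the bit.
    """
    c = media_constraints(helper_path, mounts_text)
    return bool(helper_mode & stat.S_ISUID) and c["setuid_honoured"] and c["exec_allowed"]


if __name__ == "__main__":
    print(media_constraints("/media/cdrom/app/bin/tool", SAMPLE_MOUNTS))
    print(setuid_helper_usable("/media/cdrom/app/bin/tool", 0o104755, SAMPLE_MOUNTS))
```

On a real system call media_constraints(os.path.dirname(sys.argv[0])) at startup: if the result shows a forced uid or nosuid, the application knows not to assume file ownership or a working setuid helper on that medium and can fall back or refuse with a clear message instead of failing mysteriously later.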

Installable applications

If the installation of an application requires the execution of programs with superuser privileges, then these programs should (also) be supplied in a human-readable form.

Otherwise the local system administrator would have to blindly trust a piece of software that he cannot check for security.