Recommendations for applications on ownership and permissions

Directory Write Permissions

The application should not depend on having directory write permission outside /tmp, /var/tmp, its home directory and /var/opt/package (where package is the name of the application package).

The application should not depend on owning these directories.

For these directories the application should be able to work with directory write permissions restricted by the "sticky bit", which prevents the application from removing files owned by another user. (This is classically done with /tmp, to prevent accidental deletion of "foreign" files.)
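As an added illustration (not part of this document), the following Python code shows how an application can work in a /tmp-like directory without owning it and without assuming it may remove other users' files: it reports the three properties the recommendation names, creates its own files with unpredictable names and private mode, and on cleanup removes only files it owns, tolerating the EPERM that a sticky-bit directory returns for foreign files. The directory created in the usage block is a constructed stand-in for /tmp; the "app-" prefix is an assumed naming convention.

```python
import os
import stat
import tempfile

# Added example, not part of the standard: what an application may safely
# assume about a scratch directory such as /tmp, and how to clean up there
# without depending on owning the directory or on removing foreign files.

def describe_dir(path):
    """Report the three properties the recommendation talks about."""
    st = os.stat(path)
    return {
        "writable": os.access(path, os.W_OK | os.X_OK),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "owned_by_me": st.st_uid == os.geteuid(),
    }

def create_scratch_file(dirpath, prefix="app-"):
    """Create a private (0600), unpredictably named file in dirpath.
    mkstemp opens with O_CREAT|O_EXCL, so an existing foreign file of the
    same name can neither be reused nor clobbered."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=dirpath)
    os.close(fd)
    return path

def remove_own_files(dirpath, prefix="app-"):
    """Remove this user's files matching prefix and skip everything else.
    In a sticky-bit directory unlink of a foreign file fails with EPERM,
    so that failure is tolerated rather than treated as fatal."""
    removed, skipped = [], []
    me = os.geteuid()
    for name in sorted(os.listdir(dirpath)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(dirpath, name)
        if os.lstat(path).st_uid != me:
            skipped.append(name)
            continue
        try:
            os.unlink(path)
            removed.append(name)
        except PermissionError:
            skipped.append(name)
    return removed, skipped

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)  # constructed: a /tmp-like world-writable sticky directory
    print(describe_dir(d))
    created = create_scratch_file(d)
    print("created", created)
    print("cleanup", remove_own_files(d))
    os.rmdir(d)
```

The cleanup routine deliberately filters by ownership before calling unlink, so the application behaves the same whether or not the directory has the sticky bit set, and never relies on owning the directory itself.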

File Write Permissions

The application should not depend on file write permission on files not owned by the user it runs under, with the exception of its personal inbox /var/mail/username.

File Read and Execute Permissions

The application should not depend on having read permission to every file and directory.

Suid and Sgid Permissions

The application should not depend on the suid/sgid permissions of a file not packaged with the application. Instead, the distribution is responsible for assuming that all system commands have the required permissions and work correctly.

Rationale: Let us make security officers happy. Let's give them the freedom to take sgid/suid perms away, as long as they do not break the system's functionality.

Privileged users

"Normal" applications should not depend on running as a privileged user.

Special applications that have a reason to run under a privileged user should outline these reasons clearly in their documentation, if they are not obvious, as in the case of a backup/restore program. Users of the application should be informed that "this application demands security privileges, which could interfere with system security".

The application should not contain binary-only software that requires being run as root, as this makes security auditing harder or even impossible.

Changing permissions

The application should not change permissions of files and directories that do not belong to its own package. To do so without a warning notice in the documentation is regarded as an unfriendly act.

Removable Media (CD-ROM, floppy, etc.)

The application should be prepared for removable media being mounted with options such as "noauto", "nouser", "nosuid" or "nodev". Also, the mount options "uid=X" and "gid=X" should be anticipated, with a non-zero uid/gid value X.

Rationale: System vendors and local system administrators want to run applications from removable media, but want the possibility to control what the application can do.

Run-from-removable media applications should not depend on logging in as a privileged user.
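As an added example (not part of this document), the Python code below shows how an application can discover, at run time, which of the mount options named above apply to the medium it was started from: it parses /proc/mounts-style lines, finds the innermost mount containing a path, and turns the option list into the capabilities the application may rely on. The /proc/mounts lines are constructed sample data, and the mountpoints /media/cdrom and /media/usb are assumed names. "noauto" and "nouser" are fstab-time options that do not appear in /proc/mounts; their effect is that the medium may not be mounted at all when the application looks, which the lookup exposes by resolving the path to the parent filesystem instead of the expected mountpoint.

```python
import os

# Added example, not part of the standard. Constructed /proc/mounts content;
# a real application would read /proc/mounts (or call getmntent(3)).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,noexec,relatime,uid=1000,gid=1000 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime,uid=1000,gid=100,fmask=0022 0 0
"""

def parse_mount_options(opts):
    """'ro,nosuid,uid=1000' -> {'ro': True, 'nosuid': True, 'uid': '1000'}"""
    parsed = {}
    for item in opts.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        parsed[key] = value if sep else True
    return parsed

def find_mount(path, proc_mounts=SAMPLE_PROC_MOUNTS):
    """Return (mountpoint, fstype, options) of the mount containing path,
    choosing the longest matching mountpoint, i.e. the innermost mount."""
    path = os.path.normpath(path)
    best = None
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mnt, fstype, opts = fields[:4]
        mnt = mnt.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype, parse_mount_options(opts))
    return best

def media_capabilities(path, proc_mounts=SAMPLE_PROC_MOUNTS):
    """What an application living under path may rely on at run time.
    If the medium is not mounted (e.g. 'noauto' in fstab and nobody mounted
    it), 'mountpoint' is the parent filesystem rather than the medium."""
    mnt, _fstype, o = find_mount(path, proc_mounts)
    return {
        "mountpoint": mnt,
        "writable": "ro" not in o,
        "can_exec": "noexec" not in o,
        "suid_honoured": "nosuid" not in o,   # set-uid bits are ignored under nosuid
        "devices_usable": "nodev" not in o,   # device nodes are ignored under nodev
        "forced_uid": int(o["uid"]) if "uid" in o else None,  # every file appears owned by this uid
        "forced_gid": int(o["gid"]) if "gid" in o else None,
    }

if __name__ == "__main__":
    for p in ("/media/cdrom/app/bin/tool", "/media/usb/app", "/media/dvd/app"):
        print(p, media_capabilities(p))
```

An application that respects the recommendation checks these capabilities instead of assuming them: with "nosuid" it must not expect a helper binary to gain privileges, with "noexec" it must not expect to run binaries from the medium at all, and with "uid=X" it must not expect files on the medium to carry their original ownership.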

Installable applications

If the installation of an application requires the execution of programs with superuser privileges, such programs should also be supplied in a human-readable form.

Without this, the local system administrator would have to blindly trust a piece of software, particularly its security.