Home/ Questions/Q 7164449
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T14:04:39+00:00

So I’m making a debian package, but I’m having trouble with doing some permissions

  • 0

So I’m making a debian package, but I’m having trouble with doing some permissions settings that I want to do after all the files have been copied over. It’s a networked application and uses libpcap. So normally it would require root privileges, but that’s a big security problem. (Since any compromise in my program would mean full root access to the attacker) So instead, we go the route of creating a group with pcap permissions granted and then add the installing user to that group.

In the makefile it looks like:

setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/myProgram
groupadd -f myGroup
usermod -a -G myGroup $(SUDO_USER)

Which totally works fine if you run “sudo make install”. But when I try to do this inside a postinst script in a debian package, I get this:

var/lib/dpkg/info/myProgram-1.0.postinst: line 13: SUDO_USER: command not found
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user            new SELinux user mapping for the user account

Clearly because the $(SUDO_USER) variable is empty. How else is this done? Do I have to prompt the user for his/her username? That sounds awfully ugly.
Or maybe you’re just not supposed to do this kind of configuration in a debian package?

(IE: Wireshark has the same issue here, but they seem to just leave it up to the user, and not mess with permissions at installation at all.)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You got it right: You aren’t supposed to know the username of the “installing user”, since there might be none. Imagine your package is run by apt-cron, then the whole concept of “installing user” makes no sense.

    Add a system-wide group with the appropriate permissions and leave a message in the installation log that users need to be added to the group. Or, alternatively, use a pre-existing system group that might suit your purpose.

    • 0