6787f00 Run quota_nld service as tty group

Authored and Committed by ppisar 4 years ago
    Run quota_nld service as tty group
    
    quota_nld daemon writes to /dev/pts/N files that have 0620 mode and
    some_user:tty ownership.
    
    If the daemon runs as a systemd service, SELinux denies DAC_OVERRIDE
    capability that allows a root user to access files without matching
    permissions.
    
    We could fix it by adding a special SELinux rule, but SELinux
    considers DAC_OVERRIDE harmful and prefers fixing the file permissions
    instead.
    
    We could patch quota_nld source to setgid() to tty group, but the
    exact group name or ID varies among distributions. This is not
    upstreamable.
    
    We could patch quota_nld to fork and setgid() to a group equal to the
    targeted device group. But that seems way too complicated if we can
    simply patch systemd unit file to change group to "tty". Thus
    I selected this approach.
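
The permission reasoning in the commit message, as an added example that is not part of the commit or of the quota package: a small model of the Unix DAC write check, showing why a root process in group root needs DAC_OVERRIDE to write a 0620 some_user:tty terminal while a root process in group tty does not. The numeric IDs (1000 for some_user, 5 for tty) are constructed sample values, and ACLs and other capabilities are ignored.

```python
import stat

CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
PLAIN_DAC = "plain DAC"

# Constructed sample IDs; the real tty GID varies among distributions.
SOME_USER_UID = 1000
TTY_GID = 5
PTS_MODE = 0o620  # rw- for the owner, -w- for the group, --- for others


def dac_allows_write(mode, file_uid, file_gid, uid, gid, groups=()):
    """Classic Unix write check without capabilities or ACLs.

    Exactly one permission class is consulted: owner if the UID matches,
    otherwise group if any of the process's groups matches, otherwise other.
    """
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid == gid or file_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def write_requirement(mode, file_uid, file_gid, uid, gid, groups=()):
    """Return what a process needs in order to write the file."""
    if dac_allows_write(mode, file_uid, file_gid, uid, gid, groups):
        return PLAIN_DAC
    # UID 0 gets no bypass from the mode bits themselves; the bypass is the
    # capability, which is what SELinux denies to the confined service.
    return CAP_DAC_OVERRIDE


def quota_nld_cases():
    """The two service configurations discussed in the commit message."""
    pts = (PTS_MODE, SOME_USER_UID, TTY_GID)
    return {
        "root:root": write_requirement(*pts, uid=0, gid=0),
        "root:tty": write_requirement(*pts, uid=0, gid=TTY_GID),
    }


if __name__ == "__main__":
    for ids, need in quota_nld_cases().items():
        print(f"{ids:10} -> {need}")
```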
    
        
file modified
+4 -1
file modified
+1 -0