<!ENTITY % dynamicdata SYSTEM "dynamic.ent" > %dynamicdata;
<!-- CVS revision of this document -->
- <!ENTITY cvs-rev "$Revision: 1.278 $">
+ <!ENTITY cvs-rev "$Revision: 1.279 $">
<!-- if you are translating this document, please notate the CVS
revision of the original developer's reference in cvs-en-rev -->
<item>Configuration files should be readable by the system user, if they
contain sensitive information the system user should not own them unless there
is a need for it to write to its own configuration files. Typically this means
-that the configuration files are owned by group, belong to the group of the
-system user and are mode 0640.
+that the configuration files are owned by root and by the system group created
+by the package and are mode 0640.
-<item>The system user if it generates state files (such as pidfiles) should
-have a directory under <tt>/var/run</tt> owned by it. This directory should be
-recreated by the init.d script since the state directory might be wiped out
-after a system boot.
+<item>If the The system user generates state files (such as pidfiles) it will
+need to have a directory under <tt>/var/run</tt> owned by itself. It can be
+created by the package maintainers script but, since it can be wiped after a
+system reboot, it should be be recreated by the init.d script since the state
+directory.
<item>If the daemon logs directly to <tt>/var/log</tt> logfiles should be
writable by the system user but, once rotated, they should not be either owned
or writable by it to prevent it from overwritting old log entries if a security
vulnerability in the software were to be used. If the daemon logs to a
-directory under <tt>/var/log/</tt> then it should be owned by the system user
-and rotated log files need not be changed ownership.
+directory under <tt>/var/log/</tt> then the directory should be owned by the
+system user and rotated log files need not be changed ownership.
</list>
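Review bot: The rewritten /var/run item in the added lines still has editing leftovers: "If the The system user", "it should be be recreated", and the trailing fragment "since the state directory.", which no longer completes a sentence. Suggested wording: "If the system user generates state files (such as pidfiles) it will need a directory under /var/run owned by itself. The package maintainer scripts can create it but, since it can be wiped after a system reboot, the init.d script should recreate it." In the configuration files item, "owned by root and by the system group created by the package" reads as two owners; "owned by user root, with the group set to the system group created by the package" would be unambiguous alongside mode 0640. In the last item, a log directory owned by the system user lets that user rename or delete the rotated files inside it, which sits uneasily with the preceding sentence's aim of keeping old log entries out of its reach; the text should say why leaving ownership unchanged is acceptable in that case, and "need not be changed ownership" should become "need not change ownership".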