Add support for isolate group

2 files changed, 28 insertions, 2 deletions

diff --git a/PKGBUILD b/PKGBUILD
index 96ba19ef6e7b..5bb10cdf36a6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,8 +1,11 @@
 # Maintainer: William Di Luigi <williamdiluigi@gmail.com>
 
+# chosen at random
+ISOLATE_GID=29267
+
 pkgname=isolate
 pkgver=r58.e8894c4
-pkgrel=1
+pkgrel=2
 pkgdesc="Sandbox for securely executing untrusted programs"
 arch=('any')
 url="https://github.com/ioi/isolate"
@@ -16,6 +19,7 @@ makedepends=(
   'asciidoc'
 )
 provides=('isolate')
+install=$pkgname.install
 
 source=(
   'git://github.com/ioi/isolate.git'
@@ -36,5 +40,5 @@ build() {
 
 package() {
   mkdir -p $pkgdir/usr/bin
-  cp $pkgname/isolate $pkgdir/usr/bin/isolate
+  install -D -m4750 -g$ISOLATE_GID $pkgname/isolate $pkgdir/usr/bin/isolate
 }
diff --git a/isolate.install b/isolate.install
new file mode 100644
index 000000000000..b9c5ae0f9f05
--- /dev/null
+++ b/isolate.install
@@ -0,0 +1,22 @@
+# chosen at random
+ISOLATE_GID=29267
+
+post_install() {
+  if ! getent group isolate >/dev/null; then
+    groupadd -g $ISOLATE_GID isolate
+
+    echo
+    echo ">>> If you want to run the isolate command without sudo, you should add"
+    echo ">>> yourself to the isolate group, like this:"
+    echo ">>>   # sudo usermod -a -G isolate <your user>"
+    echo ">>> However, keep in mind that:"
+    echo ">>>   1. You will need to logout, in order to make the change effective"
+    echo ">>>   2. No untrusted user should ever be allowed in the isolate group,"
+    echo ">>>      as they may exploit the isolate command to gain root access"
+    echo
+  fi
+}
+
+post_remove() {
+  groupdel isolate
+}