11.1.Architecture specification strings

If a program needs to specify anarchitecture specification string insome place, it should select one of the strings provided bydpkg-architecture-L. The strings are in the formatos-arch, though the OSpart is sometimes elided, as when the OS is Linux.

Note that we don’t want to usearch-debian-linux to apply to therulearchitecture-vendor-os since this would make our programsincompatible with other Linux distributions. We also don’t use somethinglikearch-unknown-linux, since theunknown does not look verygood.

11.2.Daemons

The configuration files/etc/services,/etc/protocols, and/etc/rpc are managed by thenetbase package and must not bemodified by other packages.

If a package requires a new entry in one of these files, the maintainershould get in contact with thenetbase maintainer, who will add theentries and release a new version of thenetbase package.

The configuration file/etc/inetd.conf must not be modified by thepackage’s scripts except via theupdate-inetd script or theDebianNet.pm Perl module. See their documentation for details on howto add entries.

If a package wants to install an example entry into/etc/inetd.conf,the entry must be preceded with exactly one hash character (#). Suchlines are treated as “commented out by user” by theupdate-inetdscript and are not changed or activated during package updates.

11.3.Using pseudo-ttys and modifying wtmp, utmp and lastlog

Some programs need to create pseudo-ttys. This should be done usingUnix98 ptys if the C library supports it. The resulting program must notbe installed setuid root, unless that is required for otherfunctionality.

The files/var/run/utmp,/var/log/wtmp and/var/log/lastlogmust be installed writable by grouputmp. Programs which need tomodify those files must be installed setgidutmp.

11.4.Editors and pagers

Some programs have the ability to launch an editor or pager program toedit or display a text document. Since there are lots of differenteditors and pagers available in the Debian distribution, the systemadministrator and each user should have the possibility to choose theirpreferred editor and pager.

In addition, every program should choose a good default editor/pager ifnone is selected by the user or system administrator.

Thus, every program that launches an editor or pager must use the EDITORor PAGER environment variable to determine the editor or pager the userwishes to use. If these variables are not set, the programs/usr/bin/editor and/usr/bin/pager should be used, respectively.These commands may be invoked explicitly (e.g., as/usr/bin/editor) orvia a PATH search (e.g., aseditor).

These two files are managed through thedpkg “alternatives”mechanism. Every package providing an editor or pager must call theupdate-alternatives script to register as an alternative for/usr/bin/editor or/usr/bin/pager as appropriate. Thealternative should have a slave alternative for/usr/share/man/man1/editor.1.gz or/usr/share/man/man1/pager.1.gz pointing to the corresponding manualpage.

If it is very hard to adapt a program to make use of the EDITOR or PAGERvariables, that program may be configured to use/usr/bin/sensible-editor and/usr/bin/sensible-pager as theeditor or pager program respectively. These are two scripts provided inthe sensible-utils package that check the EDITOR and PAGER variables andlaunch the appropriate program, and fall back to/usr/bin/editor and/usr/bin/pager if the variable is not set.

A program may also use the VISUAL environment variable to determine theuser’s choice of editor. If it exists, it should take precedence overEDITOR. This is in fact what/usr/bin/sensible-editor does.

It is not required for a package to depend oneditor andpager,nor is it required for a package to provide such virtualpackages.[2]

11.5.Web servers and applications

This section describes the locations and URLs that should be used by allweb servers and web applications in the Debian system.

1. Cgi-bin executable files are installed in the directory

   /usr/lib/cgi-bin

   or a subdirectory of that directory, and the script

   /usr/lib/cgi-bin/.../cgi-bin-name

   should be referred to as

   http://localhost/cgi-bin/.../cgi-bin-name

2. (Deleted)

3. Access to images

   Images for a package should be stored in/usr/share/images/packageand referred to through an alias/images/ as:

   http://localhost/images/package/filename

4. Web Document Root

   Web Applications should try to avoid storing files in the WebDocument Root. Instead they should use the /usr/share/doc/packagedirectory for documents. If access to the web document root isunavoidable then use

   /var/www/html

   as the Document Root. This might be just a symbolic link to thelocation where the system administrator has put the real documentroot.

5. Providing httpd and/or httpd-cgi

   All web servers should provide the virtual packagehttpd. If aweb server has CGI support it should providehttpd-cgiadditionally.

   All web applications which do not contain CGI scripts should dependonhttpd, all those web applications whichdo contain CGIscripts, should depend onhttpd-cgi.

11.6.Mail transport, delivery and user agents

Debian packages which process electronic mail, whether mail user agents(MUAs) or mail transport agents (MTAs), must ensure that they arecompatible with the configuration decisions below. Failure to do thismay result in lost mail, brokenFrom: lines, and other serious braindamage!

The mail spool is/var/mail and the interface to send a mail messageis/usr/sbin/sendmail (as per the FHS). On older systems, the mailspool may be physically located in/var/spool/mail, but all accessto the mail spool should be via the/var/mail symlink. The mailspool is part of the base system and not part of the MTA package.

All Debian MUAs, MTAs, MDAs and other mailbox accessing programs (suchas IMAP daemons) must lock the mailbox in an NFS-safe way. This meansthatfcntl() locking must be combined with dot locking. To avoiddeadlocks, a program should usefcntl() first and dot locking afterthis, or alternatively implement the two locking methods in a nonblocking way.[3] Using the functionsmaillock andmailunlock provided by theliblockfile* packages is therecommended way to accomplish this.

Mailboxes are generally either mode 600 and owned by user or mode 660and owned byuser:mail.[4] The local system administrator maychoose a different permission scheme; packages should not makeassumptions about the permission and ownership of mailboxes unlessrequired (such as when creating a new mailbox). A MUA may remove amailbox (unless it has nonstandard permissions) in which case the MTA oranother MUA must recreate it if needed.

The mail spool is 2775root:mail, and MUAs should be setgid mail todo the locking mentioned above (and must obviously avoid accessing otherusers’ mailboxes using this privilege).

/etc/aliases is the source file for the system mail aliases (e.g.,postmaster, usenet, etc.), it is the one which the sysadmin andpostinst scripts may edit. After/etc/aliases is edited theprogram or human editing it must callnewaliases. All MTA packagesmust come with anewaliases program, even if it does nothing, butolder MTA packages did not do this so programs should not fail ifnewaliases cannot be found. Note that because of this, all MTApackages must haveProvides,Conflicts andReplaces: mail-transport-agent control fields.

The convention of writingforwardtoaddress in the mailbox itself is not supported. Use a.forward file instead.

Thermail program used by UUCP for incoming mail should be/usr/sbin/rmail. Likewise,rsmtp, for receivingbatch-SMTP-over-UUCP, should be/usr/sbin/rsmtp if it is supported.

If your package needs to know what hostname to use on (for example)outgoing news and mail messages which are generated locally, you shoulduse the file/etc/mailname. It will contain the portion after theusername and@ (at) sign for email addresses of users on the machine(followed by a newline).

Such a package should check for the existence of this file when it isbeing configured. If it exists, it should be used without comment,although an MTA’s configuration script may wish to prompt the user evenif it finds that this file exists. If the file does not exist, thepackage should prompt the user for the value (preferably usingdebconf) and store it in/etc/mailname as well as using it inthe package’s configuration. The prompt should make it clear that thename will not just be used by that package. For example, in thissituation theinn package could say something like:

Pleaseenterthe"mail name"ofyoursystem.Thisisthehostnameportionoftheaddresstobeshownonoutgoingnewsandmailmessages.Thedefaultissyshostname,yoursystem's host name.Mailname["syshostname"]:

where syshostname is the output ofhostname--fqdn.

11.7.News system configuration

All the configuration files related to the NNTP (news) servers andclients should be located under/etc/news.

There are some configuration issues that apply to a number of newsclients and server packages on the machine. These are:

/etc/news/organization

A string which should appear as the organization header for allmessages posted by NNTP clients on the machine

/etc/news/server

Contains the FQDN of the upstream NNTP server, or localhost if thelocal machine is an NNTP server.

Other global files may be added as required for cross-package newsconfiguration.

11.8.Programs for the X Window System

11.9.Perl programs and modules

Perl programs and modules should follow the current Perl policy.

The Perl policy can be found in theperl-policy files in thedebian-policy package. It is also available from the Debian webmirrors athttps://www.debian.org/doc/packaging-manuals/perl-policy/.

11.10.Emacs lisp programs

Please refer to the “Debian Emacs Policy” for details of how to packageemacs lisp programs.

The Emacs policy is available indebian-emacs-policy.gz of theemacsen-common package. It is also available from the Debian web mirrorsathttps://www.debian.org/doc/packaging-manuals/debian-emacs-policy.

11.11.Games

The permissions on/var/games are mode 755, ownerroot and grouproot.

Each game decides on its own security policy.

Games which require protected, privileged access to high-score files,saved games, etc., may be made set-group-id (mode 2755) and owned byroot:games, and use files and directories with appropriatepermissions (770root:games, for example). They must not be madeset-user-id, as this causes security problems. (If an attacker cansubvert any set-user-id game they can overwrite the executable of anyother, causing other players of these games to run a Trojan horseprogram. With a set-group-id game the attacker only gets access to lessimportant game data, and if they can get at the other players’ accountsat all it will take considerably more effort.)

Some packages, for example some fortune cookie programs, are configuredby the upstream authors to install with their data files or other staticinformation made unreadable so that they can only be accessed throughset-id programs provided. You should not do this in a Debian package:anyone can download the.deb file and read the data from it, sothere is no point making the files unreadable. Not making the filesunreadable also means that you don’t have to make so many programsset-id, which reduces the risk of a security hole.

As described in the FHS, binaries of games should be installed in thedirectory/usr/games. This also applies to games that use the XWindow System. Manual pages for games (X and non-X games) should beinstalled in/usr/share/man/man6.

Internally, the package system normalizes the GNU triplets and theDebian arches into Debian arch triplets (which are kind of invertedGNU triplets), with the first component of the triplet representingthe libc and ABI in use, and then does matching against thosetriplets. However, such triplets are an internal implementationdetail that should not be used by packages directly. The libc and ABIportion is handled internally by the package system based on the osand cpu.

The Debian base system already provides an editor and a pagerprogram.

If it is not possible to establish both locks, the system shouldn’twait for the second lock to be established, but remove the firstlock, wait a (random) time, and start over locking again.

There are two traditional permission schemes for mail spools: mode600 with all mail delivery done by processes running as thedestination user, or mode 660 and owned by group mail with maildelivery done by a process running as a system user in group mail.Historically, Debian required mode 660 mail spools to enable thelatter model, but that model has become increasingly uncommon and theprinciple of least privilege indicates that mail systems that use thefirst model should use permissions of 600. If delivery to programs ispermitted, it’s easier to keep the mail system secure if the deliveryagent runs as the destination user. Debian Policy therefore permitseither scheme.

This implements current practice, and provides an actual policy forusage of thexserver virtual package which appears in the virtualpackages list. In a nutshell, X servers that interface directly withthe display and input hardware or via another subsystem (e.g., GGI)should providexserver. Things likeXvfb,Xnest, andXprt should not.

“New terminal window” does not necessarily mean a new top-level Xwindow directly parented by the window manager; it could, if theterminal emulator application were so coded, be a new “view” in amultiple-document interface (MDI).

For the purposes of Debian Policy, a “font for the X Window System”is one which is accessed via X protocol requests. Fonts for the Linuxconsole, for PostScript renderer, or any other purpose, do not fitthis definition. Any tool which makes such fonts available to the XWindow System, however, must abide by this font policy.

This is because an X client may be displayed by a remote X server,in which case X fonts are provided by the remote X server, notretrieved locally; the Debian package system is empowered to dealonly with the local file system.

Note that this mechanism is not the same as using app-defaults;app-defaults are tied to the client binary on the local file system,whereas X resources are stored in the X server and affect allconnecting clients.