* [gentoo-dev] emerge system through sandbox
@ 2001-12-06 4:18 Geert Bevin
2001-12-06 4:31 ` Martin Schlemmer
0 siblings, 1 reply; 4+ messages in thread
From: Geert Bevin @ 2001-12-06 4:18 UTC (permalink / raw
To: gentoo-dev
Hi,
I performed an entire 'emerge system' on a freshly installed machine
with the sandbox installed beforehand. This made it possible to check
all system packages for accedental writes outside the allowed dirs.
Below is the list of packages that failed and the details :
fileutils
mkdir: /usr/tmp/cf19190
mkdir: /usr/lib/cf19190
findutils
mkdir: /var/spool/locate
gpm
mkdir: /etc/gpm
ncurses
open_wr: /usr/tmp/conftest9012345
open_wr: /usr/tmp/conftest9012346
patch
open_wr: /usr/tmp/conftest9012345
open_wr: /usr/tmp/conftest9012346
pwdb
open_wr: /usr/portage/sys-libs/pwdb/files/.
sh-utils
mkdir: /usr/tmp/cf8115
mkdir: /usr/lib/cf8115
tar
open_wr: /usr/tmp/conftest9012345
open_wr: /usr/tmp/conftest9012346
textutils
mkdir: /usr/tmp/cf27156
mkdir: /usr/lib/cf27156
Out of this I conclude that it might be a good idea to open up
'/usr/tmp' for writing too. Anyway, it's linked to /var/tmp and ormally
the dirs that are created in /usr/tmp by these packages are deleted
immediately afterwards.
I'm currently building an entire gnome desktop through the sandbox.
There's already one problem which I've discussed with Hallski. Quite
some packages need to write to '/var/log/scrollkeeper.log' during their
installation. Hallski is going to investigate how this could be helped,
but in the meantime I've opened up my local sadbox for this file
temporarely.
Best regards,
Geert
--
Geert Bevin
the Leaf sprl/bvba
"Use what you need" Pierre Theunisstraat 1/47
http://www.theleaf.be 1030 Brussels
gbevin@theleaf.be Tel & Fax +32 2 241 19 98
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] emerge system through sandbox
2001-12-06 4:18 [gentoo-dev] emerge system through sandbox Geert Bevin
@ 2001-12-06 4:31 ` Martin Schlemmer
2001-12-06 4:41 ` Geert Bevin
0 siblings, 1 reply; 4+ messages in thread
From: Martin Schlemmer @ 2001-12-06 4:31 UTC (permalink / raw
To: Gentoo-Dev
[-- Attachment #1: Type: text/plain, Size: 571 bytes --]
On Thu, 2001-12-06 at 06:18, Geert Bevin wrote:
> Hi,
>
> I performed an entire 'emerge system' on a freshly installed machine
> with the sandbox installed beforehand. This made it possible to check
> all system packages for accedental writes outside the allowed dirs.
> Below is the list of packages that failed and the details :
>
Isnt it a test by these packages to check if the user have
write permissions to those dirs, and can thus install them ?
--
Martin Schlemmer
Gentoo Linux Developer, Desktop Team Developer
Cape Town, South Africa
[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] emerge system through sandbox
2001-12-06 4:31 ` Martin Schlemmer
@ 2001-12-06 4:41 ` Geert Bevin
0 siblings, 0 replies; 4+ messages in thread
From: Geert Bevin @ 2001-12-06 4:41 UTC (permalink / raw
To: gentoo-dev
On Thu, 2001-12-06 at 05:31, Martin Schlemmer wrote:
> Isnt it a test by these packages to check if the user have
> write permissions to those dirs, and can thus install them ?
Don't know. Would be nice if someone could investigate or confirm.
--
Geert Bevin
the Leaf sprl/bvba
"Use what you need" Pierre Theunisstraat 1/47
http://www.theleaf.be 1030 Brussels
gbevin@theleaf.be Tel & Fax +32 2 241 19 98
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] emerge system through sandbox
@ 2001-12-06 4:54 Geert Bevin
0 siblings, 0 replies; 4+ messages in thread
From: Geert Bevin @ 2001-12-06 4:54 UTC (permalink / raw
To: gentoo-dev
On Thu, 2001-12-06 at 05:31, Martin Schlemmer wrote:
> Isnt it a test by these packages to check if the user have
> write permissions to those dirs, and can thus install them ?
In fact it's these situations that were the basis for me not to want to
return an error by the sandbox if it detects invalid accesses. The
developer/user should just be notified of the presence. If the installer
of the package doesn't consider it as a fatal error, but simple as a
notification of the state of the system, the merge should simply proceed
imho. I could add something which makes it possible to notify to sandbox
of predicted/expected failures, which in their turn are then not printed
to the regular user.
What do you think of this?
--
Geert Bevin
the Leaf sprl/bvba
"Use what you need" Pierre Theunisstraat 1/47
http://www.theleaf.be 1030 Brussels
gbevin@theleaf.be Tel & Fax +32 2 241 19 98
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2001-12-06 4:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2001-12-06 4:18 [gentoo-dev] emerge system through sandbox Geert Bevin
2001-12-06 4:31 ` Martin Schlemmer
2001-12-06 4:41 ` Geert Bevin
-- strict thread matches above, loose matches on Subject: below --
2001-12-06 4:54 Geert Bevin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox