public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-dev] emerge system through sandbox
@ 2001-12-06  4:18 Geert Bevin
  2001-12-06  4:31 ` Martin Schlemmer
  0 siblings, 1 reply; 4+ messages in thread
From: Geert Bevin @ 2001-12-06  4:18 UTC (permalink / raw
  To: gentoo-dev

Hi,

I performed an entire 'emerge system' on a freshly installed machine
with the sandbox installed beforehand. This made it possible to check
all system packages for accedental writes outside the allowed dirs.
Below is the list of packages that failed and the details :

fileutils
mkdir:     /usr/tmp/cf19190
mkdir:     /usr/lib/cf19190

findutils
mkdir:     /var/spool/locate

gpm
mkdir:     /etc/gpm

ncurses
open_wr:   /usr/tmp/conftest9012345
open_wr:   /usr/tmp/conftest9012346

patch
open_wr:   /usr/tmp/conftest9012345
open_wr:   /usr/tmp/conftest9012346

pwdb
open_wr:   /usr/portage/sys-libs/pwdb/files/.

sh-utils
mkdir:     /usr/tmp/cf8115
mkdir:     /usr/lib/cf8115

tar
open_wr:   /usr/tmp/conftest9012345
open_wr:   /usr/tmp/conftest9012346

textutils
mkdir:     /usr/tmp/cf27156
mkdir:     /usr/lib/cf27156

Out of this I conclude that it might be a good idea to open up
'/usr/tmp' for writing too. Anyway, it's linked to /var/tmp and ormally
the dirs that are created in /usr/tmp by these packages are deleted
immediately afterwards.

I'm currently building an entire gnome desktop through the sandbox.
There's already one problem which I've discussed with Hallski. Quite
some packages need to write to '/var/log/scrollkeeper.log' during their
installation. Hallski is going to investigate how this could be helped,
but in the meantime I've opened up my local sadbox for this file
temporarely.

Best regards,

Geert

-- 
Geert Bevin
the Leaf sprl/bvba
"Use what you need"           Pierre Theunisstraat 1/47
http://www.theleaf.be         1030 Brussels
gbevin@theleaf.be             Tel & Fax +32 2 241 19 98



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-dev] emerge system through sandbox
  2001-12-06  4:18 [gentoo-dev] emerge system through sandbox Geert Bevin
@ 2001-12-06  4:31 ` Martin Schlemmer
  2001-12-06  4:41   ` Geert Bevin
  0 siblings, 1 reply; 4+ messages in thread
From: Martin Schlemmer @ 2001-12-06  4:31 UTC (permalink / raw
  To: Gentoo-Dev

[-- Attachment #1: Type: text/plain, Size: 571 bytes --]

On Thu, 2001-12-06 at 06:18, Geert Bevin wrote:
> Hi,
> 
> I performed an entire 'emerge system' on a freshly installed machine
> with the sandbox installed beforehand. This made it possible to check
> all system packages for accedental writes outside the allowed dirs.
> Below is the list of packages that failed and the details :
> 

Isnt it a test by these packages to check if the user have
write permissions to those dirs, and can thus install them ?


-- 

Martin Schlemmer
Gentoo Linux Developer, Desktop Team Developer
Cape Town, South Africa


[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-dev] emerge system through sandbox
  2001-12-06  4:31 ` Martin Schlemmer
@ 2001-12-06  4:41   ` Geert Bevin
  0 siblings, 0 replies; 4+ messages in thread
From: Geert Bevin @ 2001-12-06  4:41 UTC (permalink / raw
  To: gentoo-dev

On Thu, 2001-12-06 at 05:31, Martin Schlemmer wrote:
> Isnt it a test by these packages to check if the user have
> write permissions to those dirs, and can thus install them ?

Don't know. Would be nice if someone could investigate or confirm.

-- 
Geert Bevin
the Leaf sprl/bvba
"Use what you need"           Pierre Theunisstraat 1/47
http://www.theleaf.be         1030 Brussels
gbevin@theleaf.be             Tel & Fax +32 2 241 19 98



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-dev] emerge system through sandbox
@ 2001-12-06  4:54 Geert Bevin
  0 siblings, 0 replies; 4+ messages in thread
From: Geert Bevin @ 2001-12-06  4:54 UTC (permalink / raw
  To: gentoo-dev

On Thu, 2001-12-06 at 05:31, Martin Schlemmer wrote:
> Isnt it a test by these packages to check if the user have
> write permissions to those dirs, and can thus install them ?

In fact it's these situations that were the basis for me not to want to
return an error by the sandbox if it detects invalid accesses. The
developer/user should just be notified of the presence. If the installer
of the package doesn't consider it as a fatal error, but simple as a
notification of the state of the system, the merge should simply proceed
imho. I could add something which makes it possible to notify to sandbox
of predicted/expected failures, which in their turn are then not printed
to the regular user.

What do you think of this?

-- 
Geert Bevin
the Leaf sprl/bvba
"Use what you need"           Pierre Theunisstraat 1/47
http://www.theleaf.be         1030 Brussels
gbevin@theleaf.be             Tel & Fax +32 2 241 19 98



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2001-12-06  4:54 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2001-12-06  4:18 [gentoo-dev] emerge system through sandbox Geert Bevin
2001-12-06  4:31 ` Martin Schlemmer
2001-12-06  4:41   ` Geert Bevin
  -- strict thread matches above, loose matches on Subject: below --
2001-12-06  4:54 Geert Bevin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox