[gentoo-dev] USE flag "suid" in both use.desc and use.local.desc
From: Walter Dnes @ 2012-12-31 6:44 UTC
To: Gentoo Developers
Moving USE flags from local to global status is frequently discussed
here, so this seems to be the right forum to raise the issue...
[d531][waltdnes][~] grep suid /usr/portage/profiles/use.desc
suid - Enable setuid root program, with potential security risks
[d531][waltdnes][~] grep :suid /usr/portage/profiles/use.local.desc
net-analyzer/nagios-plugins:suid - Give root privileges to the ICMP, DHCP and IDE S.M.A.R.T. check binaries. This allows them to ignore the access controls that would disallow the nagios user from running the check.
net-wireless/kismet:suid - Install a setuid root helper binary with limited functionality; this allows running kismet as a normal user, significantly reducing security risks
BTW, I would've appreciated a headsup (news item) on Xorg getting the
"suid" USE flag. I use startx, and I couldn't start X <G>. Fortunately,
that was on my netbook, and I was able to Google the solution on my
desktop machine... http://en.spontex.org/forum/thread/561/1/ I'm
posting a heads up on the user list.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
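The global use.desc text quoted above says only that USE="suid" installs a setuid root program. What actually changed on disk after such a remerge is easiest to see by inventorying setuid/setgid executables and diffing against a baseline taken before the update. The script below is an added example for this thread, not code from Gentoo, Portage or any poster; the baseline path and root directory are the caller's choice, and the test data it is exercised with is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): inventory setuid/setgid executables
# under a root directory and diff the inventory against a saved baseline,
# so that a USE="suid" change that installs or drops a setuid-root binary
# (e.g. the X server) shows up as a concrete file, not just as a flag.
# Paths and the baseline file name are the caller's choice (assumptions).

# list_setuid ROOT: sorted list of regular files with the setuid or setgid
# bit set below ROOT. -xdev stays on one filesystem; -perm -4000/-2000 test
# the two bits. Add "-user 0" to restrict the list to root-owned binaries.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort
}

# diff_setuid BASELINE ROOT: print binaries that gained (+) or lost (-) the
# setuid/setgid bit relative to BASELINE, a file written by list_setuid.
diff_setuid() {
    baseline="$1"
    root="$2"
    current=$(mktemp)
    list_setuid "$root" > "$current"
    LC_ALL=C comm -13 "$baseline" "$current" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$baseline" "$current" | sed 's/^/- /'
    rm -f "$current"
}

# Typical use: take a baseline before the emerge, diff after it.
#   list_setuid / > /var/lib/setuid.baseline
#   diff_setuid /var/lib/setuid.baseline /
```

Run the baseline step before `emerge` and the diff step afterwards; any `+` line is a new privileged entry point that deserves the same scrutiny the USE flag description asks for, and a `-` line for the X server binary is exactly the situation where startx stops working for an unprivileged user.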
[gentoo-dev] Re: USE flag "suid" in both use.desc and use.local.desc
From: Duncan @ 2012-12-31 8:21 UTC
To: gentoo-dev
Walter Dnes posted on Mon, 31 Dec 2012 01:44:25 -0500 as excerpted:
> Moving USE flags from local to global status is frequently discussed
> here, so this seems to be the right forum to raise the issue...
>
> [d531][waltdnes][~] grep suid /usr/portage/profiles/use.desc
> suid - Enable setuid root program, with potential security risks
>
> [d531][waltdnes][~] grep :suid /usr/portage/profiles/use.local.desc
> [several package hits]
This is now routine. Try it with the "bindist" USE flag (and see the
current thread), for instance.
Promoting a flag to global does mean it gets a global description in
use.desc, but per package descriptions (as now maintained in the per-
package metadata.xml files, but there's a tree maintenance script that
keeps use.local.desc current based on the metadata files, to keep the
tools using it working) continue to be encouraged where they are useful,
as they can often provide much more detailed per-package descriptions of
what the flag actually does in that specific package, than the global
description can.
> BTW, I would've appreciated a headsup (news item) on Xorg getting the
> "suid" USE flag. I use startx, and I couldn't start X <G>.
OTOH, I followed the gentoo recommendation to do a dry run (emerge --
pretend or --ask) and actually LOOK at what's changing in terms of USE
flags, etc, look any of the new ones up I'm not sure on (equery uses
<pkg> in another terminal works), then if necessary, say "no" to the --
ask and make USE flag changes, etc, before going ahead with the "live"
run.
As such, I saw the change (which is even colored differently so it's easy
to pick out), did a quick equery uses xorg-server in a different window
to see what was going on, and decided to go ahead. In my case, I didn't
have USE=suid set at all in make.conf, so the xorg-server ebuild's use-
default to ON was in effect, and I didn't have a problem.
(I was curious, however, as I'd been reading about running X as non-root,
and after seeing that the upgrade did work with the same SUID executable
it had before, I remerged without SUID to try it out, much faster the
second time with ccache and since I wasn't doing other builds at the same
time. THEN I ran into the problem you did, but that was the only change
I made and it was deliberate, so I knew the problem and could immediately
undo it.)
Gentoo isn't a hand-holding distro. The changes were there to be seen in
the recommended emerge --pretend or --ask, and adjusted if needed before
hand, and you chose not to take advantage of that. I guess some people
just have to find out the hard way why such recommendations are there.
Of course, if you prefer a distro that makes such decisions (and takes
responsibility for them accordingly) for you, there's plenty of distros
around that offer more of that than gentoo does. If you don't have the
time or patience to do the dry-runs and check changes before going thru
with them, perhaps one of those would be more appropriate. There's no
shame in deciding that gentoo's simply not an appropriate distro for your
needs, and choosing one of the others instead.
All that said, more documentation and warning wouldn't have hurt, and the
news feature was designed for exactly this sort of thing. Except that
the package maintainer has to think of it, and I guess they didn't in
this case. But it still shouldn't have been a problem as a responsible
admin had plenty of warning already, via the USE flag change itself.
> Fortunately,
> that was on my netbook, and I was able to Google the solution on my
> desktop machine... http://en.spontex.org/forum/thread/561/1/ I'm
> posting a heads up on the user list.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
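The dry-run habit described in the message above (emerge --pretend or --ask, then look for USE flags that are new or have changed before saying yes) can be made mechanical. The script below is an added example written for this thread, not Portage or Gentoo code, and the emerge lines it parses are constructed to look like `emerge -pv` output rather than captured from a real run. It relies on the marker conventions documented in emerge(1): a trailing `*` means the flag changed state since the last install, a trailing `%` means the flag is new to this version, and `()`/`{}` wrap forced, masked or USE_EXPAND flags. The optional watchlist defaults to `suid`.

```sh
#!/bin/sh
# Added example (not from the thread): report USE flags that are new (%) or
# changed (*) in `emerge -pv` dry-run output, so a flag such as "suid" being
# introduced to a package is noticed before the live run.
# Marker conventions as in emerge(1): "*" changed, "%" new; "()" and "{}"
# wrap forced/masked and USE_EXPAND flags.

# Constructed sample dry-run output shaped like emerge -pv lines (not real).
SAMPLE='[ebuild     U ] x11-base/xorg-server-1.13.1 [1.12.4] USE="ipv6 nptl suid%* udev xorg -dmx -doc% -kdrive -minimal (-selinux) -static-libs -tcpd" 0 kB
[ebuild   R   ] net-wireless/kismet-2011.03.2 USE="pcre ruby suid -client% -server -speech" 0 kB
[ebuild  N    ] app-misc/foo-1.0 USE="bar -baz" 0 kB
[ebuild     U ] sys-apps/portage-2.1.11.31 [2.1.11.9] USE="(ipc) xattr -build -doc -epydoc (-pypy1_9) (-python2) (-python3) (-selinux)" 0 kB'

# use_flag_changes: read emerge -pv lines on stdin, print one line
# "package flag state marker" for every flag tagged % or *.
use_flag_changes() {
    awk '
    /^\[ebuild/ {
        pkg = $0
        sub(/^\[ebuild[^]]*\] */, "", pkg)   # drop the status column
        sub(/ .*/, "", pkg)                  # keep category/pn-version
        if (!match($0, /USE="[^"]*"/)) next
        use = substr($0, RSTART + 5, RLENGTH - 6)
        n = split(use, f, " ")
        for (i = 1; i <= n; i++) {
            flag = f[i]
            gsub(/[(){}]/, "", flag)         # unwrap forced/masked/expand flags
            if (flag !~ /[%*]$/) continue    # untouched flag: nothing to report
            marker = (flag ~ /%/) ? "new" : "changed"
            gsub(/[%*]/, "", flag)
            state = (flag ~ /^-/) ? "off" : "on"
            sub(/^-/, "", flag)
            print pkg, flag, state, marker
        }
    }'
}

# watch_flags [LIST]: keep only changes to flags in a comma-separated
# watchlist (default "suid"), the ones worth an `equery uses` look.
watch_flags() {
    use_flag_changes | awk -v list="${1:-suid}" '
    BEGIN { n = split(list, w, ","); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    ($2 in watch)'
}

# Typical use against a real dry run:
#   emerge -pv --update --deep @world | watch_flags suid,pam,setuid
# Against the constructed sample:
#   printf "%s\n" "$SAMPLE" | use_flag_changes
```

On the sample, the xorg-server line reports `suid on new` and `doc off new`, and the kismet line reports `client off new`; the watchlist variant narrows that to the single suid entry, which is the change that would have broken startx for an unprivileged user had the flag been off.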
Re: [gentoo-dev] Re: USE flag "suid" in both use.desc and use.local.desc
From: Kevin Chadwick @ 2012-12-31 14:47 UTC
To: gentoo-dev
On Mon, 31 Dec 2012 08:21:10 +0000 (UTC)
Duncan <1i5t5.duncan@cox.net> wrote:
> I was curious, however, as I'd been reading about running X as
> non-root,
I use some hackery to run startx on some systems as a normal user on
linux and without suid. The only important things to me that break on
these systems are hotplugging mice etc., which could be quite easily
fixed if it was worth the time. I've found a log out triggering a
relaunch good enough with 0 complaints for now.
You might be interested that the default on OpenBSD is for X to run as
the X11 user and xdm to run as root and involves no hackery or issues
but still some root privileges.
Re: [gentoo-dev] USE flag "suid" in both use.desc and use.local.desc
From: Rick "Zero_Chaos" Farina @ 2012-12-31 17:49 UTC
To: gentoo-dev
On 12/31/2012 01:44 AM, Walter Dnes wrote:
> Moving USE flags from local to global status is frequently discussed
> here, so this seems to be the right forum to raise the issue...
>
> [d531][waltdnes][~] grep suid /usr/portage/profiles/use.desc
> suid - Enable setuid root program, with potential security risks
>
> [d531][waltdnes][~] grep :suid /usr/portage/profiles/use.local.desc
> net-analyzer/nagios-plugins:suid - Give root privileges to the ICMP, DHCP and IDE S.M.A.R.T. check binaries. This allows them to ignore the access controls that would disallow the nagios user from running the check.
> net-wireless/kismet:suid - Install a setuid root helper binary with limited functionality; this allows running kismet as a normal user, significantly reducing security risks
>
Just because it's a global use flag doesn't mean you cannot redefine it
locally to more specifically define the use case in a particular
package. That's clearly what is done for kismet here, I have no desire
to undefine it and make what happens less clear.
-Zero
> BTW, I would've appreciated a headsup (news item) on Xorg getting the
> "suid" USE flag. I use startx, and I couldn't start X <G>. Fortunately,
> that was on my netbook, and I was able to Google the solution on my
> desktop machine... http://en.spontex.org/forum/thread/561/1/ I'm
> posting a heads up on the user list.
>