From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9E1A113877A for ; Tue, 8 Jul 2014 14:17:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 49D0DE086A; Tue, 8 Jul 2014 14:17:10 +0000 (UTC) Received: from a1www.kph.uni-mainz.de (a1www.kph.uni-mainz.de [134.93.134.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2946FE082B for ; Tue, 8 Jul 2014 14:17:08 +0000 (UTC) Received: from a1i15.kph.uni-mainz.de (a1i15.kph.uni-mainz.de [134.93.134.92]) by a1www.kph.uni-mainz.de (8.14.7/8.14.7) with ESMTP id s68EH2Q3022587; Tue, 8 Jul 2014 16:17:03 +0200 Received: from a1i15.kph.uni-mainz.de (localhost [127.0.0.1]) by a1i15.kph.uni-mainz.de (8.14.8/8.14.2) with ESMTP id s68EH2ra000947; Tue, 8 Jul 2014 16:17:02 +0200 Received: (from ulm@localhost) by a1i15.kph.uni-mainz.de (8.14.8/8.14.8/Submit) id s68EH2Ee000943; Tue, 8 Jul 2014 16:17:02 +0200 Message-ID: <21435.64862.617761.35100@a1i15.kph.uni-mainz.de> Date: Tue, 8 Jul 2014 16:17:02 +0200 To: =?iso-8859-2?Q?Micha=B3_G=F3rny?= Cc: , pms-bugs@gentoo.org Subject: [gentoo-dev] Re: Looking for alternative to RESTRICT=userpriv In-Reply-To: <20140708152526.11d11e8b@pomiot.lan> References: <20140708152526.11d11e8b@pomiot.lan> X-Mailer: VM 8.2.0b under 24.3.1 (x86_64-pc-linux-gnu) From: Ulrich Mueller Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="pgp+signed+JIG//iuOuq0QmXW"; micalg=pgp-sha256; protocol="application/pgp-signature" X-Archives-Salt: df901a2f-531f-489b-81cb-dffdd733a221 X-Archives-Hash: 98959fbdc6c536eaca62e933d4994361 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --pgp+signed+JIG//iuOuq0QmXW Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: quoted-printable >>>>> On Tue, 8 Jul 2014, Micha=B3 G=F3rny wrote: > a) explicitly requesting user to alter group membership for the > build user. This is already done in some of the CUDA ebuilds. > [...] This doesn't work out of the box for users, therefore it is not really a solution. > b) SUPPLEMENTARY=5FGROUPS support [2]. The idea is to use setgroups()= > to transparently enable group membership for the build process. > Advantages: > - transparent, relatively simple. > Disadvantages: > - quite ugly name ;), Certainly this can be changed. :) > - doesn't cover other uses of FEATURES=3Duserpriv. Which ones=3F Are there examples for such uses in the Portage tree=3F > c) 'esudo' helper [3]. This is a more generic form of (2), with > support for other potential privilege changes. > [...] > Disadvantages: > - hard to implement -- especially if we want to make it capable of > running bash functions. Any idea how to implement it=3F Does it imply adding app-admin/sudo to the system set=3F > What do you think=3F Do you have other ideas=3F Looking at the bugs that you have filed, it looks like most ebuilds using userpriv restriction could be fixed, without any additional support added to the package manager. How many ebuilds will be left, after doing these fixes=3F Is it really worth the effort then=3F Ulrich --pgp+signed+JIG//iuOuq0QmXW Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBCAAGBQJTu/1dAAoJEMMJBoUcYcJzfcoH/1ZLbxMHdkzEV+rkT40cJpm2 N1HqFsVAnYNdM4pijlJYYq4TUyH2xAQNUaUqEytpGRNEFoqEqiZ4/PkL6RQZe+Sh N1+JnR/rPdFpvttA7Llvf8TbAMFA+zoS+ayK54eu6RqSBCaRFqtWi20CLvlo/vOc 8nA9e3ydAps7uForoIY9tN61F6Hwt5XJt3O1uxbKKNZlhc4EHag+VLuxohu0ZSfM 2BwPvvYsmRKT7f3QksCkigteiFqxCloNAPbMH6XcS/PXxZxSU0pB7lDMxueX3D8S EgvsrGouKalbrVoh/8WzjrX81qvBwgObl8z8xfZR2hyw5mRZt4ZQ6TnE/t0LWQ4= =ULRF -----END PGP SIGNATURE----- --pgp+signed+JIG//iuOuq0QmXW--