public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Sandbox suggestion
@ 2001-12-11  4:51 Joshua Pollak
  2001-12-11  9:05 ` Geert Bevin
  0 siblings, 1 reply; 11+ messages in thread
From: Joshua Pollak @ 2001-12-11  4:51 UTC
  To: gentoo-dev

Hi,

Just wondering, but I had a suggestion for the dynamic bash ebuild: Rather 
than replacing the static bash and moving the static bash to /bin/sbash 
(shouldn't that be /sbin/sbash?) anyway, why not just install the new shell 
to /bin/dyn-bash or dbash or something, and make the sandbox scripts call 
everything via that shell?

I'm not sure if that's technically possible or not, but it seemed like it 
would make a lot of things simpler, and reduce the risk of sysadmins messing 
something up.



* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11  4:51 [gentoo-dev] Sandbox suggestion Joshua Pollak
@ 2001-12-11  9:05 ` Geert Bevin
  2001-12-11 16:22   ` Joshua Pollak
  0 siblings, 1 reply; 11+ messages in thread
From: Geert Bevin @ 2001-12-11  9:05 UTC
  To: gentoo-dev

Because then any script that refers to /bin/bash during the installation 
process uses the static bash, while the purpose is that the dynamic bash 
is used. Of course all the scripts could be patched, but then the use of 
the sandbox gets quite a bit devaluated.

Joshua Pollak wrote:

>Hi,
>
>Just wondering, but I had a suggestion for the dynamic bash ebuild: Rather 
>than replacing the static bash and moving the static bash to /bin/sbash 
>(shouldn't that be /sbin/sbash?) anyway, why not just install the new shell 
>to /bin/dyn-bash or dbash or something, and make the sandbox scripts call 
>everything via that shell?
>
>I'm not sure if that's technically possible or not, but it seemed like it 
>would make a lot of things simpler, and reduce the risk of sysadmins messing 
>something up.
>_______________________________________________
>gentoo-dev mailing list
>gentoo-dev@gentoo.org
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev
>






* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11  9:05 ` Geert Bevin
@ 2001-12-11 16:22   ` Joshua Pollak
  2001-12-11 18:04     ` Zach Forrest
  0 siblings, 1 reply; 11+ messages in thread
From: Joshua Pollak @ 2001-12-11 16:22 UTC
  To: gentoo-dev

On Tuesday 11 December 2001 4:05, you wrote:
> Because then any script that refers to /bin/bash during the installation
> process uses the static bash, while the purpose is that the dynamic bash
> is used. Of course all the scripts could be patched, but then the use of
> the sandbox gets quite a bit devaluated.

Fair enough.

>
> Joshua Pollak wrote:
> >Hi,
> >
> >Just wondering, but I had a suggestion for the dynamic bash ebuild: Rather
> >than replacing the static bash and moving the static bash to /bin/sbash
> >(shouldn't that be /sbin/sbash?) anyway, why not just install the new
> > shell to /bin/dyn-bash or dbash or something, and make the sandbox
> > scripts call everything via that shell?
> >
> >I'm not sure if that's technically possible or not, but it seemed like it
> >would make a lot of things simpler, and reduce the risk of sysadmins
> > messing something up.



* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 16:22   ` Joshua Pollak
@ 2001-12-11 18:04     ` Zach Forrest
  2001-12-11 18:23       ` Geert Bevin
  0 siblings, 1 reply; 11+ messages in thread
From: Zach Forrest @ 2001-12-11 18:04 UTC
  To: gentoo-dev

What about installing dyn-bash into something like 
/usr/lib/sandbox/bin/bash, and then pre-pending this to $PATH before 
beginning and restoring the original $PATH afterwards?

Zach

Joshua Pollak wrote:

> On Tuesday 11 December 2001 4:05, you wrote:
> 
>>Because then any script that refers to /bin/bash during the installation
>>process uses the static bash, while the purpose is that the dynamic bash
>>is used. Of course all the scripts could be patched, but then the use of
>>the sandbox gets quite a bit devaluated.
>>
> 
> Fair enough.
> 
> 
>>Joshua Pollak wrote:
>>
>>>Hi,
>>>
>>>Just wondering, but I had a suggestion for the dynamic bash ebuild: Rather
>>>than replacing the static bash and moving the static bash to /bin/sbash
>>>(shouldn't that be /sbin/sbash?) anyway, why not just install the new
>>>shell to /bin/dyn-bash or dbash or something, and make the sandbox
>>>scripts call everything via that shell?
>>>
>>>I'm not sure if that's technically possible or not, but it seemed like it
>>>would make a lot of things simpler, and reduce the risk of sysadmins
>>>messing something up.





* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 18:04     ` Zach Forrest
@ 2001-12-11 18:23       ` Geert Bevin
  2001-12-11 19:21         ` Joshua Pollak
  0 siblings, 1 reply; 11+ messages in thread
From: Geert Bevin @ 2001-12-11 18:23 UTC
  To: gentoo-dev

most scripts refer to bash like this

#!/bin/bash

putting another one in the path doesn't work around this at all

On Tue, 2001-12-11 at 19:04, Zach Forrest wrote:
> What about installing dyn-bash into something like 
> /usr/lib/sandbox/bin/bash, and then pre-pending this to $PATH before 
> beginning and restoring the original $PATH afterwards?
-- 
Geert Bevin
the Leaf sprl/bvba
"Use what you need"           Pierre Theunisstraat 1/47
http://www.theleaf.be         1030 Brussels
gbevin@theleaf.be             Tel & Fax +32 2 241 19 98
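
Added example (not part of the original message): the point made above, that a hard-coded `#!` interpreter path ignores anything prepended to `$PATH`, reproduced in a throwaway directory. `/bin/sh` stands in for `/bin/bash` and the decoy `sh` for the sandbox shell; every path under the temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Which shell actually runs a script: the one named in its shebang,
# or the one found first in $PATH? Assumption: /bin/sh is a stand-in
# for /bin/bash so the demonstration runs on any POSIX system.

demo_shebang_vs_path() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/sandbox/bin"

    # Decoy "sandbox shell": leaves a marker whenever it is the shell
    # that gets started, then hands over to the real one.
    cat > "$work/sandbox/bin/sh" <<EOF
#!/bin/sh
echo used >> "$work/marker"
exec /bin/sh "\$@"
EOF
    chmod +x "$work/sandbox/bin/sh"

    # Upstream-style script with a hard-coded interpreter path, like the
    # scripts shipped inside source packages.
    printf '#!/bin/sh\necho build-step\n' > "$work/configure"
    chmod +x "$work/configure"

    old_path=$PATH
    PATH="$work/sandbox/bin:$PATH"

    # Case 1: executed directly. The kernel reads "#!/bin/sh" and never
    # consults PATH, so the decoy is bypassed.
    "$work/configure" >/dev/null
    if [ -e "$work/marker" ]; then direct=sandbox; else direct=system; fi

    # Case 2: interpreter given as a bare command name. Now the PATH
    # lookup applies and the decoy is picked up.
    sh "$work/configure" >/dev/null
    if [ -e "$work/marker" ]; then named=sandbox; else named=system; fi

    PATH=$old_path
    rm -rf "$work"
    echo "direct=$direct named=$named"
}
```

Only the second invocation is affected by the prepended directory, which is why a sandbox that relies on `$PATH` alone does not cover scripts that carry their own absolute shebang.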




* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 18:23       ` Geert Bevin
@ 2001-12-11 19:21         ` Joshua Pollak
  2001-12-11 19:25           ` Geert Bevin
                             ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Joshua Pollak @ 2001-12-11 19:21 UTC
  To: gentoo-dev

On Tuesday 11 December 2001 1:23, you wrote:
> most scripts refer to bash like this
>
> #!/bin/bash
>
> putting another one in the path doesn't work around this at all

Perhaps gentoo policy could be to make ebuilds reference:

#!/bin/ebuild-bash

which by default would be a sym-link to bash, but on a sandbox system would 
have the dynamic bash in place?

I don't know how much of an issue using the wrong shell is, I don't know how 
often people will encounter problems, but I do know that when bash got 
version skewed (or something) on my Debian system, it was a nightmare.



* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 19:21         ` Joshua Pollak
@ 2001-12-11 19:25           ` Geert Bevin
  2001-12-11 19:40           ` Zach Forrest
  2001-12-11 20:04           ` Daniel Robbins
  2 siblings, 0 replies; 11+ messages in thread
From: Geert Bevin @ 2001-12-11 19:25 UTC
  To: gentoo-dev

>
>
>Perhaps gentoo policy could be to make ebuilds reference:
>
>#!/bin/ebuild-bash
>
>which by default would be a sym-link to bash, but on a sandbox system would 
>have the dynamic bash in place?
>
The problem is not the ebuilds, it's the shell scripts that are 
distributed along with source packages.

>I don't know how much of an issue using the wrong shell is, I don't know how 
>often people will encounter problems, but I do know that when bash got 
>version skewed (or something) on my Debian system, it was a nightmare.
>
Having a dynamic bash is not really a problem, most distributions do it. 
The only problem is cleanly updating glibc, ncurses, readline libraries 
without segfaulting the dyn bash. It's on my todo to find a solution for 
this, but currently I'm living with a half crashed hd at home and 
awaiting the replacement before I can really resume the development.




* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 19:21         ` Joshua Pollak
  2001-12-11 19:25           ` Geert Bevin
@ 2001-12-11 19:40           ` Zach Forrest
  2001-12-11 20:04           ` Daniel Robbins
  2 siblings, 0 replies; 11+ messages in thread
From: Zach Forrest @ 2001-12-11 19:40 UTC
  To: gentoo-dev

> which by default would be a sym-link to bash, but on a sandbox system would 
> have the dynamic bash in place?


Another (rough) idea would be to install bash to /bin/sbash and 
dyn-bash to /bin/dbash. /bin/bash would then be an executable script. 
When installing a package, sandbox sets $DYNBASH to something, telling 
the script to use dbash. When done, simply unset $DYNBASH, and, like 
magic, the script then calls sbash. Feedback?




* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 19:21         ` Joshua Pollak
  2001-12-11 19:25           ` Geert Bevin
  2001-12-11 19:40           ` Zach Forrest
@ 2001-12-11 20:04           ` Daniel Robbins
  2001-12-11 20:16             ` Zach Forrest
  2 siblings, 1 reply; 11+ messages in thread
From: Daniel Robbins @ 2001-12-11 20:04 UTC
  To: gentoo-dev

On Tue, Dec 11, 2001 at 02:21:12PM -0500, Joshua Pollak wrote:
> On Tuesday 11 December 2001 1:23, you wrote:
> > most scripts refer to bash like this
> >
> > #!/bin/bash
> >
> > putting another one in the path doesn't work around this at all
> 
> Perhaps gentoo policy could be to make ebuilds reference:
> 
> #!/bin/ebuild-bash

Hi, 

We really don't need to be discussing this issue; sandboxing is only
for testing at the moment, and when it is integrated into Portage, 
we'll take care of resolving these issues.

Best Regards,

-- 
Daniel Robbins                                  <drobbins@gentoo.org>
Chief Architect/President                       http://www.gentoo.org 
Gentoo Technologies, Inc.



* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 20:04           ` Daniel Robbins
@ 2001-12-11 20:16             ` Zach Forrest
  2001-12-11 20:17               ` Daniel Robbins
  0 siblings, 1 reply; 11+ messages in thread
From: Zach Forrest @ 2001-12-11 20:16 UTC
  To: gentoo-dev

Where is the best place to discuss testing type issues?

Daniel Robbins wrote:

> On Tue, Dec 11, 2001 at 02:21:12PM -0500, Joshua Pollak wrote:
> 
>>On Tuesday 11 December 2001 1:23, you wrote:
>>
>>>most scripts refer to bash like this
>>>
>>>#!/bin/bash
>>>
>>>putting another one in the path doesn't work around this at all
>>>
>>Perhaps gentoo policy could be to make ebuilds reference:
>>
>>#!/bin/ebuild-bash
>>
> 
> Hi, 
> 
> We really don't need to be discussing this issue; sandboxing is only
> for testing at the moment, and when it is integrated into Portage, 
> we'll take care of resolving these issues.
> 
> Best Regards,
> 
> 





* Re: [gentoo-dev] Sandbox suggestion
  2001-12-11 20:16             ` Zach Forrest
@ 2001-12-11 20:17               ` Daniel Robbins
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel Robbins @ 2001-12-11 20:17 UTC
  To: gentoo-dev

On Tue, Dec 11, 2001 at 12:16:35PM -0800, Zach Forrest wrote:
> Where is the best place to discuss testing type issues?

> >>Perhaps gentoo policy could be to make ebuilds reference:
> >>
> >>#!/bin/ebuild-bash

What you are suggesting is not a "testing type" issue.  If you'd like to
discuss the current implementation of path sandboxing, this is the place.  But
we will handle the integration of sandboxing into Gentoo Linux proper,
including all the sub-issues that this raises.

Best Regards,

-- 
Daniel Robbins                                  <drobbins@gentoo.org>
Chief Architect/President                       http://www.gentoo.org 
Gentoo Technologies, Inc.

