* [gentoo-dev] Overriding the sandbox, or ...
From: monkey @ 2002-04-17 21:44 UTC (permalink / raw
To: gentoo-dev
... how can I get something installed in /usr/sbin? This will probably
open up a can of worms, but here I go. I want to change the ebuild for
iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that
it is more FHS-compliant since the reasoning in the ebuild states that
things were moved back to /sbin and /lib to help people with netmounted
/usr systems get things working properly. I take exception to that on two
points: one, iptables is firewalling code and nothing more, and two, no
firewall should have netmounted systems. The FHS recommends keeping / as
free of things as possible. Only applications needed to repair filesystems
and get simple communication going are recommended for install in /. Since
no firewall should have any netmounted filesystems, I don't see the
validity in the argument for moving everything into /sbin and /lib.
However, changing the ebuild to fix this results in a "sandbox violation"
and the emerge fails. So, how can I bypass the sandbox for my iptables
install? This is not a swipe at the maintainer, I just have a different
opinion of where I want my userspace firewall code to live. Thanks for any
pointers.
geoffrey
--
+++++++++++++++++++++++++++++++++++
Santa Claus,
the Tooth Fairy,
Windows 2000 ...
Some things you just outgrow.
+++++++++++++++++++++++++++++++++++
* Re: [gentoo-dev] Overriding the sandbox, or ...
From: Chad M. Huneycutt @ 2002-04-17 22:09 UTC (permalink / raw
To: gentoo-dev
monkey wrote:
> ... how can I get something installed in /usr/sbin? This will probably
> open up a can of worms, but here I go. I want to change the ebuild for
> iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that
> it is more FHS-compliant since the reasoning in the ebuild states that
> things were moved back to /sbin and /lib to help people with netmounted
> /usr systems get things working properly. I take exception to that on two
> points: one, iptables is firewalling code and nothing more, and two, no
> firewall should have netmounted systems. The FHS recommends keeping / as
> free of things as possible. Only applications needed to repair filesystems
> and get simple communication going are recommended for install in /. Since
> no firewall should have any netmounted filesystems, I don't see the
> validity in the argument for moving everything into /sbin and /lib.
> However, changing the ebuild to fix this results in a "sandbox violation"
> and the emerge fails. So, how can I bypass the sandbox for my iptables
> install? This is not a swipe at the maintainer, I just have a different
> opinion of where I want my userspace firewall code to live. Thanks for any
> pointers.
I don't understand. Why can't you just change whatever it is in the
iptables ebuild that specifies prefix=/ to prefix=/usr ? (this may require
changing more than just the ./configure stuff). You didn't say exactly
what you are trying to do to effect this, but it must be wrong. You will
only get sandbox violations if you try to install stuff outside the sandbox
before the merge stage, and that is always wrong (unless you have a darn
good reason). Remember that first the iptables stuff will be installed to
${D}/usr/sbin and ${D}/usr/lib, and then will be merged into the real file
system.
Chad (chadh@gentoo.org)
* Re: [gentoo-dev] Overriding the sandbox, or ...
From: monkey @ 2002-04-17 22:33 UTC (permalink / raw
To: gentoo-dev
On Wed, Apr 17, 2002 at 06:09:38PM -0400, thus spake Chad M. Huneycutt:
> I don't understand. Why can't you just change whatever it is in the
> iptables ebuild that specifies prefix=/ to prefix=/usr ? (this may require
> changing more than just the ./configure stuff). You didn't say exactly
> what you are trying to do to effect this, but it must be wrong. You will
> only get sandbox violations if you try to install stuff outside the sandbox
> before the merge stage, and that is always wrong (unless you have a darn
> good reason). Remember that first the iptables stuff will be installed to
> ${D}/usr/sbin and ${D}/usr/lib, and then will be merged into the real file
> system.
Yeah, I haven't studied enough to understand what the ${D} variable
denotes. I did change the sed segment in the ebuild to change the Makefile
from / to /usr, but when it tried to doinst is when I get the sandbox
screaming about trying to write outside of ${D} in /usr/sbin. So, I
suppose I just have a bit more reading to do. I don't want to override the
sandbox ... just understand how it works and dig up where my ebuild mods
are missing the needed changes. Thanks for the reply.
geoffrey
* Re: [gentoo-dev] Overriding the sandbox, or ...
From: Vitaly Kushneriuk @ 2002-04-18 11:43 UTC (permalink / raw
To: gentoo-dev
On Thu, 2002-04-18 at 00:44, monkey wrote:
> ... how can I get something installed in /usr/sbin? This will probably
> open up a can of worms, but here I go. I want to change the ebuild for
> iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that
> it is more FHS-compliant since the reasoning in the ebuild states that
> things were moved back to /sbin and /lib to help people with netmounted
> /usr systems get things working properly. I take exception to that on two
> points: one, iptables is firewalling code and nothing more, and two, no
> firewall should have netmounted systems. The FHS recommends keeping / as
> free of things as possible. Only applications needed to repair filesystems
> and get simple communication going are recommended for install in /. Since
> no firewall should have any netmounted filesystems, I don't see the
> validity in the argument for moving everything into /sbin and /lib.
> However, changing the ebuild to fix this results in a "sandbox violation"
> and the emerge fails. So, how can I bypass the sandbox for my iptables
> install? This is not a swipe at the maintainer, I just have a different
> opinion of where I want my userspace firewall code to live. Thanks for any
> pointers.
>
> geoffrey
Now that's silly. You say that a system that uses NFS does not need a
firewall? Wow ;). While iptables is firewalling code, it is not for
"pure firewall" systems only. Pretty much every system should install at
least a basic firewall, unless it's in a highly secure and trusted
environment with a good external firewall. And the firewall should be
installed _before_ the network comes up, so that there's no potential
opportunity window for an attack. That's why it should go to /sbin.
And this _is_ FHS compliant.
/Vitaly.
From: monkey @ 2002-04-18 18:36 UTC (permalink / raw
To: gentoo-dev
On Thu, Apr 18, 2002 at 02:43:09PM +0300, thus spake Vitaly Kushneriuk:
> Now that's silly. You say that a system that uses NFS does not need a
> firewall? Wow ;).
NO!!!! You missed the point. I said that no firewall (itself) should use
netmounted filesystems!
> While iptables is firewalling code, it is not for
> "pure firewall" systems only. Pretty much every system should install at
> least a basic firewall, unless it's in a highly secure and trusted
> environment with a good external firewall. And the firewall should be
> installed _before_ the network comes up, so that there's no potential
> opportunity window for an attack. That's why it should go to /sbin.
> And this _is_ FHS compliant.
Point about FHS compliance taken. I still don't think that the
rationalization for the installdir move is valid, but that is another
matter entirely and not relevant to anyone but me. This has really turned
into more of an academic study as to why I am unable to modify the ebuild
to relocate the installation directories more than anything else at this
point. I didn't mean to irritate anybody, just wondered why it was so, and
how I could change things more to my taste. Thanks for the replies. Is
there any documentation that will explain the sandbox feature and how it
is defined in my ebuild? I have done a very simple ebuild, and I still get
sandbox violations. Where is the ${D} variable defined/set? Thanks again
for any help/pointers.
geoffrey
From: Jared H. Hudson @ 2002-04-18 19:11 UTC (permalink / raw
To: gentoo-dev
If you want to override the sandbox you can do it one of two ways:
1) Override it in portage by editing your /etc/make.conf file and adding
a line of FEATURES="" at the bottom.
2) Override it for this package/path. Edit your version of the iptables
ebuild with a statement of addwrite "/usr/sbin"
BUT, installing something in a different location other than /usr should
not spark a sandbox error. Sandbox is only concerned with a compilation
writing things outside the temporary image area.
You have to understand that when your ebuild is built it goes through
these main steps: (there's technically more, but these are the most
important)
unpack - tarballs are unpacked into /var/tmp/portage/ebuild_name/work
compile - ./configure and make are run -- this is where sandbox is most
important and should not find an error
install - make install is run with paths to install to
/var/tmp/portage/ebuild_name/image
merge - files from /var/tmp/portage/ebuild_name/image are "merged" with
/ (or whatever $ROOT is set to)
So, to answer your question ${D} is /var/tmp/portage/ebuild_name/image/
-Jared H.
On Thu, Apr 18, 2002 at 02:11:36PM -0500, thus spake Jared H. Hudson:
> So, to answer your question ${D} is /var/tmp/portage/ebuild_name/image/
Thanks. Is this stuff documented somewhere, and I simply overlooked it?
geoffrey
From: Jared H. Hudson @ 2002-04-18 19:32 UTC (permalink / raw
To: gentoo-dev
A good deal of it is documented at:
http://www.gentoo.org/doc/gentoo-howto.html
But in the case of ${D} I first searched for it via grep
grep -r -i '${d}' /usr/portage/*
Then once I found an example of another ebuild using it I looked at how
it used it and, combined with what I said below about how the install
section works, it made sense that it was /var/tmp/portage/... etc.
To test this belief, I created a small ebuild with 1 line in it
test-1.0.ebuild
---------------
echo ${D}
---------------
Then ran ebuild test-1.0.ebuild clean
And it prints /var/tmp/portage/test-1.0/image/ so my belief was correct.
-Jared H.
From: Tod M. Neidt @ 2002-04-18 20:58 UTC (permalink / raw
To: gentoo-dev
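As an added example (not code from the thread, and not Portage's own sandbox implementation), here is a small POSIX sh model of the rule Jared describes: during the install step every write has to land under ${D}, and ${D} is only known once you look at the image directory. The image path, the two install targets and the "with/without DESTDIR" command lines are constructed for the demonstration; the "wrong" case is the missing ${D} prefix that monkey later reports as the cause of his violations.

```shell
#!/bin/sh
# Added example: a toy model of the Portage sandbox rule for src_install.
# Constructed values: the image directory D and the two install targets.

# Paths a Makefile's "make install" would write, given the install prefix
# and an optional DESTDIR. An empty DESTDIR means it writes straight into
# the live system, which is exactly what the sandbox exists to catch.
install_targets() {
    destdir="$1"
    prefix="$2"
    for f in sbin/iptables lib/iptables/libipt_LOG.so; do
        printf '%s\n' "${destdir}${prefix}/${f}"
    done
}

# The rule from the thread: during the install step every write must be
# under ${D}. Prints each offending path; returns 1 if any were found.
sandbox_check() {
    d="$1"; shift
    rc=0
    for path in "$@"; do
        case "$path" in
            "$d"/*) ;;                                   # inside the image
            *) printf 'SANDBOX VIOLATION: %s\n' "$path"; rc=1 ;;
        esac
    done
    return $rc
}

# Number of violations an install run would produce (constructed paths
# contain no whitespace, so word-splitting the target list is safe).
violation_count() {
    d="$1"; destdir="$2"; prefix="$3"
    sandbox_check "$d" $(install_targets "$destdir" "$prefix") \
        | grep -c VIOLATION || true
}

D=/var/tmp/portage/iptables-1.2.6a/image      # constructed, thread-era layout

echo "wrong: make install PREFIX=/usr   (no DESTDIR, writes to the live /usr)"
sandbox_check "$D" $(install_targets "" /usr) || true

echo "right: make install DESTDIR=\$D PREFIX=/usr"
sandbox_check "$D" $(install_targets "$D" /usr) && echo "ok: all writes under \$D"
```

The second run still ends up in /usr/sbin and /usr/lib after the merge step; the difference is only that the files pass through ${D} first, which is the distinction Chad's reply draws between the install and merge stages.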
On Thu, 2002-04-18 at 14:21, monkey wrote:
> On Thu, Apr 18, 2002 at 02:11:36PM -0500, thus spake Jared H. Hudson:
>
> > So, to answer your question ${D} is /var/tmp/portage/ebuild_name/image/
>
> Thanks. Is this stuff documented somewhere, and I simply overlooked it?
>
Hi!
See 'man 5 ebuild', although note that the example ebuild script is
dated regarding syntax, see /usr/portage/skel.ebuild for an up to date
example.
Regards,
tod
From: Matthew Kennedy @ 2002-04-19 5:29 UTC (permalink / raw
To: gentoo-dev
Other issues aside, generally it's better to modify the build process
than to disable the sandbox. This might involve reading through Makefile
or Makefile.in for the software in question.
On Wed, 2002-04-17 at 16:44, monkey wrote:
> ... how can I get something installed in /usr/sbin? This will probably
> open up a can of worms, but here I go. I want to change the ebuild for
> iptables-1.2.6a to install with the prefix "/usr". Why, well I feel that
--
Matthew Kennedy
Gentoo Linux Developer
From: monkey @ 2002-04-20 17:53 UTC (permalink / raw
To: gentoo-dev
On Fri, Apr 19, 2002 at 12:29:08AM -0500, thus spake Matthew Kennedy:
> Other issues aside, generally it's better to modify the build process
> than to disable the sandbox. This might involve reading through Makefile
> or Makefile.in for the software in question.
First of all, thanks to all who replied to my original question, thanks
again for all the pointers to documentation and appropriate manpages, and
thanks for the generated discussion. Through all of this I was able to
determine that my sandbox issue had to do with the fact that I had not
included ${D} in front of all of my entries in the "make install" process.
Once that was done, all went smoothly. Thanks once again for all of the
help! Now it's on to trying to get dsniff and fragroute ebuilds done.
Anybody want to help?
geoffrey