* [gentoo-dev] [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: Zac Medico @ 2009-12-11 20:11 UTC
To: Gentoo Dev

Should we enable FEATURES=userpriv by default? If we do that then do
we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
should not be supported on the grounds that it is never justified?
What about prefix support (in EAPI 3), which often doesn't have root
privileges?
--
Thanks,
Zac

* Re: [gentoo-dev] [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: justin @ 2009-12-11 21:58 UTC
To: gentoo-dev

On 11/12/09 21:11, Zac Medico wrote:
> Should we enable FEATURES=userpriv by default? If we do that then do
> we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
> should not be supported on the grounds that it is never justified?
> What about prefix support (in EAPI 3), which often doesn't have root
> privileges?

FEATURES=userpriv has problems with distcc. I think it is only when used
in combination with pump mode but there I am not sure.

* Re: [gentoo-dev] [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: Zac Medico @ 2009-12-11 22:06 UTC
To: gentoo-dev

justin wrote:
> FEATURES=userpriv has problems with distcc. I think it is only when used
> in combination with pump mode but there I am not sure.

That can be fixed, right? How about after it's fixed?
--
Thanks,
Zac

* Re: [gentoo-dev] [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: Justin Lecher @ 2009-12-12 1:31 UTC
To: gentoo-dev

Zac Medico wrote:
> That can be fixed, right?

I don't know. It seems that the process cannot get the socket as user:

distcc[16297] ERROR: failed to connect to UNIX-DOMAIN /tmp/distcc-pump.HyIaX8/socket: Permission denied
distcc[16297] (dcc_build_somewhere) Warning: failed to get includes from include server, preprocessing locally

But this is the only problem I ever had with it.

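
An added diagnostic for the "Permission denied" in the distcc log above (example code, not part of the thread and not Portage or distcc code): it walks every component of a socket path and reports which ones deny access to a given unprivileged uid. It assumes the denial comes from ordinary mode bits; the temp directory, the stand-in file and the uid/gid values in `demo()` are constructed.

```python
import os
import shutil
import tempfile


def _allowed(st, uid, gids, need):
    """Apply the owner/group/other class that the kernel would pick."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"x": 1, "w": 2}[need])


def access_blockers(path, uid, gids):
    """List (component, missing_bit) pairs that deny uid/gids a connect()
    to a Unix socket at path. Only classic mode bits are modelled; ACLs,
    capabilities and LSM policy are ignored."""
    if uid == 0:
        return []  # root bypasses discretionary permission checks
    path = os.path.abspath(path)
    chain, cur = [path], path
    while os.path.dirname(cur) != cur:
        cur = os.path.dirname(cur)
        chain.append(cur)
    blockers = []
    for comp in reversed(chain):
        # Directories need search (x); the socket itself needs write (w).
        need = "w" if comp == path else "x"
        if not _allowed(os.stat(comp), uid, gids, need):
            blockers.append((comp, need))
    return blockers


def demo():
    """Constructed reproduction: a private temp dir, as mkdtemp creates it."""
    d = os.path.abspath(tempfile.mkdtemp(prefix="distcc-pump."))  # mode 0700
    sock = os.path.join(d, "socket")
    open(sock, "w").close()                     # regular file as stand-in
    os.chmod(sock, 0o600)
    st = os.stat(d)
    uid, gids = st.st_uid + 1, {st.st_gid + 1}  # hypothetical build user
    before = access_blockers(sock, uid, gids)
    os.chmod(d, 0o755)
    os.chmod(sock, 0o666)
    after = access_blockers(sock, uid, gids)
    shutil.rmtree(d)
    return d, sock, before, after


if __name__ == "__main__":
    d, sock, before, after = demo()
    print("before:", before)
    print("after: ", after)
```
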
* [gentoo-dev] Re: [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: Peter Hjalmarsson @ 2009-12-11 22:46 UTC
To: gentoo-dev

On Fri 2009-12-11 at 12:11 -0800, Zac Medico wrote:
> Should we enable FEATURES=userpriv by default? If we do that then do
> we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
> should not be supported on the grounds that it is never justified?
> What about prefix support (in EAPI 3), which often doesn't have root
> privileges?

That would be problematic for hardened, as they set the permission for
/usr/src/* to root only.

* [gentoo-dev] Re: [RFC] Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
From: Duncan @ 2009-12-12 1:03 UTC
To: gentoo-dev

Peter Hjalmarsson posted on Fri, 11 Dec 2009 23:46:07 +0100 as excerpted:

> On Fri 2009-12-11 at 12:11 -0800, Zac Medico wrote:
>> Should we enable FEATURES=userpriv by default? If we do that then do we
>> also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv should
>> not be supported on the grounds that it is never justified? What about
>> prefix support (in EAPI 3), which often doesn't have root privileges?
>
> That would be problematic for hardened, as they set the permission for
> /usr/src/* to root only.

Wouldn't setting it as its own user, say kernelcomp, and su/sudoing to
that before dealing with the kernel sources, be better? Kernel docs have
long said don't compile sources as root, tho obviously for installing them
you normally need to be root. FWIW, my (non-gentoo-related) kernel scripts
use a non-root user, tho it's my normal admin user (not my user user) that
has blanket sudo without password permission, but it could be a dedicated
one just as easily.

I'd expect hardened to be even more particular about compiling as root,
tho I see why general access isn't allowed. But dedicated user seems good.

Even if that's done, however, it'll take some time to update and test.
But it could be made the default before that, and hardened could set its
own default elsewise.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman