From: Michael Orlitzky
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] rfc: ideas for fixing OpenRC checkpath issue
Date: Fri, 19 Jan 2018 20:20:50 -0500
Message-ID: <5597b7ed-1034-af38-4063-b4cb5201e96d@gentoo.org>
In-Reply-To: <20180120011406.GA25389@linux1.home>
References: <20180110180443.GA1085@whubbs1.gaikai.biz> <20180110215437.GA3156@whubbs1.gaikai.biz> <731ea2b8-349d-28d4-72a6-3b9555f5bdf7@gentoo.org> <20180117152108.GA9130@linux1.home> <04627c1a-64b7-9370-41d8-ddc79213de5b@gentoo.org> <20180117171416.GA18843@whubbs1.gaikai.biz> <03558fda-26b3-2e3a-ad42-c94848f49955@gentoo.org> <20180120001648.GA24415@linux1.home> <464a4683-8613-1b79-35a1-9e4d53ae36e6@gentoo.org> <20180120011406.GA25389@linux1.home>

On 01/19/2018 08:14 PM, William Hubbs wrote:
>>
>> Why not? Since /var/lib is root:root and mode 755, we can create
>> /var/lib/foo while running --as=root (the default). Then afterwards,
>> anything beneath /var/lib/foo would need to be created "--as" the owner
>> of that directory.
>
> That would create an extra level of indirection for some things though,
> what if /var/lib/foo needs to be owned by foo? I have /var/lib/dhcp
> which is owned by dhcp:dhcp. You can't create that with --as=dhcp.
>

The same way you do it now:

  newpath --directory /var/lib/dhcp --owner dhcp:dhcp

There's no new obstacle, because /var/lib is writable only by root and
the current OpenRC user (also root, in this case). Now if you need
/var/lib/dhcp/something-else to be owned by dhcp:dhcp, *then* you would
do it --as=dhcp.
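The rule being argued over in this exchange, as an added example that is not part of the thread and not OpenRC's own code: a path may be created only by the user who owns the parent directory, so the root-owned /var/lib gets /var/lib/dhcp created as root (with --owner dhcp:dhcp), and everything beneath the dhcp-owned /var/lib/dhcp is created --as=dhcp. The `newpath` function, the `allowed` helper, and the `FakeFs` ownership table (a constructed stand-in for a real filesystem, with group and other write bits ignored) are all assumptions made here to model that policy; `newpath` is a hypothetical name from the thread, not a shipped tool.

```python
"""Model of the two-step create policy discussed in the thread (added example).

The only rule enforced: the user you run as must own the directory you are
creating an entry in. Root therefore creates /var/lib/dhcp (parent /var/lib is
root-owned) and the dhcp user creates anything under /var/lib/dhcp.
"""
from dataclasses import dataclass, field


@dataclass
class FakeFs:
    """Constructed ownership table standing in for a real filesystem.

    Maps a directory path to its owning user. Only user ownership is modelled;
    group/other write permissions are ignored (assumption for this example).
    """
    owners: dict = field(default_factory=lambda: {
        "/": "root",
        "/var": "root",
        "/var/lib": "root",   # root:root mode 755, as stated in the thread
    })

    def exists(self, path: str) -> bool:
        return path in self.owners

    def owner(self, path: str) -> str:
        return self.owners[path]

    def mkdir(self, path: str, owner: str) -> None:
        self.owners[path] = owner


def parent_of(path: str) -> str:
    """Return the parent directory of an absolute path ('/' for top-level)."""
    head = path.rstrip("/").rsplit("/", 1)[0]
    return head or "/"


def newpath(fs: FakeFs, directory: str, owner: str, as_user: str = "root") -> None:
    """Hypothetical `newpath --directory DIR --owner OWNER --as AS_USER`.

    Creates `directory` owned by `owner` while acting as `as_user`. Raises
    PermissionError when `as_user` does not own the parent directory, or when a
    non-root `as_user` asks for an owner other than itself (an unprivileged
    process cannot give files away). An existing directory is left untouched;
    repairing ownership of existing paths is outside this model.
    """
    if fs.exists(directory):
        return
    parent = parent_of(directory)
    if not fs.exists(parent):
        raise FileNotFoundError(f"parent {parent} does not exist")
    parent_owner = fs.owner(parent)
    if parent_owner != as_user:
        raise PermissionError(
            f"{as_user} may not create {directory}: {parent} is owned by {parent_owner}")
    if as_user != "root" and owner != as_user:
        raise PermissionError(
            f"{as_user} cannot create {directory} owned by {owner}")
    fs.mkdir(directory, owner)


def allowed(fs: FakeFs, directory: str, owner: str, as_user: str = "root") -> bool:
    """True if the policy permits the create and it was performed, else False."""
    try:
        newpath(fs, directory, owner, as_user)
    except (PermissionError, FileNotFoundError):
        return False
    return True


if __name__ == "__main__":
    fs = FakeFs()
    # The case from the thread: /var/lib/dhcp must be made as root, not --as=dhcp.
    print("as dhcp:", allowed(fs, "/var/lib/dhcp", "dhcp", as_user="dhcp"))
    print("as root:", allowed(fs, "/var/lib/dhcp", "dhcp"))
    # Beneath it, root is refused and dhcp is the one who creates.
    print("leases as root:", allowed(fs, "/var/lib/dhcp/leases", "dhcp"))
    print("leases as dhcp:", allowed(fs, "/var/lib/dhcp/leases", "dhcp", as_user="dhcp"))
```

Running it walks the two cases from the reply: creating /var/lib/dhcp is refused --as=dhcp and permitted as root, and once /var/lib/dhcp is dhcp-owned, a child such as /var/lib/dhcp/leases is refused as root and permitted --as=dhcp.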