* [gentoo-server] Virtual ssh users
@ 2005-09-06 0:09 Yogesh Sharma
2005-09-06 0:15 ` Jeremy Brake
2005-09-06 0:26 ` Ben Munat
0 siblings, 2 replies; 25+ messages in thread
From: Yogesh Sharma @ 2005-09-06 0:09 UTC (permalink / raw
To: gentoo-server
Hi,
Can someone point me to documentation for creating chrooted virtual ssh
only users.
Thanks
YS
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [gentoo-server] Virtual ssh users
2005-09-06 0:09 [gentoo-server] Virtual ssh users Yogesh Sharma
@ 2005-09-06 0:15 ` Jeremy Brake
2005-09-06 0:26 ` Ben Munat
1 sibling, 0 replies; 25+ messages in thread
From: Jeremy Brake @ 2005-09-06 0:15 UTC (permalink / raw
To: gentoo-server
Me too please. :)
Yogesh Sharma wrote:
>Hi,
>
>Can someone point me to documentation for creating chrooted virtual ssh
>only users.
>
>Thanks
>YS
>
>
>
* Re: [gentoo-server] Virtual ssh users
2005-09-06 0:09 [gentoo-server] Virtual ssh users Yogesh Sharma
2005-09-06 0:15 ` Jeremy Brake
@ 2005-09-06 0:26 ` Ben Munat
2005-09-06 6:08 ` ysharma
1 sibling, 1 reply; 25+ messages in thread
From: Ben Munat @ 2005-09-06 0:26 UTC (permalink / raw
To: gentoo-server
This is in portage and I've used it a bit... pretty straightforward.
http://www.jmcresearch.com/projects/jail/
Just remember that *everything* needed by the user has to be in the jail... if you use any
executable (apache, php, mysql, etc.) outside the jail, it is no longer secure.
b
Yogesh Sharma wrote:
> Hi,
>
> Can someone point me to documentation for creating chrooted virtual ssh
> only users.
>
> Thanks
> YS
>
* Re: [gentoo-server] Virtual ssh users
2005-09-06 0:26 ` Ben Munat
@ 2005-09-06 6:08 ` ysharma
2005-09-06 16:41 ` Ben Munat
0 siblings, 1 reply; 25+ messages in thread
From: ysharma @ 2005-09-06 6:08 UTC (permalink / raw
To: gentoo-server
Hi,
I am trying to addjailuser with the following syntax
addjailuser /home/chroot/jail /home/testys /bin/bash testys
and I am getting error:
addjailuser
A component of Jail (version 1.9 for linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas <assman@gsyc.inf.uc3m.es>
Adding user testys in chrooted environment /home/chroot/jail
Error: Can't add the user.
Done.
I already created jail env and added sw also
Any idea ?
Thanks
YS
> This is in portage and I've used it a bit... pretty straightforward.
>
> http://www.jmcresearch.com/projects/jail/
>
> Just remember that *everything* needed by the user has to be in the
> jail... if you use any
> executable (apache, php, mysql, etc.) outside the jail, it is no longer
> secure.
>
> b
>
>
> Yogesh Sharma wrote:
>> Hi,
>>
>> Can someone point me to documentation for creating chrooted virtual ssh
>> only users.
>>
>> Thanks
>> YS
>>
> --
> gentoo-server@gentoo.org mailing list
>
>
* Re: [gentoo-server] Virtual ssh users
2005-09-06 6:08 ` ysharma
@ 2005-09-06 16:41 ` Ben Munat
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
2005-09-08 14:43 ` [gentoo-server] Virtual ssh users A. Khattri
0 siblings, 2 replies; 25+ messages in thread
From: Ben Munat @ 2005-09-06 16:41 UTC (permalink / raw
To: gentoo-server
Hmm, I haven't messed with jail in a while... Well, did you add the jailed user to the
regular system with useradd? In other words, there are two steps to adding a jailed user:
add the user to the regular system with useradd and a shell of /usr/bin/jail and then add
the user to jail with addjailuser and a shell of /bin/bash. Oh, and the /usr/bin/jail
shell needs to be in /etc/shells.
If that doesn't help, look around on the jail website and try the mailing list.
good luck,
Ben
ysharma@catprosystems.com wrote:
> Hi,
>
> I am trying to addjailuser with the following syntax
>
> addjailuser /home/chroot/jail /home/testys /bin/bash testys
>
> and I am getting error:
>
> addjailuser
> A component of Jail (version 1.9 for linux)
> http://www.gsyc.inf.uc3m.es/~assman/jail/
> Juan M. Casillas <assman@gsyc.inf.uc3m.es>
>
> Adding user testys in chrooted environment /home/chroot/jail
> Error: Can't add the user.
> Done.
>
> I already created jail env and added sw also
>
> Any idea ?
>
> Thanks
> YS
>
>
>>This is in portage and I've used it a bit... pretty straightforward.
>>
>>http://www.jmcresearch.com/projects/jail/
>>
>>Just remember that *everything* needed by the user has to be in the
>>jail... if you use any
>>executable (apache, php, mysql, etc.) outside the jail, it is no longer
>>secure.
>>
>>b
>>
>>
>>Yogesh Sharma wrote:
>>
>>>Hi,
>>>
>>>Can someone point me to documentation for creating chrooted virtual ssh
>>>only users.
>>>
>>>Thanks
>>>YS
>>>
>>
>>--
>>gentoo-server@gentoo.org mailing list
>>
>>
>
>
>
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 25+ messages in thread
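The two-step setup described in the message above, written as a pre-flight check to run before (or after a failed) addjailuser. This is an added example, not part of the original message or of the Jail project. It assumes addjailuser records the user in the jail's own etc/passwd; the function names and the ROOT prefix argument are this example's own.

```shell
#!/bin/sh
# Added example: verify the preconditions for a jailed ssh user.
# ASSUMPTION: the jail keeps its own etc/passwd with an entry per jailed
# user. ROOT is a prefix for the host files so the check can also be run
# against a copy of /etc; function names are hypothetical.

# passwd_shell FILE USER: print the login shell (7th field) of USER.
# Exit status is non-zero when the file or the user is missing.
passwd_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 }
                       END { exit !found }' "$1" 2>/dev/null
}

# check_jail_user ROOT JAIL USER
# Prints one line per problem found and returns 1 if there was any.
check_jail_user() {
    root=$1 jail=$2 user=$3 rc=0

    # Step 1: host account exists and its shell is the jail wrapper.
    host_shell=$(passwd_shell "$root/etc/passwd" "$user") || {
        echo "host: no account '$user' (run useradd first)"; rc=1; }
    if [ "$rc" -eq 0 ] && [ "$host_shell" != /usr/bin/jail ]; then
        echo "host: shell is '$host_shell', expected /usr/bin/jail"; rc=1
    fi

    # The wrapper must be listed as a valid login shell.
    grep -qxF /usr/bin/jail "$root/etc/shells" 2>/dev/null || {
        echo "host: /usr/bin/jail missing from /etc/shells"; rc=1; }

    # Step 2: the user exists inside the jail with a real shell there.
    jail_shell=$(passwd_shell "$jail/etc/passwd" "$user") || {
        echo "jail: no entry for '$user' (addjailuser not done)"
        jail_shell=; rc=1; }

    # Everything the user needs has to live inside the jail, shell included.
    if [ -n "$jail_shell" ] && [ ! -x "$jail$jail_shell" ]; then
        echo "jail: shell $jail_shell is not present inside $jail"; rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check-jail.sh / /home/chroot/jail testys
if [ "$#" -eq 3 ]; then
    check_jail_user "$@"
fi
```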
* [gentoo-server] prioritising security updates
2005-09-06 16:41 ` Ben Munat
@ 2005-09-06 21:53 ` Jeremy Brake
2005-09-06 22:14 ` Paul Kölle
` (3 more replies)
2005-09-08 14:43 ` [gentoo-server] Virtual ssh users A. Khattri
1 sibling, 4 replies; 25+ messages in thread
From: Jeremy Brake @ 2005-09-06 21:53 UTC (permalink / raw
To: gentoo-server
Hey,
Is there anything in Portage which will allow me to view security
updates, separate from general version updates?
At the moment I have a 5am cron job which runs "emerge --sync && emerge
-upvD world", and I just glance at it as soon as I sit down at my pc
for the day.
The problem here is that I can't tell if updates (eg, at the moment it
wants to update openssh and apache2) are security patches, or just
general version upgrades.
I know I can use "system" instead of "world" and omit the -D option, but
that's not targeting my issue exactly. Is there a way to see which
updates are security patches, without having to manually trawl through
webpages and changelogs?
Jeremy
* Re: [gentoo-server] prioritising security updates
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
@ 2005-09-06 22:14 ` Paul Kölle
2005-09-07 6:12 ` Michael Irey
` (2 subsequent siblings)
3 siblings, 0 replies; 25+ messages in thread
From: Paul Kölle @ 2005-09-06 22:14 UTC (permalink / raw
To: gentoo-server
Jeremy Brake wrote:
> Hey,
>
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
emerge gentoolkit && glsa-check -l all
hth
Paul
* Re: [gentoo-server] prioritising security updates
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
2005-09-06 22:14 ` Paul Kölle
@ 2005-09-07 6:12 ` Michael Irey
2005-09-07 6:48 ` W.Kenworthy
2005-09-07 12:21 ` xyon
2005-09-08 14:39 ` A. Khattri
3 siblings, 1 reply; 25+ messages in thread
From: Michael Irey @ 2005-09-07 6:12 UTC (permalink / raw
To: gentoo-server
To make it easy I have added these 2 lines to my crontab
10 2 * * * /usr/bin/emerge --sync 2> /dev/null > /root/tmp/daily-emerge-sync.txt
50 2 * * * /usr/bin/glsa-check -ln 2> /dev/null | grep ' \[N\]'
Then every morning I get an email if there are packages with vulnerabilities.
I can decide manually the priority. Because I don't want apache updating
itself in the middle of the night... I do it manually, from my emailed list.
On Tuesday 06 September 2005 02:53 pm, Jeremy Brake wrote:
> Hey,
>
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my pc
> for the day.
> The problem here is that I can't tell if updates (eg, at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.
>
> I know I can use "system" instead of "world" and omit the -D option, but
> that's not targeting my issue exactly. Is there a way to see which
> updates are security patches, without having to manually trawl through
> webpages and changelogs?
>
> Jeremy
* Re: [gentoo-server] prioritising security updates
2005-09-07 6:12 ` Michael Irey
@ 2005-09-07 6:48 ` W.Kenworthy
2005-09-07 15:28 ` Matthias Bethke
0 siblings, 1 reply; 25+ messages in thread
From: W.Kenworthy @ 2005-09-07 6:48 UTC (permalink / raw
To: gentoo-server
or to reduce bandwidth try this as the crontab command:
rsync --recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 rsync://rsync.gentoo.org/gentoo-portage/metadata/glsa/* /usr/portage/metadata/glsa/ ;glsa-check -n -l|grep "\[N"
This syncs only the glsa metadata, and the cron email also shows updates
that it has synced, but do not apply to your system. However, when you
do a glsa -f package to apply the fix, you must first "emerge sync" to
update the full tree. As glsa's that affect my systems are few and far
between, there's quite a bandwidth saving.
e.g.,
___________________
...
MOTD brought to you by motd-o-matic, version 0.3
receiving file list ... done
glsa-200509-03.xml
timestamp.chk
Number of files: 539
Number of files transferred: 2
Total file size: 1406439 bytes
Total transferred file size: 2153 bytes
Literal data: 2153 bytes
Matched data: 0 bytes
File list size: 8682
Total bytes written: 199
Total bytes read: 11353
wrote 199 bytes read 11353 bytes 2100.36 bytes/sec
total size is 1406439 speedup is 121.75
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
[N] indicates that the system might be affected.
___________________
In the above case, a new glsa (glsa-200509-03) has been issued, but it
doesn't apply. On my todo list is to filter and summarize so all I get
is what's new, and what applies to me!
BillK
On Tue, 2005-09-06 at 23:12 -0700, Michael Irey wrote:
> To make it easy I have added these 2 lines to my crontab
>
> 10 2 * * * /usr/bin/emerge --sync 2> /dev/null > /root/tmp/daily-emerge-sync.txt
> 50 2 * * * /usr/bin/glsa-check -ln 2> /dev/null | grep ' \[N\]'
>
> Then every morning I get an email if there are packages with vulnerabilities.
>
> I can decide manually the priority. Because I don't want apache updating
> itself in the middle of the night... I do it manually, from my emailed list.
>
>
> On Tuesday 06 September 2005 02:53 pm, Jeremy Brake wrote:
> > Hey,
> >
> > Is there anything in Portage which will allow me to view security
> > updates, separate from general version updates?
> > At the moment I have a 5am cron job which runs "emerge --sync && emerge
> > -upvD world", and I just glance at it as soon as I sit down at my pc
> > for the day.
> > The problem here is that I can't tell if updates (eg, at the moment it
> > wants to update openssh and apache2) are security patches, or just
> > general version upgrades.
> >
> > I know I can use "system" instead of "world" and omit the -D option, but
> > that's not targeting my issue exactly. Is there a way to see which
> > updates are security patches, without having to manually trawl through
> > webpages and changelogs?
> >
> > Jeremy
* Re: [gentoo-server] prioritising security updates
2005-09-07 6:48 ` W.Kenworthy
@ 2005-09-07 15:28 ` Matthias Bethke
2005-09-07 22:56 ` William Kenworthy
0 siblings, 1 reply; 25+ messages in thread
From: Matthias Bethke @ 2005-09-07 15:28 UTC (permalink / raw
To: gentoo-server
Hi W.Kenworthy,
on Wednesday, 2005-09-07 at 14:48:08, you wrote:
> or to reduce bandwidth try this as the crontab command:
>
> rsync --recursive --links --safe-links --perms --times --compress
                                                         ^^^^^^^^^^
IIRC you're not supposed to do this as it generates too much load on the
gentoo mirrors. Might depend on the individual server's policy but I
think that's the general rule.
regards
Matthias
--
I prefer encrypted and signed messages. KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46 B9 8A B9 E2 09 9F 3B 91
* Re: [gentoo-server] prioritising security updates
2005-09-07 15:28 ` Matthias Bethke
@ 2005-09-07 22:56 ` William Kenworthy
2005-09-08 12:19 ` Matthias Bethke
0 siblings, 1 reply; 25+ messages in thread
From: William Kenworthy @ 2005-09-07 22:56 UTC (permalink / raw
To: gentoo-server
rattus src # grep -n compress `which emerge`
2425: "--compress", # Compress the data transmitted
rattus src #
It's in the arguments passed to rsync in the emerge script which is where
I got it from. If emerge uses it ...
BillK
On Wed, 2005-09-07 at 17:28 +0200, Matthias Bethke wrote:
> Hi W.Kenworthy,
> on Wednesday, 2005-09-07 at 14:48:08, you wrote:
> > or to reduce bandwidth try this as the crontab command:
> >
> > rsync --recursive --links --safe-links --perms --times --compress
>                                                          ^^^^^^^^^^
> IIRC you're not supposed to do this as it generates too much load on the
> gentoo mirrors. Might depend on the individual server's policy but I
> think that's the general rule.
>
> regards
> Matthias
--
William Kenworthy <billk@iinet.net.au>
Home!
* Re: [gentoo-server] prioritising security updates
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
2005-09-06 22:14 ` Paul Kölle
2005-09-07 6:12 ` Michael Irey
@ 2005-09-07 12:21 ` xyon
2005-09-08 14:39 ` A. Khattri
3 siblings, 0 replies; 25+ messages in thread
From: xyon @ 2005-09-07 12:21 UTC (permalink / raw
To: gentoo-server
I have a 'quick n dirty' script cron'd up that at the top lets me know
the security updates, below lets me know the version updates, and below
that displays the changelog of packages available for update:
-----------------------------------------------------------------------------
#!/bin/sh
emerge --sync
echo '***************************' > /tmp/updates.txt
echo ' System Updates ' >> /tmp/updates.txt
echo '***************************' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo 'Critical Updates:' >> /tmp/updates.txt
glsa-check -l 2>/dev/null | grep '\[N\]' | grep -v 'indicates that' | cut -d ']' -f2 >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo 'Non-Critical Updates:' >> /tmp/updates.txt
emerge -up world >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo 'Changelogs:' >> /tmp/updates.txt
emerge -upl world >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
echo ' ' >> /tmp/updates.txt
mutt -s 'Server Updates' -i /tmp/updates.txt -x myuser@mydomain.com
rm /tmp/updates.txt
-----------------------------------------------------------------------
It actually comes out to a nicely formatted email. :)
HTH!
On Wed, 2005-09-07 at 09:53 +1200, Jeremy Brake wrote:
> Hey,
>
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my pc
> for the day.
> The problem here is that I can't tell if updates (eg, at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.
>
> I know I can use "system" instead of "world" and omit the -D option, but
> that's not targeting my issue exactly. Is there a way to see which
> updates are security patches, without having to manually trawl through
> webpages and changelogs?
>
> Jeremy
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 25+ messages in thread
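The "filter and summarize so all I get is what's new, and what applies to me" idea from the earlier message, combined with the report script above, as an added example that is not code from anyone in the thread. It assumes `glsa-check -l` prints one advisory per line as `<id> [<status>] <title> ( <packages> )`; the function names and the state-file path are hypothetical, and the report goes to a mktemp file because a fixed /tmp name in a root cron job can be pre-created or symlinked by a local user.

```shell
#!/bin/sh
# Added example (not code from the thread). ASSUMPTION: `glsa-check -l`
# prints one advisory per line as "<id> [<status>] <title> ( <packages> )".

# Constructed sample output. Only the ID 200509-03 and the legend line
# appear in the thread; the other IDs, titles and packages are made up.
sample_glsa_output() {
    cat <<'EOF'
[N] indicates that the system might be affected.

200509-03 [U] Constructed title A ( app-misc/example-a )
209901-01 [N] Constructed title B ( net-misc/example-b )
209901-02 [N] Constructed title C ( www-servers/example-c )
EOF
}

# affected_glsas: read glsa-check output on stdin and print
# "<id> <title> ( <packages> )" for every [N] advisory. The pattern is
# anchored on the advisory ID, so the legend line is skipped without a
# separate grep -v.
affected_glsas() {
    sed -n 's/^\([0-9]\{6\}-[0-9][0-9]*\)[[:space:]]*\[N\][[:space:]]*/\1 /p'
}

# new_affected_glsas STATEFILE: like affected_glsas, but print only
# advisories whose ID is not yet listed in STATEFILE, then record them,
# so each advisory is reported once.
new_affected_glsas() {
    state=$1
    [ -f "$state" ] || : > "$state"
    affected_glsas | while read -r id rest; do
        if ! grep -qxF "$id" "$state"; then
            printf '%s %s\n' "$id" "$rest"
            printf '%s\n' "$id" >> "$state"
        fi
    done
}

# build_report STATEFILE: write the report for the glsa-check output on
# stdin to a private file created by mktemp (mode 0600, unpredictable
# name) and print that file's path.
build_report() {
    report=$(mktemp "${TMPDIR:-/tmp}/glsa-report.XXXXXX") || return 1
    {
        echo 'New advisories that may affect this host:'
        new_affected_glsas "$1"
    } > "$report"
    printf '%s\n' "$report"
}

# Cron usage (state-file path is hypothetical):
#   r=$(glsa-check -l 2>/dev/null | build_report /var/lib/glsa-seen.list)
#   then mail "$r" as in the script above and rm -f "$r"

# Demo on the constructed sample: the second run reports nothing new.
demo_state=$(mktemp) && {
    echo '--- first run ---'
    sample_glsa_output | new_affected_glsas "$demo_state"
    echo '--- second run ---'
    sample_glsa_output | new_affected_glsas "$demo_state"
    rm -f "$demo_state"
}
```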
* Re: [gentoo-server] prioritising security updates
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
` (2 preceding siblings ...)
2005-09-07 12:21 ` xyon
@ 2005-09-08 14:39 ` A. Khattri
3 siblings, 0 replies; 25+ messages in thread
From: A. Khattri @ 2005-09-08 14:39 UTC (permalink / raw
To: gentoo-server
On Wed, 7 Sep 2005, Jeremy Brake wrote:
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my pc
> for the day.
> The problem here is that I can't tell if updates (eg, at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.
Do a Google for "Gentoo glcu" - it's a script that does all the updates and
security checks for you. I have it run from cron on all my servers.
* Re: [gentoo-server] Virtual ssh users
2005-09-06 16:41 ` Ben Munat
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
@ 2005-09-08 14:43 ` A. Khattri
1 sibling, 0 replies; 25+ messages in thread
From: A. Khattri @ 2005-09-08 14:43 UTC (permalink / raw
To: gentoo-server
On Tue, 6 Sep 2005, Ben Munat wrote:
> Hmm, I haven't messed with jail in a while... Well, did you add the jailed user to the
> regular system with useradd? In other words, there are two steps to adding a jailed user:
> add the user to the regular system with useradd and a shell of /usr/bin/jail and then add
> the user to jail with addjailuser and a shell of /bin/bash. Oh, and the /usr/bin/jail
> shell needs to be in /etc/shells.
Incidentally, you can use libnss-mysql to avoid having to create an actual
system account if you need "true" virtual users.
* RE: [gentoo-server] prioritising security updates
@ 2005-09-06 22:05 Christopher Schwerdt
2005-09-06 22:16 ` Jeremy Brake
2005-09-07 2:04 ` Ben Munat
0 siblings, 2 replies; 25+ messages in thread
From: Christopher Schwerdt @ 2005-09-06 22:05 UTC (permalink / raw
To: gentoo-server
> -----Original Message-----
> From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz]
> Sent: Tuesday, September 06, 2005 3:53 PM
> To: gentoo-server@lists.gentoo.org
> Subject: [gentoo-server] prioritising security updates
>
> Hey,
>
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
Install gentoolkit if you haven't already and run "glsa-check -t all".
It will show you all GLSA's that affect your currently installed
packages. You can then "glsa-check -d YYYYMM-DD" to view the resolution
(i.e. what packages to emerge) of the security update.
* Re: [gentoo-server] prioritising security updates
2005-09-06 22:05 [gentoo-server] prioritising security updates Christopher Schwerdt
@ 2005-09-06 22:16 ` Jeremy Brake
2005-09-07 2:04 ` Ben Munat
1 sibling, 0 replies; 25+ messages in thread
From: Jeremy Brake @ 2005-09-06 22:16 UTC (permalink / raw
To: gentoo-server
[-- Attachment #1: Type: text/html, Size: 1366 bytes --]
* Re: [gentoo-server] prioritising security updates
2005-09-06 22:05 [gentoo-server] prioritising security updates Christopher Schwerdt
2005-09-06 22:16 ` Jeremy Brake
@ 2005-09-07 2:04 ` Ben Munat
2005-09-07 5:51 ` Sune Kloppenborg Jeppesen
1 sibling, 1 reply; 25+ messages in thread
From: Ben Munat @ 2005-09-07 2:04 UTC (permalink / raw
To: gentoo-server
Christopher Schwerdt wrote:
>>-----Original Message-----
>>From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz]
>>Sent: Tuesday, September 06, 2005 3:53 PM
>>To: gentoo-server@lists.gentoo.org
>>Subject: [gentoo-server] prioritising security updates
>>
>>Hey,
>>
>>Is there anything in Portage which will allow me to view security
>>updates, separate from general version updates?
>
>
> Install gentoolkit if you haven't already and run "glsa-check -t all".
> It will show you all GLSA's that affect your currently installed
> packages. You can then "glsa-check -d YYYYMM-DD" to view the resolution
> (i.e. what packages to emerge) of the security update.
>
Curious. When I run "glsa-check -t all" it comes back with 17 hits. However, I have a
script that runs "emerge sync" and "emerge -p world" every night and another one that runs
"emerge -puD world" every Saturday. I am currently completely up to date on these except
libxml wants to be updated on "-uD".
So, how do I wind up with 17 packages that need to be updated? Hmm, perhaps these are all
packages on my system that are neither in my world file nor dependencies of stuff in my
world file? Would that then make them orphaned? And theoretically safe to delete? How does
one find out if a specific package is required by any other packages again?
b
PS: to the O.P... you can also subscribe to "gentoo-announce@lists.gentoo.org". I am and
have a mail filter route it into a glsa folder (it's 99.999% glsa anyway).
* Re: [gentoo-server] prioritising security updates
2005-09-07 2:04 ` Ben Munat
@ 2005-09-07 5:51 ` Sune Kloppenborg Jeppesen
2005-09-07 16:21 ` Ben Munat
0 siblings, 1 reply; 25+ messages in thread
From: Sune Kloppenborg Jeppesen @ 2005-09-07 5:51 UTC (permalink / raw
To: gentoo-server
On Wednesday 07 September 2005 04:04, Ben Munat wrote:
> Christopher Schwerdt wrote:
> Curious. When I run "glsa-check -t all" it comes back with 17 hits.
> However, I have a script that runs "emerge sync" and "emerge -p world"
> every night and another one that runs "emerge -puD world" every Saturday. I
> am currently completely up to date on these except libxml wants to be
> updated on "-uD".
>
> So, how do I wind up with 17 packages that need to be updated? Hmm, perhaps
> these are all packages on my system that are neither in my world file nor
> dependencies of stuff in my world file? Would that then make them orphaned?
> And theoretically safe to delete? How does one find out if a specific
> package is required by any other packages again?
Only packages you explicitly emerge are recorded in the world profile
(/var/lib/portage/world) dependencies are not. See the man pages for portage
and emerge for more details.
HTH
--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
http://security.gentoo.org
* Re: [gentoo-server] prioritising security updates
2005-09-07 5:51 ` Sune Kloppenborg Jeppesen
@ 2005-09-07 16:21 ` Ben Munat
2005-09-13 22:26 ` Jonas 'data' Fietz
0 siblings, 1 reply; 25+ messages in thread
From: Ben Munat @ 2005-09-07 16:21 UTC (permalink / raw
To: gentoo-server
Sune Kloppenborg Jeppesen wrote:
> On Wednesday 07 September 2005 04:04, Ben Munat wrote:
>
>>So, how do I wind up with 17 packages that need to be updated? Hmm, perhaps
>>these are all packages on my system that are neither in my world file nor
>>dependencies of stuff in my world file? Would that then make them orphaned?
>>And theoretically safe to delete? How does one find out if a specific
>>package is required by any other packages again?
>
> Only packages you explicitly emerge are recorded in the world profile
> (/var/lib/portage/world) dependencies are not. See the man pages for portage
> and emerge for more details.
>
> HTH
>
Thanks... however, I knew this much -- found that I have to be careful with this when
getting going on a new gentoo system. It's handy to say "emerge somephpapp" and get php
and mysql in the process... except then they're not in my world file.... though I suppose
I can always just add them by hand.
But doing an "emerge -D world" should find any dependencies of anything in the world file
that need updating, right? So, my questions still stand: are these packages that
glsa-check is finding stuff that other packages depended on at one point -- so they got
pulled in -- but are now no longer needed? And what tool can I use to ascertain this?
"emerge --depclean" is basically useless... it always wants to uninstall things that I'm
fairly sure are needed. "etcat" doesn't seem to have anything for finding dependencies. And
"equery depends" is still "unimplemented"... (though I thought I'd used that at one point
but it seems to find no results for everything I try).
Ideas anyone? What do you use to keep orphaned packages off your system?
b
* Re: [gentoo-server] prioritising security updates
2005-09-07 16:21 ` Ben Munat
@ 2005-09-13 22:26 ` Jonas 'data' Fietz
2005-09-21 16:45 ` Yogesh Sharma
0 siblings, 1 reply; 25+ messages in thread
From: Jonas 'data' Fietz @ 2005-09-13 22:26 UTC (permalink / raw
To: gentoo-server
Hi
>
> Ideas anyone? What do you use to keep orphaned packages off your system?
>
I'd suggest a simple
"emerge --depclean --ask world"
But you should take the warnings in the beginning seriously :)
Jonas
* Re: [gentoo-server] prioritising security updates
2005-09-13 22:26 ` Jonas 'data' Fietz
@ 2005-09-21 16:45 ` Yogesh Sharma
2005-09-22 3:28 ` Ben Munat
0 siblings, 1 reply; 25+ messages in thread
From: Yogesh Sharma @ 2005-09-21 16:45 UTC (permalink / raw
To: gentoo-server
Hi,
I usually do :
emerge -np `qpkg -I -nc`
once verified I do:
emerge -n `qpkg -I -nc`
or emerge individual package from -p output.
Thanks,
YS
* Re: [gentoo-server] prioritising security updates
2005-09-21 16:45 ` Yogesh Sharma
@ 2005-09-22 3:28 ` Ben Munat
2005-09-22 4:24 ` Yogesh Sharma
0 siblings, 1 reply; 25+ messages in thread
From: Ben Munat @ 2005-09-22 3:28 UTC (permalink / raw
To: gentoo-server
Yogesh Sharma wrote:
> Hi,
>
> I usually do :
>
> emerge -np `qpkg -I -nc`
>
> once verified I do:
>
> emerge -n `qpkg -I -nc`
>
> or emerge individual package from -p output.
This is pretty cool... thanks.
One interesting thing though: currently on my home machine, doing:
emerge -np `qpkg -I -nc`
or
emerge -p world
or
emerge -puD world
brings up three different orders for the list of packages to emerge. The "-p world" has
fewer packages, but the other two have the same number but in different orders. I suppose
that might just mean that order's not really significant in this case.
b
* Re: [gentoo-server] prioritising security updates
2005-09-22 3:28 ` Ben Munat
@ 2005-09-22 4:24 ` Yogesh Sharma
2005-09-22 16:03 ` Ben Munat
0 siblings, 1 reply; 25+ messages in thread
From: Yogesh Sharma @ 2005-09-22 4:24 UTC (permalink / raw
To: gentoo-server
Hi,
1. emerge -p world is basic emerge, it checks only packages written to
world file.
2. emerge -puD world is better than emerge -p as it does deep scan.
"--update (-u)
    Updates packages to the best version available, which may not
    always be the highest version number due to masking for testing
    and development. This will also update direct dependencies
    which may not be what you want. In general, use this option
    only in combination with the world or system target.
--deep (-D)
    When used in conjunction with --update, this flag forces emerge
    to consider the entire dependency tree of packages, instead of
    checking only the immediate dependencies of the packages. As an
    example, this catches updates in libraries that are not directly
    listed in the dependencies of a package."
3. emerge -np `qpkg -I -nc` is my version of -uD, which checks
all installed packages, including those that are missed by -uD.
Thanks
YS
Ben Munat wrote:
> Yogesh Sharma wrote:
>
>> Hi,
>>
>> I usually do :
>>
>> emerge -np `qpkg -I -nc`
>>
>> once verified I do:
>>
>> emerge -n `qpkg -I -nc`
>>
>> or emerge individual package from -p output.
>
>
> This is pretty cool... thanks.
>
> One interesting thing though: currently on my home machine, doing:
>
> emerge -np `qpkg -I -nc`
>
> or
>
> emerge -p world
>
> or
>
> emerge -puD world
>
> brings up three different orders for the list of packages to emerge.
> The "-p world" has fewer packages, but the other two have the same
> number but in different orders. I suppose that might just mean that
> order's not really significant in this case.
>
> b
* Re: [gentoo-server] prioritising security updates
2005-09-22 4:24 ` Yogesh Sharma
@ 2005-09-22 16:03 ` Ben Munat
0 siblings, 0 replies; 25+ messages in thread
From: Ben Munat @ 2005-09-22 16:03 UTC (permalink / raw
To: gentoo-server
Yogesh Sharma wrote:
>
> 3. emerge -np `qpkg -I -nc` is my version of -uD, which checks
> all installed packages, including those that are missed by -uD.
Thanks Yogesh. I understand the difference between the commands. In my case, the
combination of emerge and qpkg didn't find anything that -uD was missing, probably because
this home machine is a fresh reinstall (disk died).
What I thought was strange was that, even though both commands returned the same exact
list of packages to update, they were in a different order. I suppose that this was
because qpkg is just supplying command line args to emerge, and if the packages don't have
dependencies on each other, emerge is happy to do them in the order they appear on the
command line. Not sure what would determine the order that -uD gets...
Thanks again for the tip though; hadn't thought to use qpkg as input to emerge and hadn't
noticed that -n switch on emerge.
b
Thread overview: 25+ messages
2005-09-06 0:09 [gentoo-server] Virtual ssh users Yogesh Sharma
2005-09-06 0:15 ` Jeremy Brake
2005-09-06 0:26 ` Ben Munat
2005-09-06 6:08 ` ysharma
2005-09-06 16:41 ` Ben Munat
2005-09-06 21:53 ` [gentoo-server] prioritising security updates Jeremy Brake
2005-09-06 22:14 ` Paul Kölle
2005-09-07 6:12 ` Michael Irey
2005-09-07 6:48 ` W.Kenworthy
2005-09-07 15:28 ` Matthias Bethke
2005-09-07 22:56 ` William Kenworthy
2005-09-08 12:19 ` Matthias Bethke
2005-09-07 12:21 ` xyon
2005-09-08 14:39 ` A. Khattri
2005-09-08 14:43 ` [gentoo-server] Virtual ssh users A. Khattri
-- strict thread matches above, loose matches on Subject: below --
2005-09-06 22:05 [gentoo-server] prioritising security updates Christopher Schwerdt
2005-09-06 22:16 ` Jeremy Brake
2005-09-07 2:04 ` Ben Munat
2005-09-07 5:51 ` Sune Kloppenborg Jeppesen
2005-09-07 16:21 ` Ben Munat
2005-09-13 22:26 ` Jonas 'data' Fietz
2005-09-21 16:45 ` Yogesh Sharma
2005-09-22 3:28 ` Ben Munat
2005-09-22 4:24 ` Yogesh Sharma
2005-09-22 16:03 ` Ben Munat