From: eroen <eroen@falcon.eroen.eu>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: User eix-sync permissions problem
Date: Mon, 10 Feb 2014 20:45:52 +0100
Message-ID: <20140210204552.77b43b15@falcon.eroen.eu>
In-Reply-To: <20140210190344.GB17128@waltdnes.org>
On Mon, 10 Feb 2014 14:03:44 -0500, "Walter Dnes"
<waltdnes@waltdnes.org> wrote:
> On Mon, Feb 10, 2014 at 05:09:55PM +0000, Stroller wrote
> >
> > On Mon, 10 February 2014, at 4:55 pm, Gleb Klochkov
> > <glebiuskv@gmail.com> wrote:
> >
> > > Hi. Try to use sudo with no password for eix-sync.
> >
> > I'd really rather not. Thanks, though.
>
> Being in group "portage" is not enough. That merely lets you do
> emerges with "--pretend". "emerge --sync" modifies files in
> /usr/portage. Files and directories in /usr/portage/ are user:group
> root:root. Therefore you *NEED* root-level permission to modify them.
> No ifs/ands/ors/buts. The overall easiest method is to (as root)...
> * "emerge sudoers" if it's not installed
> * "visudo -f /etc/sudoers.d/001" (or whatever you want to call the
> file)
> * set up the file. Here's a fragment from my system, with user
> "waltdnes" and machine name "i660"
> waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
> waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
>
> I could manually type the command with sudo, but I'm lazy. In my
> /home/waltdnes/bin directory, I have a file "hb"
>
> #!/bin/bash
> sync
> sleep 15
> sudo /usr/sbin/hibernate
>
> and file "fdl"
>
> #!/bin/bash
> sudo /sbin/fdisk -l
>
> To sync the machine, I could add to /etc/sudoers.d/001
>
> waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
>
> and create (as waltdnes) /home/waltdnes/emsy
>
> #!/bin/bash
> /usr/bin/emerge --sync
>
> For security, I strongly recommend that the full path of the
> executable be specified, as well as any options. Do not use the $*
> commandline parameter in the sudoers file. It probably works, but is
> too wide open.
>
eroen@falcon ~ $ wget -O - 'http://mirrors.eu.kernel.org/gentoo/snapshots/portage-20140209.tar.xz' 2>/dev/null | tar tvJ | head -n 10
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/sec-policy/
drwxr-xr-x portage/portage 0 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/
-rw-r--r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-9999.ebuild
-rw-r--r-- portage/portage 10496 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/Manifest
-rw-r--r-- portage/portage 476 2013-02-23 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r11.ebuild
-rw-r--r-- portage/portage 475 2012-12-13 11:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r8.ebuild
-rw-r--r-- portage/portage 475 2013-08-15 09:01 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20130424-r2.ebuild
-rw-r--r-- portage/portage 475 2012-10-04 20:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r5.ebuild
For portage's (default-enabled) FEATURES="usersync" to work (dropping
privileges when syncing as root), /usr/portage must be writeable by
portage:portage. The tree snapshots have not always had this
permissions setup, so mature installs would require manual intervention
at some point, either updating the permissions or disabling usersync.
Still, the files are not group-writeable by default, so portage group
membership would not be sufficient. I would suggest a solution based on
su/sudo, as merely changing the permissions would need to be re-done if
the tree is ever synced as root later.
--
eroen
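The two points made in this message, eroen's ownership requirement for FEATURES="usersync" and Walter's advice to pin NOPASSWD rules to a full path with fixed arguments, can both be checked mechanically before handing a user the sync. The script below is an added example and is not code from the list thread or from portage; the function names, the listing layout it parses, and the sample listing and sudoers fragment are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not code from the list thread. Two pre-flight checks for
# letting an unprivileged user run the tree sync, based on the two points
# made above:
#   check_tree_listing  - finds entries that break FEATURES="usersync", i.e.
#                         anything in the tree not owned portage:portage or not
#                         owner-writable (eroen's point).
#   audit_sudoers_rules - flags NOPASSWD rules of the shapes Walter warns
#                         against: relative command path, "*"/"$*" wildcards,
#                         or a bare ALL.
# Function names, the listing format and the sample data are assumptions made
# for this example.

# Input: one entry per line in `tar -tv` layout
#   mode owner/group size date time path
# (a live tree gives the same layout via
#   find /usr/portage -printf '%M %u/%g %s %TY-%Tm-%Td %TH:%TM %p\n').
# Paths are assumed not to contain spaces. Prints one line per offending entry;
# exit status 0 means the listing is usable with usersync.
check_tree_listing() {
    awk '
    {
        mode = $1; split($2, og, "/"); path = $NF
        bad = ""
        if (og[1] != "portage" || og[2] != "portage") bad = bad " owner=" $2
        if (substr(mode, 3, 1) != "w") bad = bad " not-owner-writable"
        if (bad != "") { print path ":" bad; n++ }
    }
    END { exit (n > 0) }'
}

# Input: sudoers lines. Only NOPASSWD rules are examined; one command spec per
# rule is assumed. Prints one line per rule worth tightening; exit status 0
# means every NOPASSWD rule names an absolute path with fixed arguments.
audit_sudoers_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        i = index($0, "NOPASSWD:")
        if (i == 0) next
        spec = substr($0, i + 9); sub(/^[ \t]+/, "", spec)
        split(spec, f, " ")
        cmd = f[1]
        bad = ""
        if (cmd == "ALL") bad = bad " any-command"
        else if (substr(cmd, 1, 1) != "/") bad = bad " relative-path"
        if (index(spec, "*") > 0) bad = bad " wildcard"
        if (bad != "") { print spec ":" bad; n++ }
    }
    END { exit (n > 0) }'
}

# Constructed sample data: the first two listing lines mirror the snapshot
# shown above; the other two are what an older root-synced tree looks like.
SAMPLE_LISTING='drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x root/root 0 2013-01-01 00:00 portage/profiles/
-r--r--r-- portage/portage 10 2013-01-01 00:00 portage/profiles/repo_name'

# Constructed sudoers.d fragment: the first rule is the shape recommended
# above, the rest are the shapes to avoid.
SAMPLE_SUDOERS='# example fragment
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge *
waltdnes i660 = (root) NOPASSWD: emerge --sync
waltdnes i660 = (root) NOPASSWD: ALL'

main() {
    echo "== entries that break usersync =="
    if printf '%s\n' "$SAMPLE_LISTING" | check_tree_listing; then echo "(none)"; fi
    echo "== NOPASSWD rules to tighten =="
    if printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers_rules; then echo "(none)"; fi
}
main
```

On a real box, feed check_tree_listing from the find invocation in the comment and audit_sudoers_rules from `cat /etc/sudoers.d/*`; a non-zero exit from the first means usersync will fail until the tree is chowned to portage:portage (or usersync is dropped from FEATURES), and a non-zero exit from the second means a rule grants more than the single fixed command it was meant to.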
Thread overview: 23+ messages
2014-02-10 16:05 [gentoo-user] User eix-sync permissions problem Stroller
2014-02-10 16:55 ` Gleb Klochkov
2014-02-10 17:09 ` Stroller
2014-02-10 19:03 ` Walter Dnes
2014-02-10 19:29 ` Alan McKinnon
2014-02-10 23:10 ` Kerin Millar
2014-02-10 23:57 ` Walter Dnes
2014-02-11 0:05 ` Stroller
2014-02-11 0:12 ` Stroller
2014-02-11 0:28 ` Kerin Millar
2014-02-11 1:23 ` Walter Dnes
2014-02-11 2:11 ` Kerin Millar
2014-02-11 2:50 ` Mike Gilbert
2014-02-11 5:41 ` Alan McKinnon
2014-02-11 5:32 ` Alan McKinnon
2014-02-11 11:07 ` Walter Dnes
2014-02-11 11:12 ` Neil Bothwick
2014-02-11 12:14 ` Alan McKinnon
2014-02-10 19:40 ` Kerin Millar
2014-02-10 19:45 ` eroen [this message]
2014-02-10 18:45 ` Alan McKinnon
2014-02-10 20:30 ` Kerin Millar
2014-02-11 1:03 ` Kerin Millar