Date: Mon, 10 Feb 2014 20:45:52 +0100
From: eroen
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: User eix-sync permissions problem
Message-ID: <20140210204552.77b43b15@falcon.eroen.eu>
In-Reply-To: <20140210190344.GB17128@waltdnes.org>
References: <197AEEF5-2BA3-43BF-944E-A5C4230D4CFB@stellar.eclipse.co.uk> <20140210190344.GB17128@waltdnes.org>
List-Id: Gentoo Linux mail
On Mon, 10 Feb 2014 14:03:44 -0500, "Walter Dnes" wrote:
> On Mon, Feb 10, 2014 at 05:09:55PM +0000, Stroller wrote
> >
> > On Mon, 10 February 2014, at 4:55 pm, Gleb Klochkov wrote:
> >
> > > Hi. Try to use sudo with no password for eix-sync.
> >
> > I'd really rather not. Thanks, though.
>
> Being in group "portage" is not enough. That merely lets you do
> emerges with "--pretend". "emerge --sync" modifies files in
> /usr/portage. Files and directories in /usr/portage/ are user:group
> root:root. Therefore you *NEED* root-level permission to modify them.
> No ifs/ands/ors/buts. The overall easiest method is to (as root)...
> * "emerge sudoers" if it's not installed
> * "visudo -f /etc/sudoers.d/001" (or whatever you want to call the file)
> * set up the file. Here's a fragment from my system, with user
>   "waltdnes" and machine name "i660"
>
> waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
> waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
>
> I could manually type the command with sudo, but I'm lazy. In my
> /home/waltdnes/bin directory, I have a file "hb"
>
> #!/bin/bash
> sync
> sleep 15
> sudo /usr/sbin/hibernate
>
> and file "fdl"
>
> #!/bin/bash
> sudo /sbin/fdisk -l
>
> To sync the machine, I could add to /etc/sudoers.d/001
>
> waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
>
> and create (as waltdnes) /home/waltdnes/emsy
>
> #!/bin/bash
> /usr/bin/emerge --sync
>
> For security, I strongly recommend that the full path of the
> executable be specified, as well as any options. Do not use the $*
> commandline parameter in the sudoers file. It probably works, but is
> too wide open.
>

eroen@falcon ~ $ wget -O - 'http://mirrors.eu.kernel.org/gentoo/snapshots/portage-20140209.tar.xz' 2>/dev/null | tar tvJ | head -n 10
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/sec-policy/
drwxr-xr-x portage/portage 0 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/
-rw-r--r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-9999.ebuild
-rw-r--r-- portage/portage 10496 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/Manifest
-rw-r--r-- portage/portage 476 2013-02-23 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r11.ebuild
-rw-r--r-- portage/portage 475 2012-12-13 11:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r8.ebuild
-rw-r--r-- portage/portage 475 2013-08-15 09:01 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20130424-r2.ebuild
-rw-r--r-- portage/portage 475 2012-10-04 20:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r5.ebuild

For portage's (default-enabled) FEATURES="usersync" to work (dropping
privileges when syncing as root), /usr/portage must be writeable by
portage:portage. The tree snapshots have not always had this permissions
setup, so mature installs would require manual intervention at some
point, either updating the permissions or disabling usersync.

Still, the files are not group-writeable by default, so portage group
membership would not be sufficient. I would suggest a solution based on
su/sudo, as merely changing the permissions would need to be re-done if
the tree is ever synced as root later.
--
eroen
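As an added example (not from the original mail, and not Gentoo's or portage's own code), the two points made in this thread can be turned into small shell checks: one audits a snapshot listing of the kind eroen pasted (the `tar tv` output) for the `portage/portage` ownership that `FEATURES=usersync` needs and for the group write bit whose absence is why membership in group `portage` is not enough; the other vets a sudoers rule against Walter's advice (absolute path, fixed arguments, no wildcard). `SAMPLE_LISTING` is constructed to resemble eroen's output, with one deliberately root-owned and one deliberately group-writable entry added so both failure modes are exercised; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail.  Checks for the two points
# raised above: snapshot ownership/mode for usersync, and sudoers rule hygiene.
# SAMPLE_LISTING is constructed (modelled on eroen's `tar tvJ` output);
# one entry is root-owned and one is group-writable on purpose.

SAMPLE_LISTING='drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x root/root 0 2014-02-10 01:31 portage/sec-policy/
-rw-rw-r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/example.ebuild'

# audit_listing [OWNER]: read a `tar tv` listing on stdin and print one line
# per entry:  <status> <owner/group> <mode> <path>
# status is OK or NOT_OWNED (owner differs from OWNER, default portage/portage),
# with ",GROUP_WRITABLE" appended when the group write bit (column 6) is set.
audit_listing() {
    awk -v want="${1:-portage/portage}" '
    NF >= 6 {
        mode = $1; own = $2; path = $6
        status = (own == want) ? "OK" : "NOT_OWNED"
        if (substr(mode, 6, 1) == "w") status = status ",GROUP_WRITABLE"
        print status, own, mode, path
    }'
}

# count_not_owned: number of entries on stdin not owned by portage/portage
# (non-zero means usersync would need a chown, as eroen describes).
count_not_owned() {
    audit_listing | awk '$1 ~ /^NOT_OWNED/ { n++ } END { print n + 0 }'
}

# count_group_writable: number of entries on stdin with g+w set.
count_group_writable() {
    audit_listing | awk '$1 ~ /GROUP_WRITABLE/ { n++ } END { print n + 0 }'
}

# group_membership_sufficient: succeed only if every entry on stdin is owned
# by group portage AND group-writable.  A stock snapshot fails this, which is
# why being in group portage does not let you sync.
group_membership_sufficient() {
    audit_listing | awk '
        { split($2, og, "/")
          if (og[2] != "portage" || $1 !~ /GROUP_WRITABLE/) bad++ }
        END { exit (bad ? 1 : 0) }'
}

# check_sudoers_rule RULE: succeed when the command part of a sudoers rule is
# an absolute path with literal arguments; fail on ALL, wildcards or a bare
# command name.  (Heuristic on one rule line, not a sudoers parser.)
check_sudoers_rule() {
    cmd=${1#*[)] }        # drop "user host = (runas) "
    cmd=${cmd##*: }       # drop a NOPASSWD:/PASSWD: tag if present
    case $cmd in
        ALL|*\**|*\?*|*\$*) return 1 ;;
        /*)                 return 0 ;;
        *)                  return 1 ;;
    esac
}

# Against a real snapshot (downloads, so not run here):
#   wget -O - "$SNAPSHOT_URL" | tar tvJ | count_not_owned
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

On the real snapshot from eroen's listing, `count_not_owned` is 0 and `group_membership_sufficient` still fails, since every entry is `rw-r--r--`; that combination is exactly the case where usersync works for root but a plain user in group `portage` cannot write the tree.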