From: "Walter Dnes"
Date: Mon, 10 Feb 2014 20:23:02 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] User eix-sync permissions problem
Message-ID: <20140211012302.GA20423@waltdnes.org>
References: <197AEEF5-2BA3-43BF-944E-A5C4230D4CFB@stellar.eclipse.co.uk> <20140210190344.GB17128@waltdnes.org> <52F92894.2050809@gmail.com> <52F95C7A.6010903@fastmail.co.uk> <20140210235755.GA19782@waltdnes.org> <52F96EBB.2060703@fastmail.co.uk>
In-Reply-To: <52F96EBB.2060703@fastmail.co.uk>

On Tue, Feb 11, 2014 at 12:28:43AM +0000, Kerin Millar wrote:
> On 10/02/2014 23:57, Walter Dnes wrote:
> >
> > What's the point, if you still have to run as root (or su or sudo) for
> > the emerge update process?
>
> It's the principle of least privilege. Is there any specific reason for
> portage to fork and exec rsync as root? Is rsync sandboxed? Should rsync
> have unfettered read/write access to all mounted filesystems? Can it be
> guaranteed that rsync hasn't been compromised? Can it be guaranteed that
> PORTAGE_RSYNC_OPTS will contain safe options at all times?
>
> The answer to all of these questions is "no". Basically, the combination
> of usersync and non-root ownership of PORTDIR hardens the process in a
> sensible way while conferring no disadvantage.

  If /usr/portage is owned by portage:portage, then wouldn't a user
(member of portage) be able to do mischief by tweaking ebuilds? E.g.
modify an ebuild to point to a tarball located on a USB stick, at
http://127.0.0.1/media/sdc1/my_tarball.tgz. This would allow a local
user to supply code that gets built and then installed in /usr/bin, or
/sbin, etc.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
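An added example, not part of the thread and not Portage's own code: a small POSIX shell audit covering the two points the exchange turns on, whether FEATURES enables usersync in make.conf, and whether any ebuild in a tree has a SRC_URI that fetches from the local host (loopback, localhost, or a file:// URI), which is the tampering pattern the reply describes. FEATURES and usersync are real Portage settings; the sample tree, the two ebuilds and the sample make.conf are constructed here for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): audit a PORTDIR-like
# tree for ebuilds that fetch from the local machine, and check that
# FEATURES="usersync" is set. All inputs below are constructed samples.

# Build a constructed stand-in for PORTDIR with one clean and one suspect ebuild.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app-misc/good" "$dir/app-misc/bad"
    cat > "$dir/app-misc/good/good-1.0.ebuild" <<'EOF'
EAPI=5
SRC_URI="mirror://gentoo/${P}.tar.gz"
EOF
    cat > "$dir/app-misc/bad/bad-1.0.ebuild" <<'EOF'
EAPI=5
SRC_URI="http://127.0.0.1/media/sdc1/my_tarball.tgz"
EOF
    printf '%s\n' "$dir"
}

# Constructed make.conf with usersync enabled (FEATURES and usersync are real
# Portage settings; the file contents are a sample).
make_sample_make_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PORTDIR="/usr/portage"
FEATURES="usersync"
EOF
    printf '%s\n' "$f"
}

# List ebuilds whose SRC_URI line points at the local machine. Only single-line
# SRC_URI assignments are inspected; a multi-line SRC_URI would be missed.
find_local_src_uri() {
    tree=$1
    find "$tree" -type f -name '*.ebuild' \
        -exec grep -lE 'SRC_URI=.*(https?://(127\.0\.0\.1|localhost|\[::1\])|file://)' {} \; \
        | sort
}

# Return 0 if the given make.conf enables usersync, 1 otherwise.
has_usersync() {
    grep -qE '^[[:space:]]*FEATURES=.*usersync' "$1"
}

# Print owner:group of a directory, for comparison against portage:portage.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Stand-alone run over the constructed inputs.
tree=$(make_sample_tree)
conf=$(make_sample_make_conf)
echo "PORTDIR stand-in: $tree (owner $(dir_owner "$tree"))"
if has_usersync "$conf"; then
    echo "usersync: enabled"
else
    echo "usersync: NOT enabled"
fi
echo "ebuilds fetching from the local host:"
find_local_src_uri "$tree"
rm -rf "$tree" "$conf"
```

Pointing `find_local_src_uri` at a real tree (`find_local_src_uri /usr/portage`) lists every ebuild whose SRC_URI resolves to the local host; on a tree synced from the Gentoo mirrors the expected output is empty, so any hit is worth comparing against the upstream copy of that ebuild. The ownership check is only informative: whether `portage:portage` ownership is acceptable depends on who is in the portage group, which is exactly the question the reply above raises.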