From: Kerin Millar <kerframil@fastmail.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] User eix-sync permissions problem
Date: Tue, 11 Feb 2014 02:11:23 +0000 [thread overview]
Message-ID: <52F986CB.5060408@fastmail.co.uk> (raw)
In-Reply-To: <20140211012302.GA20423@waltdnes.org>
On 11/02/2014 01:23, Walter Dnes wrote:
> On Tue, Feb 11, 2014 at 12:28:43AM +0000, Kerin Millar wrote
>> On 10/02/2014 23:57, Walter Dnes wrote:
>>>
>>> What's the point, if you still have to run as root (or su or sudo) for
>>> the emerge update process?
>>
>> It's the principle of least privilege. Is there any specific reason for
>> portage to fork and exec rsync as root? Is rsync sandboxed? Should rsync
>> have unfettered read/write access to all mounted filesystems? Can it be
>> guaranteed that rsync hasn't been compromised? Can it be guaranteed that
>> PORTAGE_RSYNC_OPTS will contain safe options at all times?
>>
>> The answer to all of these questions is "no". Basically, the combination
>> of usersync and non-root ownership of PORTDIR hardens the process in a
>> sensible way while conferring no disadvantage.
>
> If /usr/portage is owned by portage:portage, then wouldn't a user
> (member of portage) be able to do mischief by tweaking ebuilds? E.g.
> modify an ebuild to point to a tarball located on a usb stick, at
> http://127.0.0.1/media/sdc1/my_tarball.tgz. This would allow a local
> user to supply code that gets built and then installed in /usr/bin, or
> /sbin, etc.
Yes, but only if the group write bit is set throughout PORTDIR. By
default, rsync - as invoked by portage - preserves the permission bits
from the remote and the files stored by the mirrors do not have this bit
set.
What I have described elsewhere is a method for ensuring that the group
write bit is set. In that case, your concern is justified; you would
definitely not want to grant membership of the portage group to anyone
that you couldn't trust in this context.
--Kerin
next prev parent reply other threads:[~2014-02-11 2:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-10 16:05 [gentoo-user] User eix-sync permissions problem Stroller
2014-02-10 16:55 ` Gleb Klochkov
2014-02-10 17:09 ` Stroller
2014-02-10 19:03 ` Walter Dnes
2014-02-10 19:29 ` Alan McKinnon
2014-02-10 23:10 ` Kerin Millar
2014-02-10 23:57 ` Walter Dnes
2014-02-11 0:05 ` Stroller
2014-02-11 0:12 ` Stroller
2014-02-11 0:28 ` Kerin Millar
2014-02-11 1:23 ` Walter Dnes
2014-02-11 2:11 ` Kerin Millar [this message]
2014-02-11 2:50 ` Mike Gilbert
2014-02-11 5:41 ` Alan McKinnon
2014-02-11 5:32 ` Alan McKinnon
2014-02-11 11:07 ` Walter Dnes
2014-02-11 11:12 ` Neil Bothwick
2014-02-11 12:14 ` Alan McKinnon
2014-02-10 19:40 ` Kerin Millar
2014-02-10 19:45 ` [gentoo-user] " eroen
2014-02-10 18:45 ` [gentoo-user] " Alan McKinnon
2014-02-10 20:30 ` Kerin Millar
2014-02-11 1:03 ` Kerin Millar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F986CB.5060408@fastmail.co.uk \
--to=kerframil@fastmail.co.uk \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox