| 1 |
Hello, developers. |
| 2 |
|
| 3 |
I've been doing some research wrt use of RESTRICT=userpriv [1] lately |
| 4 |
and found out that most of the affected packages use it solely to gain |
| 5 |
access to files or devices that are restricted to specific groups. I've |
| 6 |
specifically noted three cases: |
| 7 |
|
| 8 |
1) ebuilds using CUDA that needed to access /dev/nvidia* (restricted to |
| 9 |
video group), |
| 10 |
|
| 11 |
2) game ebuilds that needed to access game executables (restricted to |
| 12 |
games group but hopefully subject to change), |
| 13 |
|
| 14 |
3) qmail-related ebuilds that needed to access restricted files (no |
| 15 |
details yet). |
| 16 |
|
| 17 |
I believe that most (if not all) of uses of RESTRICT=userpriv are |
| 18 |
overkill. It implies elevating privileges for the whole build process |
| 19 |
while what's really needed is an access to a particular file or device, |
| 20 |
or a capability of some kind for a single command execution. |
| 21 |
|
| 22 |
I would therefore like to ask the Community for ideas on how |
| 23 |
RESTRICT=userpriv could be effectively replaced by something safer. |
| 24 |
|
| 25 |
|
| 26 |
I can enumerate the following possibilities: |
| 27 |
|
| 28 |
a) explicitly requesting user to alter group membership for the build |
| 29 |
user. This is already done in some of the CUDA ebuilds. |
| 30 |
|
| 31 |
Advantages: |
| 32 |
|
| 33 |
- limits elevated privileges to a particular group access, |
| 34 |
|
| 35 |
- works now. |
| 36 |
|
| 37 |
Disadvantages: |
| 38 |
|
| 39 |
- requires manual intervention (we even can't properly name the user |
| 40 |
since there's no PMS function/variable to obtain it), |
| 41 |
|
| 42 |
- increases privileges for all ebuilds rather than the one needing it. |
| 43 |
Developers using it will not get proper failures for ebuilds not |
| 44 |
having the check, |
| 45 |
|
| 46 |
- doesn't cover other uses of FEATURES=userpriv. |
| 47 |
|
| 48 |
|
| 49 |
b) SUPPLEMENTARY_GROUPS support [2]. The idea is to use setgroups() to |
| 50 |
transparently enable group membership for the build process. |
| 51 |
|
| 52 |
Advantages: |
| 53 |
|
| 54 |
- transparent, relatively simple. |
| 55 |
|
| 56 |
Disadvantages: |
| 57 |
|
| 58 |
- quite ugly name ;), |
| 59 |
|
| 60 |
- doesn't cover other uses of FEATURES=userpriv. |
| 61 |
|
| 62 |
|
| 63 |
c) 'esudo' helper [3]. This is a more generic form of (2), with support |
| 64 |
for other potential privilege changes. |
| 65 |
|
| 66 |
Advantages: |
| 67 |
|
| 68 |
- allows to raise privileges precisely for one command, |
| 69 |
|
| 70 |
- flexible -- may alter EUID, EGID, groups, capabilities. |
| 71 |
|
| 72 |
Disadvantages: |
| 73 |
|
| 74 |
- hard to implement -- especially if we want to make it capable of |
| 75 |
running bash functions. |
| 76 |
|
| 77 |
|
| 78 |
What do you think? Do you have other ideas? |
| 79 |
|
| 80 |
|
| 81 |
[1]:https://bugs.gentoo.org/show_bug.cgi?id=516568 |
| 82 |
[2]:https://bugs.gentoo.org/show_bug.cgi?id=516614 |
| 83 |
[3]:https://bugs.gentoo.org/show_bug.cgi?id=516616 |
| 84 |
|
| 85 |
-- |
| 86 |
Best regards, |
| 87 |
Michał Górny |
Archives