1 |
Hello, developers. |
2 |
|
3 |
I've been doing some research wrt use of RESTRICT=userpriv [1] lately |
4 |
and found out that most of the affected packages use it solely to gain |
5 |
access to files or devices that are restricted to specific groups. I've |
6 |
specifically noted three cases: |
7 |
|
8 |
1) ebuilds using CUDA that needed to access /dev/nvidia* (restricted to |
9 |
video group), |
10 |
|
11 |
2) game ebuilds that needed to access game executables (restricted to |
12 |
games group but hopefully subject to change), |
13 |
|
14 |
3) qmail-related ebuilds that needed to access restricted files (no |
15 |
details yet). |
16 |
|
17 |
I believe that most (if not all) of uses of RESTRICT=userpriv are |
18 |
overkill. It implies elevating privileges for the whole build process |
19 |
while what's really needed is an access to a particular file or device, |
20 |
or a capability of some kind for a single command execution. |
21 |
|
22 |
I would therefore like to ask the Community for ideas on how |
23 |
RESTRICT=userpriv could be effectively replaced by something safer. |
24 |
|
25 |
|
26 |
I can enumerate the following possibilities: |
27 |
|
28 |
a) explicitly requesting user to alter group membership for the build |
29 |
user. This is already done in some of the CUDA ebuilds. |
30 |
|
31 |
Advantages: |
32 |
|
33 |
- limits elevated privileges to a particular group access, |
34 |
|
35 |
- works now. |
36 |
|
37 |
Disadvantages: |
38 |
|
39 |
- requires manual intervention (we even can't properly name the user |
40 |
since there's no PMS function/variable to obtain it), |
41 |
|
42 |
- increases privileges for all ebuilds rather than the one needing it. |
43 |
Developers using it will not get proper failures for ebuilds not |
44 |
having the check, |
45 |
|
46 |
- doesn't cover other uses of FEATURES=userpriv. |
47 |
|
48 |
|
49 |
b) SUPPLEMENTARY_GROUPS support [2]. The idea is to use setgroups() to |
50 |
transparently enable group membership for the build process. |
51 |
|
52 |
Advantages: |
53 |
|
54 |
- transparent, relatively simple. |
55 |
|
56 |
Disadvantages: |
57 |
|
58 |
- quite ugly name ;), |
59 |
|
60 |
- doesn't cover other uses of FEATURES=userpriv. |
61 |
|
62 |
|
63 |
c) 'esudo' helper [3]. This is a more generic form of (2), with support |
64 |
for other potential privilege changes. |
65 |
|
66 |
Advantages: |
67 |
|
68 |
- allows to raise privileges precisely for one command, |
69 |
|
70 |
- flexible -- may alter EUID, EGID, groups, capabilities. |
71 |
|
72 |
Disadvantages: |
73 |
|
74 |
- hard to implement -- especially if we want to make it capable of |
75 |
running bash functions. |
76 |
|
77 |
|
78 |
What do you think? Do you have other ideas? |
79 |
|
80 |
|
81 |
[1]:https://bugs.gentoo.org/show_bug.cgi?id=516568 |
82 |
[2]:https://bugs.gentoo.org/show_bug.cgi?id=516614 |
83 |
[3]:https://bugs.gentoo.org/show_bug.cgi?id=516616 |
84 |
|
85 |
-- |
86 |
Best regards, |
87 |
Michał Górny |