1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On Wednesday 24 March 2004 15:44, Paul Smith wrote: |
5 |
> This isn't what I'm looking for, actually. I want to be able to build |
6 |
> an install area with complete freedom from my "real" desktop. I want |
7 |
> to build with completely different versions of all sorts of tools than |
8 |
> the ones on my "real" system, without having to install them on my |
9 |
> real system. |
10 |
|
11 |
This is exactly what chroot does. There is not really a way to avoid it |
12 |
either as there are many packages which rely on certain locations for |
13 |
certain files. In many cases it is possible to say those files exist in |
14 |
$ROOT but then it would not work if that root would become the real |
15 |
root. |
16 |
|
17 |
> Then, if people wanted a 100% divorced install they could set |
18 |
> BUILDROOT==ROOT==something besides "/". As a result, nothing on the |
19 |
> "real" system (well, except for things like sh and python to run the |
20 |
> Portage tools themselves--which is OK) would be used. |
21 |
> |
22 |
> This is how we use Portage actually: we first create a "host" image |
23 |
> which contains all the build tools (cross compilers, build system, |
24 |
> Portage itself, etc.) Then we use that "host" image to generate the |
25 |
> other images. In this way the entire environment can be created with |
26 |
> no special privileges or access, and without impacting the contents of |
27 |
> the "real" system at all. |
28 |
> |
29 |
> |
30 |
> The other change I would like to see is a way to avoid the requirement |
31 |
> for root access. These extra "images" I'm creating don't need to be |
32 |
> installed as root, because I'm creating them in my own area. Not only |
33 |
> that, but if there's a personal BUILDROOT then even _THAT_ doesn't |
34 |
> require root access; it could also be an image I've built myself. |
35 |
|
36 |
We need root access for being able to give packages the right |
37 |
permissions. There might possibly be a way around it for creating binary |
38 |
packages, but that would probably require either some LD_PRELOAD magic |
39 |
(like sandbox) or custom kernel modules to record the owners of files. |
40 |
|
41 |
What you might try is user mode linux. What I understand from it it is |
42 |
possible to run it as a normal user. |
43 |
|
44 |
> In that past when dealing with permissions I've had good results using |
45 |
> an idea taken from UNIX's sticky bit: instead of requiring the user to |
46 |
> configure some account you just use the owner of the upper directory |
47 |
> and apply that to the contents. In this situation, we would find the |
48 |
> owner of the ROOT and/or BUILDROOT directories and use that as the |
49 |
> required owner instead of hardcoding "root" in Portage. Obviously a |
50 |
> little bit of logic has to enter in here: if the owner of either ROOT |
51 |
> or BUILDROOT is root then you must be root; if the owner of neither of |
52 |
> them is root then they must be the same. Another safety measure might |
53 |
> be that if either was "/", then you have to be root (just in case |
54 |
> someone accidentally chowns their "/" directory). For example. |
55 |
|
56 |
Some files in the apache package are owned by the apache user. There are |
57 |
many other packages with non-default owned files. That is essential for |
58 |
the security, and it is not possible without big changes to those |
59 |
ebuilds to actually use them when install is not performed as root. |
60 |
|
61 |
> I'm willing to supply patches for these things if it seems like |
62 |
> something people are interested in. |
63 |
|
64 |
Before you do, try to build a full system with what you have. I think you |
65 |
will meet many of the above problems. |
66 |
|
67 |
Paul |
68 |
|
69 |
- -- |
70 |
Paul de Vrieze |
71 |
Gentoo Developer |
72 |
Mail: pauldv@g.o |
73 |
Homepage: http://www.devrieze.net |
74 |
-----BEGIN PGP SIGNATURE----- |
75 |
Version: GnuPG v1.2.4 (GNU/Linux) |
76 |
|
77 |
iD8DBQFAYaU/bKx5DBjWFdsRAmchAJ9IdqJJQkcNDIlTNUvih6S4wYJoqQCdE5UY |
78 |
wgC+FwTUU0hqopG1jIQujlw= |
79 |
=Z3dY |
80 |
-----END PGP SIGNATURE----- |
81 |
|
82 |
-- |
83 |
gentoo-dev@g.o mailing list |