| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Wednesday 24 March 2004 15:44, Paul Smith wrote: |
| 5 |
> This isn't what I'm looking for, actually. I want to be able to build |
| 6 |
> an install area with complete freedom from my "real" desktop. I want |
| 7 |
> to build with completely different versions of all sorts of tools than |
| 8 |
> the ones on my "real" system, without having to install them on my |
| 9 |
> real system. |
| 10 |
|
| 11 |
This is exactly what chroot does. There is not really a way to avoid it |
| 12 |
either as there are many packages which rely on certain locations for |
| 13 |
certain files. In many cases it is possible to say those files exist in |
| 14 |
$ROOT but then it would not work if that root would become the real |
| 15 |
root. |
| 16 |
|
| 17 |
> Then, if people wanted a 100% divorced install they could set |
| 18 |
> BUILDROOT==ROOT==something besides "/". As a result, nothing on the |
| 19 |
> "real" system (well, except for things like sh and python to run the |
| 20 |
> Portage tools themselves--which is OK) would be used. |
| 21 |
> |
| 22 |
> This is how we use Portage actually: we first create a "host" image |
| 23 |
> which contains all the build tools (cross compilers, build system, |
| 24 |
> Portage itself, etc.) Then we use that "host" image to generate the |
| 25 |
> other images. In this way the entire environment can be created with |
| 26 |
> no special privileges or access, and without impacting the contents of |
| 27 |
> the "real" system at all. |
| 28 |
> |
| 29 |
> |
| 30 |
> The other change I would like to see is a way to avoid the requirement |
| 31 |
> for root access. These extra "images" I'm creating don't need to be |
| 32 |
> installed as root, because I'm creating them in my own area. Not only |
| 33 |
> that, but if there's a personal BUILDROOT then even _THAT_ doesn't |
| 34 |
> require root access; it could also be an image I've built myself. |
| 35 |
|
| 36 |
We need root access for being able to give packages the right |
| 37 |
permissions. There might possibly be a way around it for creating binary |
| 38 |
packages, but that would probably require either some LD_PRELOAD magic |
| 39 |
(like sandbox) or custom kernel modules to record the owners of files. |
| 40 |
|
| 41 |
What you might try is user mode linux. What I understand from it it is |
| 42 |
possible to run it as a normal user. |
| 43 |
|
| 44 |
> In that past when dealing with permissions I've had good results using |
| 45 |
> an idea taken from UNIX's sticky bit: instead of requiring the user to |
| 46 |
> configure some account you just use the owner of the upper directory |
| 47 |
> and apply that to the contents. In this situation, we would find the |
| 48 |
> owner of the ROOT and/or BUILDROOT directories and use that as the |
| 49 |
> required owner instead of hardcoding "root" in Portage. Obviously a |
| 50 |
> little bit of logic has to enter in here: if the owner of either ROOT |
| 51 |
> or BUILDROOT is root then you must be root; if the owner of neither of |
| 52 |
> them is root then they must be the same. Another safety measure might |
| 53 |
> be that if either was "/", then you have to be root (just in case |
| 54 |
> someone accidentally chowns their "/" directory). For example. |
| 55 |
|
| 56 |
Some files in the apache package are owned by the apache user. There are |
| 57 |
many other packages with non-default owned files. That is essential for |
| 58 |
the security, and it is not possible without big changes to those |
| 59 |
ebuilds to actually use them when install is not performed as root. |
| 60 |
|
| 61 |
> I'm willing to supply patches for these things if it seems like |
| 62 |
> something people are interested in. |
| 63 |
|
| 64 |
Before you do, try to build a full system with what you have. I think you |
| 65 |
will meet many of the above problems. |
| 66 |
|
| 67 |
Paul |
| 68 |
|
| 69 |
- -- |
| 70 |
Paul de Vrieze |
| 71 |
Gentoo Developer |
| 72 |
Mail: pauldv@g.o |
| 73 |
Homepage: http://www.devrieze.net |
| 74 |
-----BEGIN PGP SIGNATURE----- |
| 75 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 76 |
|
| 77 |
iD8DBQFAYaU/bKx5DBjWFdsRAmchAJ9IdqJJQkcNDIlTNUvih6S4wYJoqQCdE5UY |
| 78 |
wgC+FwTUU0hqopG1jIQujlw= |
| 79 |
=Z3dY |
| 80 |
-----END PGP SIGNATURE----- |
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-dev@g.o mailing list |
Archives