Chris L. Mason wrote:

>On Fri, 1 Oct 2004 11:30:42 +0200, Paul de Vrieze <pauldv@g.o> wrote:
>...
>
>>Sandbox should never ever be regarded as a security measure. It isn't. It
>>is almost trivial to subvert the sandbox. The reason for its
>>effectiveness is solely that its purpose is to protect against
>>accidental installing outside of the destination directory and so
>>subverting the package management (in short, protecting against bad
>>makefiles and ebuilds). It IS NOT SECURE.
>>
>
>So, if builds (and installs to temporary target) were done as a
>regular user, wouldn't that obviate the need for a sandbox at all?
>Also, this would make things a lot safer on macos (and presumably
>BSD), where the sandbox does not work.
>

Strictly speaking, you may be more secure if you compile as a non-root
user, but it doesn't fit its purpose, which is to make sure you don't put
files outside /var/tmp/portage/$P. As joe, you could write in /home/joe
and violate the restriction.
Besides, don't we trust gentoo dev? Or the main site of a particular
package? If not, why the hell do we install their program(s) in the
first place?

Sandbox _is_ what portage needs. Not security but a safety net in case
something is screwed up.
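As an added illustration (not portage's own sandbox code, which works by intercepting the build's file operations), the path check below captures the safety-net role described above: it flags any write whose real target resolves outside the package work directory, whether via an absolute path, `..` traversal, or a symlink that points out of the tree. The directory layout, package name `foo-1.0`, and user `joe` are constructed for the demo.

```python
import os
import tempfile


def sandbox_violation(path, allowed_roots):
    """Return True if a write to `path` would land outside every allowed root.

    Paths are canonicalised first (symlinks followed, `..` collapsed), so a
    symlink inside the work dir that points at /home/joe is still caught.
    This is only a safety net for broken makefiles and ebuilds: anything
    that does not go through this check is not seen by it.
    """
    real = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root).rstrip(os.sep)
        if real == root_real or real.startswith(root_real + os.sep):
            return False
    return True


def demo():
    """Constructed layout: a fake /var/tmp/portage/$P plus a fake /home/joe,
    with a symlink inside the work dir that escapes to the home directory."""
    base = tempfile.mkdtemp()
    work = os.path.join(base, "var", "tmp", "portage", "foo-1.0")
    home = os.path.join(base, "home", "joe")
    os.makedirs(os.path.join(work, "image", "usr", "bin"))
    os.makedirs(home)
    os.symlink(home, os.path.join(work, "escape"))  # link out of the sandbox

    attempts = {
        # a normal install into the image dir: allowed
        "inside": os.path.join(work, "image", "usr", "bin", "foo"),
        # `..` traversal from the image dir up to the fake /home/joe: violation
        "dotdot": os.path.join(work, "image", "..", "..", "..", "..", "..",
                               "home", "joe", ".bashrc"),
        # write through the escaping symlink: violation
        "symlink": os.path.join(work, "escape", "x"),
        # absolute path straight into the fake /usr/bin: violation
        "absolute": os.path.join(base, "usr", "bin", "foo"),
    }
    return {name: sandbox_violation(p, [work]) for name, p in attempts.items()}


if __name__ == "__main__":
    for name, violated in demo().items():
        print(f"{name:9s} -> {'VIOLATION' if violated else 'ok'}")
```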