| 1 |
Chris L. Mason wrote: |
| 2 |
|
| 3 |
>On Fri, 1 Oct 2004 11:30:42 +0200, Paul de Vrieze <pauldv@g.o> wrote: |
| 4 |
>... |
| 5 |
> |
| 6 |
> |
| 7 |
>>Sandbox should never ever be regarded as a security measure. It isn't. It |
| 8 |
>>is almost trivial to subvert the sandbox. The reason for it's |
| 9 |
>>effectiveness is solely that it's purpose is to protect against |
| 10 |
>>accidental installing outside of the destination directory and so |
| 11 |
>>subverting the package management (in short protecting against bad |
| 12 |
>>makefiles and ebuilds). It IS NOT SECURE. |
| 13 |
>> |
| 14 |
>> |
| 15 |
>> |
| 16 |
> |
| 17 |
>So, if builds (and installs to temporary target) were done as a |
| 18 |
>regular user, wouldn't that obviate the need for a sandbox at all? |
| 19 |
>Also, this would make things a lot safer on macos (and presumably |
| 20 |
>BSD), where the sandbox does not work. |
| 21 |
> |
| 22 |
> |
| 23 |
> |
| 24 |
Strictly speaking, you may be more secure if you compile as a non-root |
| 25 |
user but it doesn't fit its purpose which is make sure you don't put |
| 26 |
files outside /var/tmp/portage/$P. As joe, you could write in /home/joe |
| 27 |
and violate the restriction. |
| 28 |
Besides, don't we trust gentoo dev? Or main site of a particular |
| 29 |
package? If not, why the hell do we install their program(s) in the |
| 30 |
first place? |
| 31 |
|
| 32 |
Sandbox _is_ what portage need. Not security but a safe net in case |
| 33 |
something is screwed up. |
Archives