Gentoo Archives: gentoo-security

From: Kerin Millar <kerin@×××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] sandbox
Date: Tue, 06 Apr 2004 15:43:29
Message-Id: 20040406164135.0bc77ca4.kerin@recruit2recruit.net
In Reply to: [gentoo-security] sandbox by Dadi
On Tue, 6 Apr 2004 18:20:43 +0000
Dadi <thewalrus@××××××××××××××.org> wrote:

> Hello all,
> I am new to gentoo and I was wondering what is this 'sandbox(ing)'.
> I couldn't find anything valuable on google.
> I heard it has something to do with security(hopefully I send to the right group).

The entire build process for a given package is conducted within a sandbox. Typically, the build process would imply the classic ./configure, make, make install routine.

The actual notion is not dissimilar to that of a chroot. If (and _only_ if) the build process completes in its entirety are the resultant binaries/files "merged" into your main filesystem. If at any time the build process triggers an action which attempts to write outside of the sandbox, then that is considered to be an access violation, and will trigger an exception in Portage. The sandboxes are created under a directory following the name of the package, beneath /var/tmp/portage (by default).

The general idea is to stop a build process from being able to branch out and affect any part of your filesystem it so chooses, whether maliciously or otherwise. It also avoids the possible situation where your filesystem may end up being cluttered with redundant files after a failed or abortive build process.

Portage retains control over the merging process after a successful build to ensure that redundant files are removed where necessary (in the case of an upgrade) and that important files are not wantonly clobbered (notably, those under /etc or other directories which contain the file ".keep" if I recall correctly).

> All I know is when I have FEATURES="-sandbox", openoffice 1.1.1 compiles. Otherwise, not.

That should be directed toward bugs.gentoo.org with as much information as you are able to supply (having checked for a duplicate bug report first ;). Some Makefiles are really unpleasant and need to be patched to avoid silly behaviour.

--Kerin Millar

--
gentoo-security@g.o mailing list
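
The containment rule described in the message above (a write that lands outside the package's sandbox directory is an access violation, and the build is merged only if there were none), sketched as an added example that is not part of the original post and is not Portage's own code. The function names, the temporary directory standing in for /var/tmp/portage/<package>, and the list of write targets are all constructed for illustration.

```python
import os
import tempfile

def is_write_allowed(target, sandbox_root):
    """Return True only if target, fully resolved, lies inside sandbox_root."""
    root = os.path.realpath(sandbox_root)
    # Relative targets are taken relative to the sandbox; absolute ones stay absolute.
    # realpath collapses ".." and follows symlinks that already exist on disk.
    resolved = os.path.realpath(os.path.join(root, target))
    # commonpath compares whole path components, so a sibling such as
    # "<root>-evil" is not mistaken for a child of "<root>".
    return os.path.commonpath([root, resolved]) == root

def audit_build(write_targets, sandbox_root):
    """Model 'merge only if the whole build stayed inside': (ok, violations)."""
    violations = [t for t in write_targets
                  if not is_write_allowed(t, sandbox_root)]
    return (not violations, violations)

def demo():
    # Constructed layout standing in for /var/tmp/portage/<package>.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "portage", "foo-1.0")
    os.makedirs(os.path.join(root, "image", "usr", "bin"))
    os.makedirs(os.path.join(base, "portage", "foo-1.0-evil"))
    os.makedirs(os.path.join(base, "etc"))
    # A symlink inside the sandbox that points outside it.
    os.symlink(os.path.join(base, "etc"),
               os.path.join(root, "image", "etc-link"))
    writes = [
        "image/usr/bin/foo",                    # ordinary install into the sandbox
        "../foo-1.0-evil/payload",              # sibling dir sharing the name prefix
        "image/../../../etc/passwd",            # ".." traversal out of the sandbox
        "image/etc-link/passwd",                # escapes through a symlink
        os.path.join(base, "etc", "foo.conf"),  # absolute path outside
    ]
    return audit_build(writes, root)

if __name__ == "__main__":
    ok, violations = demo()
    print("merge allowed:", ok)
    for v in violations:
        print("ACCESS VIOLATION:", v)
```

This models only the path decision; as the message says, the real violation is raised at the moment the build attempts the write, which also avoids the gap between checking a path and using it.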

Replies

Subject Author
Re: [gentoo-security] sandbox Dadi <thewalrus@××××××××××××××.org>