Gentoo Archives: gentoo-user

From: eroen <eroen@××××××××××××.eu>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: User eix-sync permissions problem
Date: Mon, 10 Feb 2014 19:46:04
Message-Id: 20140210204552.77b43b15@falcon.eroen.eu
In Reply to: Re: [gentoo-user] User eix-sync permissions problem by Walter Dnes
On Mon, 10 Feb 2014 14:03:44 -0500, "Walter Dnes"
<waltdnes@××××××××.org> wrote:
> On Mon, Feb 10, 2014 at 05:09:55PM +0000, Stroller wrote
> >
> > On Mon, 10 February 2014, at 4:55 pm, Gleb Klochkov
> > <glebiuskv@×××××.com> wrote:
> >
> > > Hi. Try to use sudo with no password for eix-sync.
> >
> > I'd really rather not. Thanks, though.
>
> Being in group "portage" is not enough. That merely lets you do
> emerges with "--pretend". "emerge --sync" modifies files in
> /usr/portage. Files and directories in /usr/portage/ are user:group
> root:root. Therefore you *NEED* root-level permission to modify them.
> No ifs/ands/ors/buts. The overall easiest method is to (as root)...
> * "emerge sudoers" if it's not installed
> * "visudo -f /etc/sudoers.d/001" (or whatever you want to call the
> file)
> * set up the file. Here's a fragment from my system, with user
> "waltdnes" and machine name "i660"
> waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
> waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
>
> I could manually type the command with sudo, but I'm lazy. In my
> /home/waltdnes/bin directory, I have a file "hb"
>
> #!/bin/bash
> sync
> sleep 15
> sudo /usr/sbin/hibernate
>
> and file "fdl"
>
> #!/bin/bash
> sudo /sbin/fdisk -l
>
> To sync the machine, I could add to /etc/sudoers.d/001
>
> waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
>
> and create (as waltdnes) /home/waltdnes/emsy
>
> #!/bin/bash
> /usr/bin/emerge --sync
>
> For security, I strongly recommend that the full path of the
> executable be specified, as well as any options. Do not use the $*
> commandline parameter in the sudoers file. It probably works, but is
> too wide open.
>

eroen@falcon ~ $ wget -O - 'http://mirrors.eu.kernel.org/gentoo/snapshots/portage-20140209.tar.xz' 2>/dev/null | tar tvJ | head -n 10
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/sec-policy/
drwxr-xr-x portage/portage 0 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/
-rw-r--r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-9999.ebuild
-rw-r--r-- portage/portage 10496 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/Manifest
-rw-r--r-- portage/portage 476 2013-02-23 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r11.ebuild
-rw-r--r-- portage/portage 475 2012-12-13 11:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r8.ebuild
-rw-r--r-- portage/portage 475 2013-08-15 09:01 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20130424-r2.ebuild
-rw-r--r-- portage/portage 475 2012-10-04 20:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r5.ebuild

For portage's (default-enabled) FEATURES="usersync" to work (dropping
privileges when syncing as root), /usr/portage must be writeable by
portage:portage. The tree snapshots have not always had this
permissions setup, so mature installs would require manual intervention
at some point, either updating the permissions or disabling usersync.

Still, the files are not group-writeable by default, so portage group
membership would not be sufficient. I would suggest a solution based on
su/sudo, as merely changing the permissions would need to be re-done if
the tree is ever synced as root later.

--
eroen
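As an added example (not part of this thread), a small POSIX shell audit that applies the two points made above: it flags sudoers rules that fall short of the full-path, fixed-arguments form Walter recommends (relative command, wildcard or $*, ALL), and flags tree entries that a portage:portage usersync could not write or that any local user could modify. The sudoers fragment and the tar listing are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Constructed sudoers fragment in the style of the /etc/sudoers.d/001 rules quoted above.
# The last three rules are deliberately loose so the audit has something to catch.
SUDOERS_SAMPLE='waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
# loose rules (constructed)
waltdnes i660 = (root) NOPASSWD: emerge --sync
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge *
waltdnes i660 = (root) NOPASSWD: ALL'

# Print every rule whose command spec is not an absolute path with fixed
# arguments: relative command, any wildcard (which also covers $*), or ALL.
audit_sudoers() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    /=/ {
      cmd = $0
      sub(/^.*NOPASSWD:[[:space:]]*/, "", cmd)      # drop user/host/runas/tag
      sub(/^.*\)[[:space:]]*/, "", cmd)             # same for rules without a tag
      if (cmd == "ALL" || cmd ~ /\*/ || cmd !~ /^\//) print "BROAD: " $0
    }'
}

# Constructed "tar tv" style listing modelled on the snapshot output above.
TREE_SAMPLE='drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
-rw-r--r-- root/root 100 2014-02-10 01:31 portage/constructed/root-owned.txt
-rw-rw-rw- portage/portage 100 2014-02-10 01:31 portage/constructed/world-writable.txt'

# Flag entries that FEATURES="usersync" (running as portage:portage) could not
# update, and entries whose "other" write bit lets any local user modify them.
audit_tree() {
  printf '%s\n' "$1" | awk '
    $2 != "portage/portage"  { print "NOT_PORTAGE_OWNED: " $NF; next }
    substr($1, 9, 1) == "w"  { print "WORLD_WRITABLE: " $NF }'
}

audit_sudoers "$SUDOERS_SAMPLE"
audit_tree "$TREE_SAMPLE"
```

On a live system, feed it `cat /etc/sudoers.d/*` and `tar tv` of a snapshot (or `ls -l` output with matching field order) instead of the constructed samples.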

Attachment: signature.asc (application/pgp-signature)