On Mon, 10 Feb 2014 14:03:44 -0500, "Walter Dnes"
<waltdnes@××××××××.org> wrote:
> On Mon, Feb 10, 2014 at 05:09:55PM +0000, Stroller wrote
> >
> > On Mon, 10 February 2014, at 4:55 pm, Gleb Klochkov
> > <glebiuskv@×××××.com> wrote:
> >
> > > Hi. Try to use sudo with no password for eix-sync.
> >
> > I'd really rather not. Thanks, though.
>
> Being in group "portage" is not enough. That merely lets you do
> emerges with "--pretend". "emerge --sync" modifies files in
> /usr/portage. Files and directories in /usr/portage/ are user:group
> root:root. Therefore you *NEED* root-level permission to modify them.
> No ifs/ands/ors/buts. The overall easiest method is to (as root)...
> * "emerge sudoers" if it's not installed
> * "visudo -f /etc/sudoers.d/001" (or whatever you want to call the
> file)
> * set up the file. Here's a fragment from my system, with user
> "waltdnes" and machine name "i660"
> waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
> waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
>
> I could manually type the command with sudo, but I'm lazy. In my
> /home/waltdnes/bin directory, I have a file "hb"
>
> #!/bin/bash
> sync
> sleep 15
> sudo /usr/sbin/hibernate
>
> and file "fdl"
>
> #!/bin/bash
> sudo /sbin/fdisk -l
>
> To sync the machine, I could add to /etc/sudoers.d/001
>
> waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
>
> and create (as waltdnes) /home/waltdnes/emsy
>
> #!/bin/bash
> /usr/bin/emerge --sync
>
> For security, I strongly recommend that the full path of the
> executable be specified, as well as any options. Do not use the $*
> command-line parameter in the sudoers file. It probably works, but is
> too wide open.
>

eroen@falcon ~ $ wget -O - 'http://mirrors.eu.kernel.org/gentoo/snapshots/portage-20140209.tar.xz' 2>/dev/null | tar tvJ | head -n 10
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/sec-policy/
drwxr-xr-x portage/portage 0 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/
-rw-r--r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-9999.ebuild
-rw-r--r-- portage/portage 10496 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/Manifest
-rw-r--r-- portage/portage 476 2013-02-23 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r11.ebuild
-rw-r--r-- portage/portage 475 2012-12-13 11:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r8.ebuild
-rw-r--r-- portage/portage 475 2013-08-15 09:01 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20130424-r2.ebuild
-rw-r--r-- portage/portage 475 2012-10-04 20:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r5.ebuild

For portage's (default-enabled) FEATURES="usersync" to work (dropping
privileges when syncing as root), /usr/portage must be writable by
portage:portage. The tree snapshots have not always had this
permissions setup, so mature installs would require manual intervention
at some point, either updating the permissions or disabling usersync.

Still, the files are not group-writable by default, so portage group
membership would not be sufficient. I would suggest a solution based on
su/sudo, as merely changing the permissions would need to be re-done if
the tree is ever synced as root later.

--
eroen
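As an added example (not code from the thread), the following POSIX sh function audits a sudoers.d fragment for the two pitfalls Walter's advice targets: a NOPASSWD rule whose command is not an absolute path, and one whose command spec is ALL or contains a wildcard or $*. The user and host names are reused from the quoted fragment as sample values; the fragment itself is constructed here.

```shell
#!/bin/sh
# Constructed sample sudoers.d fragment (user/host names taken from the thread).
SAMPLE_FRAGMENT=$(mktemp)
trap 'rm -f "$SAMPLE_FRAGMENT"' EXIT
cat > "$SAMPLE_FRAGMENT" <<'EOF'
# good: absolute path, fixed options, nothing for the caller to vary
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
# bad: trailing wildcard lets the caller append any arguments
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge *
# bad: relative command name, resolved through the caller's PATH
waltdnes i660 = (root) NOPASSWD: emerge --sync
# bad: unrestricted
waltdnes i660 = (root) NOPASSWD: ALL
EOF

# audit_sudoers FILE
#   Prints one line per questionable NOPASSWD rule and returns the number
#   of problems found (0 means every NOPASSWD rule names an absolute
#   command with fixed options). Assumes one rule per line, as in the
#   fragment quoted above.
audit_sudoers() {
    file=$1
    problems=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac        # skip blanks/comments
        case $line in *NOPASSWD:*) ;; *) continue ;; esac
        spec=${line##*NOPASSWD:}                        # text after the tag
        spec=${spec#"${spec%%[! ]*}"}                   # strip leading blanks
        cmd=${spec%% *}                                 # first word = command
        case $spec in
            ALL|*'*'*|*'$'*)
                printf 'UNRESTRICTED: %s\n' "$line"
                problems=$((problems + 1)) ;;
        esac
        case $cmd in
            /*|ALL) ;;
            *)
                printf 'RELATIVE-PATH: %s\n' "$line"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    return "$problems"
}
```

Run it as `audit_sudoers /etc/sudoers.d/001` on a real fragment; a non-zero exit status means at least one rule deserves a second look.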