12-11-2009, 07:11 PM
Zac Medico

Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?

Should we enable FEATURES=userpriv by default? If we do that then do
we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
should not be supported on the grounds that it is never justified?
What about prefix support (in EAPI 3), which often doesn't have root
privileges?
--
Thanks,
Zac
 
12-11-2009, 08:58 PM
justin

On 11/12/09 21:11, Zac Medico wrote:
> Should we enable FEATURES=userpriv by default? If we do that then do
> we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
> should not be supported on the grounds that it is never justified?
> What about prefix support (in EAPI 3), which often doesn't have root
> privileges?

FEATURES=userpriv has problems with distcc. I think it is only when used
in combination with pump mode but there I am not sure.
 
12-11-2009, 09:06 PM
Zac Medico

justin wrote:
> FEATURES=userpriv has problems with distcc. I think it is only when used
> in combination with pump mode but there I am not sure.

That can be fixed, right? How about after it's fixed?
--
Thanks,
Zac
 
12-11-2009, 09:46 PM
Peter Hjalmarsson

Fri 2009-12-11 at 12:11 -0800, Zac Medico wrote:
> Should we enable FEATURES=userpriv by default? If we do that then do
> we also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv
> should not be supported on the grounds that it is never justified?
> What about prefix support (in EAPI 3), which often doesn't have root
> privileges?

That would be problematic for hardened, as they set the permission
for /usr/src/* to root only.
 
12-12-2009, 12:03 AM
Duncan

Peter Hjalmarsson posted on Fri, 11 Dec 2009 23:46:07 +0100 as excerpted:

> Fri 2009-12-11 at 12:11 -0800, Zac Medico wrote:
>> Should we enable FEATURES=userpriv by default? If we do that then do we
>> also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv should
>> not be supported on the grounds that it is never justified? What about
>> prefix support (in EAPI 3), which often doesn't have root privileges?
>
> That would be problematic for hardened, as they set the permission for
> /usr/src/* to root only.

Wouldn't setting it as its own user, say kernelcomp, and su/sudoing to
that before dealing with the kernel sources, be better? Kernel docs have
long said don't compile sources as root, tho obviously for installing
them you normally need to be root.

FWIW, my (non-gentoo-related) kernel scripts use a non-root user, tho
it's my normal admin user (not my user user) that has blanket sudo
without password permission, but it could be a dedicated one just as
easily. I'd expect hardened to be even more particular about compiling
as root, tho I see why general access isn't allowed. But dedicated user
seems good.

Even if that's done, however, it'll take some time to update and test.
But it could be made the default before that, and hardened could set its
own default elsewise.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
 
12-12-2009, 12:31 AM
Justin Lecher

Zac Medico wrote:
> That can be fixed, right?

I don't know. It seems that the process cannot get the socket as user:

distcc[16297] ERROR: failed to connect to UNIX-DOMAIN /tmp/distcc-pump.HyIaX8/socket: Permission denied
distcc[16297] (dcc_build_somewhere) Warning: failed to get includes from include server, preprocessing locally

But this is the only problem I ever had with it.
 
