Enable userpriv by default? Support RESTRICT=userpriv? Interaction with prefix in EAPI 3?
Peter Hjalmarsson posted on Fri, 11 Dec 2009 23:46:07 +0100 as excerpted:
> fre 2009-12-11 klockan 12:11 -0800 skrev Zac Medico:
>> Should we enable FEATURES=userpriv by default? If we do that then do we
>> also need to support RESTRICT=userpriv? Maybe RESTRICT=userpriv should
>> not be supported on the grounds that it is never justified? What about
>> prefix support (in EAPI 3), which often doesn't have root privileges?
> That would be problematic for hardened, as they set the permission for
> /usr/src/* to root only.
Wouldn't setting it as its own user, say kernelcomp, and su/sudoing to
that before dealing with the kernel sources, be better? Kernel docs have
long said don't compile sources as root, tho obviously for installing
them you normally need to be root.
FWIW, my (non-gentoo-related) kernel scripts use a non-root user, tho
it's my normal admin user (not my user user) that has blanket sudo
without password permission, but it could be a dedicated one just as
easily. I'd expect hardened to be even more particular about compiling
as root, tho I see why general access isn't allowed. But dedicated user
Even if that's done, however, it'll take some time to update and test.
But it could be made the default before that, and hardened could set its
own default elsewise.
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman