On 16/09/2015 04:19, james wrote:
> Fernando Rodriguez <frodriguez.developer <at> outlook.com> writes:
>
>>> Here, all of /etc/portage is root:root
>
> This is what I have except for distfiles:
> drwxrwxr-x 5 root portage 232K Sep 14 23:00 distfiles
>
> root.portage ??? I guess portage does that. Fernando's explanation
> seems plausible, I guess I'd have to look at the code (not today)
> but this just seems strange to me that sys-apps/portage would do this...

It's a valid technique. Root owns stuff and members of the portage group
can write distfiles. You can get the same effect with root:root and
making yourself a member of the root group, but that's over-reaching and
unwise.

>
>>> The tree and all overlays are portage:portage
>
> Mine are root.root but no harm, right? I guess I could change them
> recursively to portage:portage but why, if portage is just going
> to do what it wants anyway.

No harm as long as all writes are done by root. You might not want that.
Forcing all writes to be done by root can open more security risks than
it closes, doubly so when the writes are something you intend to do
often.

>
>
>>> You can make a local overlay owned by the user you want, stuff you hack away
>>> at yourself should probably be james:james or james:users
>
> Yea, I'm gonna think about /usr/local/portage. I see the convenience of
> your suggestion, but I have always had most everything portage:portage.
> I cannot remember why though.....

How long have you been using gentoo? 5-10 years? Those were the default
install settings for most of portage's lifetime.

>
>>>
>>> Typically, permissions in /etc/portage are the usual 755 for dirs and
>>> 644 for files
>>>
>>> I set overlays and the tree to be 2775 for dirs and 664 for files
>
> Yea, I have just let portage do what it wants and never really thought
> about it before. This seems reasonable.
>
>
>>> Permissions should be what YOU need them to be on your computer. There's
>>> a default, it's what portage makes them when you install stuff
>
> Yep, it makes sense that sys-apps/portage is the master of these files,
> I just never thought about it much before.
>
>
>>> Only root should change the master config files in /etc, just like in
>>> all other apps. IIRC emerge can drop privs to a user account, if that
>>> user is portage then portage must own the files
>
> Ah, makes sense.
>
>>
>> It is true that portage drops privileges to the portage account (unless the
>> ebuild has RESTRICT="userpriv" or I think FEATURES="-userpriv" in make.conf)
>
> Nope, these are not set in my make.conf (600 on permissions).
>
>> but it doesn't need to write to the portage tree except to the distfiles
>> directory so I don't know of any reason to have everything owned by
>> portage:portage if the perms are 755/644.
>
> Ah, this is why my distfiles is root:portage.....?
>
>>
>> Mine is owned by root:root because it got borked one time after a sync so I
>> deleted it and copied from another box manually. The only problem I ever had
>> is that a fetch failed, and I just chowned the distfiles dir to portage:portage
>> to fix it. Only recently it was pointed out to me on this list that it was
>> supposed to be portage:portage. I never changed it back to portage:portage
>> but I made a mental note not to forget about it in case of trouble, that way
>> I'll learn why that's the default if/when something breaks :) Besides it
>> offers some (limited) protection against an ebuild accidentally writing to
>> your portage tree.
>
> Interesting. I guess I could look at the code but everything is working
> fine.
>
>
>>>> In my /usr/local/portage and its subdirs where I hack on many
>>>> ebuilds, portage.portage owns everything.....?
>>>
>>> Make your life easy, chown that stuff to james
>>
>> I personally prefer root:root because I think it is more secure. If you let
>> somebody use your account even for a minute s/he could modify an ebuild
>> without a password to install whatever s/he wants next time you run an
>> update.
>
> I like Alan's simplicity. I also like root:root, like my /usr/portage,
> but most of it is portage:portage, and that I did do. I just can't
> remember why.
>
> /usr/local/portage/ is the one I need to think about.

Here's what I suggest: You're doing a lot of hacking on ebuilds.

Make a local overlay in ~ and have it owned by james:james, mode 644,
just like all other code you'd keep in ~. Add that local repo to
repos.conf/, leave the main portage dirs and external overlays as they
are and hack away on clustering stuff to your heart's content.

>
> Thanks for the feedback guys,
> James
>
>
>
>
-- 
Alan McKinnon
alan.mckin...@gmail.com
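Added example, not code from the thread or from sys-apps/portage: a POSIX shell script that lays out the per-user overlay Alan suggests and prints the repos.conf stanza for it, prepares a distfiles directory with the root:portage / 2775 arrangement James listed, and audits a tree for group- or world-writable entries (Fernando's point: whoever can edit an ebuild in a tree you emerge from gets code run as root at the next update, since pkg_* phases run as root even with userpriv). The overlay path, the repo name `localrepo`, and the owning user (defaulting to whoever runs the script) are assumptions; directories get 755 rather than Alan's "644" because a 644 directory cannot be traversed.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts or
# from sys-apps/portage. Assumptions: the overlay path, the repo name
# "localrepo", and the owning user (default: whoever runs the script).
set -eu

# make_overlay DIR NAME [OWNER]
# Lays out the minimal repository Portage needs to recognise an overlay
# (profiles/repo_name and metadata/layout.conf), dirs 755 and files 644,
# owned by OWNER. Prints the stanza to drop into /etc/portage/repos.conf/.
make_overlay() {
    dir=$1
    name=$2
    owner=${3:-$(id -un)}
    mkdir -p "$dir/profiles" "$dir/metadata"
    printf '%s\n' "$name" > "$dir/profiles/repo_name"
    printf 'masters = gentoo\n' > "$dir/metadata/layout.conf"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    chown -R "$owner" "$dir"
    cat <<EOF
[$name]
location = $dir
masters = gentoo
auto-sync = no
EOF
}

# setup_distfiles DIR
# The arrangement James showed: root owns the directory, the portage group
# (which emerge drops to under FEATURES=userpriv) can write, and setgid
# keeps new files in that group. chown needs root and a portage group, so
# it is skipped when either is missing.
setup_distfiles() {
    dir=$1
    mkdir -p "$dir"
    chmod 2775 "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group portage >/dev/null 2>&1; then
        chown root:portage "$dir"
    fi
}

# audit_writable DIR
# Prints every entry under DIR that is group- or world-writable. An ebuild
# in a tree you emerge from has its pkg_* phases run as root, so anyone
# who can write there can run code as root at the next update. distfiles
# is the one place where group write is intended.
audit_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Stand-alone demonstration in a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    make_overlay "$tmp/overlay" localrepo > "$tmp/localrepo.conf"
    cat "$tmp/localrepo.conf"
    setup_distfiles "$tmp/distfiles"
    chmod 664 "$tmp/overlay/profiles/repo_name"   # simulate a sloppy perm
    audit_writable "$tmp/overlay"                  # flags repo_name
    rm -rf "$tmp"
}
demo
```

Run `audit_writable` against /usr/portage and every overlay listed in repos.conf; on a tree that is portage:portage with 2775/664, as Alan sets his, it will list everything, which is exactly the exposure Fernando's root:root preference avoids if any other account is ever in the portage group.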