On Fri, 6 Apr 2018 14:49:52 -0700 Ross Vandegrift <r...@kallisti.us> said:
> On Fri, Apr 06, 2018 at 11:28:58AM -0400, William L. Thomson Jr. wrote: > > On Fri, 6 Apr 2018 14:10:51 +0900 Carsten Haitzler (The Rasterman) > > <ras...@rasterman.com> wrote: > > > limiting your sandbox from > > > accessing XDG_RUNTIME_DIR is probably a very bad idea, because this > > > is the standard "xdg" location for any run-time files. sockets or any > > > other relevant "only around during runtime of a users log in session" > > > files (thus they are not expected to persist and this dir and it not > > > shared between users etc.) :) > > Well, it's not quite that simple during package builds. Debian has a > similar policy because users may build packages outside of a chroot. > If the build process writes outside of the build dir, this could mess > with their real home dirs. > > I imagine the Gentoo motivation is the same. > > > This is during build, nothing is running. Also this violates Gentoo > > distro specific build policies. > > > > "All packages must build correctly when sandbox is active. " > > https://devmanual.gentoo.org/general-concepts/sandbox/ > > Solution is to run WITH XDG_RUNTIME_DIR and HOME set to a temp dir: > https://sources.debian.org/src/efl/1.20.7-4/debian/fake_home.sh/ > > Example use: > https://sources.debian.org/src/efl/1.20.7-4/debian/rules/#L62 > > > Seems like something does need to be fixed. > > Yes - the build environment! indeed. don't tell apps to use a dir you then forbid them access to when that dir is explicitly specced to exist for the purposes of having write access to to create sockets, etc. :) the build env, if it is going to implement a sandbox (and nothing wrong with the idea at all - a good one if your regularly build untrusted code), should ensure it is not being inconsistent like this. -- ------------- Codito, ergo sum - "I code, therefore I am" -------------- Carsten Haitzler - ras...@rasterman.com ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel