On 11/02/2014 01:23, Walter Dnes wrote:
On Tue, Feb 11, 2014 at 12:28:43AM +0000, Kerin Millar wrote
On 10/02/2014 23:57, Walter Dnes wrote:

    What's the point, if you still have to run as root (or su or sudo) for
the emerge update process?

It's the principle of least privilege. Is there any specific reason for
portage to fork and exec rsync as root? Is rsync sandboxed? Should rsync
have unfettered read/write access to all mounted filesystems? Can it be
guaranteed that rsync hasn't been compromised? Can it be guaranteed that
PORTAGE_RSYNC_OPTS will contain safe options at all times?

The answer to all of these questions is "no". Basically, the combination
of usersync and non-root ownership of PORTDIR hardens the process in a
sensible way while conferring no disadvantage.

   If /usr/portage is owned by portage:portage, then wouldn't a user
(member of portage) be able to do mischief by tweaking ebuilds?  E.g.
modify an ebuild to point to a tarball located on a usb stick, at
http://127.0.0.1/media/sdc1/my_tarball.tgz.  This would allow a local
user to supply code that gets built and then installed in /usr/bin, or
/sbin, etc.

Yes, but only if the group write bit is set throughout PORTDIR. By default, rsync - as invoked by portage - preserves the permission bits from the remote and the files stored by the mirrors do not have this bit set.

What I have described elsewhere is a method for ensuring that the group write bit is set. In that case, your concern is justified; you would definitely not want to grant membership of the portage group to anyone that you couldn't trust in this context.

--Kerin
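The two conditions the reply above turns on, that PORTDIR belongs to the sync user and that nothing in it carries the group (or other) write bit, can be checked mechanically. The script below is an added example, not code from this thread or from portage; it audits a tree with POSIX `find` only, and demonstrates against a constructed miniature tree (a fake `app-misc/foo` ebuild, not a real package) how a single `g+w` bit is enough to fail the audit. The path and the owning user/group are parameters rather than the `/usr/portage` and `portage:portage` named in the thread, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit a portage tree for the two
# properties discussed above. Run as:  sh portdir_audit.sh [/usr/portage portage portage]

# List entries under $1 that are group- or world-writable.
# Octal masks keep this POSIX-portable (-020 = g+w, -002 = o+w).
# Returns 0 when the tree is clean, 1 when at least one entry was listed.
find_group_writable() {
    hits=$(find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# List entries under $1 not owned by user $2 / group $3. Numeric ids or
# names both work ("portage" "portage" on a real system).
# Returns 0 when every entry matches, 1 otherwise.
find_wrong_owner() {
    hits=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Combined check: 0 only if both ownership and permission bits are sane.
# Any hit means a member of the owning group could edit an ebuild that
# root later builds and installs.
audit_portdir() {
    rc=0
    find_wrong_owner "$1" "$2" "$3" || rc=1
    find_group_writable "$1" || rc=1
    return $rc
}

# Constructed miniature tree for the demo; not a real repository.
# Modes mirror what the mirrors ship: 755 directories, 644 files.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app-misc/foo"
    printf '# constructed ebuild for the demo, not a real package\nSRC_URI="http://example.invalid/foo.tgz"\n' \
        > "$d/app-misc/foo/foo-1.ebuild"
    chmod 755 "$d" "$d/app-misc" "$d/app-misc/foo"
    chmod 644 "$d/app-misc/foo/foo-1.ebuild"
    printf '%s\n' "$d"
}

# Demo: audit the given tree, or the constructed one when run without
# arguments. In the constructed case, flipping g+w on one ebuild (what a
# blanket "chmod -R g+w" on PORTDIR does) makes the audit name the file.
if [ $# -eq 3 ]; then
    audit_portdir "$1" "$2" "$3" && echo "OK: $1 is owned by $2:$3 and not group-writable"
else
    tree=$(make_demo_tree)
    audit_portdir "$tree" "$(id -u)" "$(id -g)" && echo "clean tree: OK"
    chmod g+w "$tree/app-misc/foo/foo-1.ebuild"
    audit_portdir "$tree" "$(id -u)" "$(id -g)" || echo "group-writable ebuild detected"
    rm -rf "$tree"
fi
```

On a live system the first form (`sh portdir_audit.sh /usr/portage portage portage`) is the one to run after each sync; a non-empty listing from `find_group_writable` is exactly the situation in which, as the reply notes, membership of the portage group must be restricted to trusted users.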
