On 11/02/2014 03:23, Walter Dnes wrote:
> On Tue, Feb 11, 2014 at 12:28:43AM +0000, Kerin Millar wrote
>> On 10/02/2014 23:57, Walter Dnes wrote:
>>>
>>> What's the point, if you still have to run as root (or su or sudo) for
>>> the emerge update process?
>>
>> It's the principle of least privilege. Is there any specific reason for
>> portage to fork and exec rsync as root? Is rsync sandboxed? Should rsync
>> have unfettered read/write access to all mounted filesystems? Can it be
>> guaranteed that rsync hasn't been compromised? Can it be guaranteed that
>> PORTAGE_RSYNC_OPTS will contain safe options at all times?
>>
>> The answer to all of these questions is "no". Basically, the combination
>> of usersync and non-root ownership of PORTDIR hardens the process in a
>> sensible way while conferring no disadvantage.
>
> If /usr/portage is owned by portage:portage, then wouldn't a user
> (member of portage) be able to do mischief by tweaking ebuilds? E.g.
> modify an ebuild to point to a tarball located on a usb stick, at
> http://127.0.0.1/media/sdc1/my_tarball.tgz. This would allow a local
> user to supply code that gets built and then installed in /usr/bin, or
> /sbin, etc.
>
Yes, you can do that. You can also rm with gainful abandon all over the place and wreak havoc like that. There are many attack vectors involving users doing dumb things, and no software is ever going to deal fully with user stupidity or mischief. Modifying an ebuild is no different attack-wise from putting it in a local overlay, and you can already do that.

What software security attempts to provide you is protection against unexpected side-effects like a malformed path (e.g. unquoted spaces) in an rm statement run as root, or bad guys out there banging on the door. Once an attacker can run your shell, it's basically game over at that point wrt security and just a matter of time.

So you have a choice between syncing as a regular user or syncing as root; there are pros and cons to each. Experience shows that in the general case the former offers more and better protection. But, if the latter really does suit your specific needs, then you have the choice to do it that way. You don't *have* to follow recommendations in man pages at all, but it's highly recommended you be well informed when making your personal choice.

--
Alan McKinnon
alan.mckin...@gmail.com
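A defender-side check for the setup Kerin describes (FEATURES="usersync" together with a PORTDIR not owned by root), added here as an example and not code from the thread. The make.conf sample and the `audit_sync`/`conf_value` helpers are constructed assumptions; the parser only reads plain `VAR="value"` or `VAR=value` lines, not `${FEATURES}` appends.

```sh
#!/bin/sh
# Audit whether portage's rsync sync will run unprivileged:
# FEATURES must contain "usersync" and PORTDIR must not be owned by root.

# Constructed make.conf contents (sample input, not from a real system)
SAMPLE_MAKE_CONF='PORTDIR="/usr/portage"
FEATURES="sandbox usersync"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --delete"'

# Print the value of make.conf variable $1 from text on stdin.
# Handles VAR="value" and VAR=value; the last assignment wins.
conf_value() {
    sed -n 's/^[[:space:]]*'"$1"'="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' | tail -n 1
}

# Succeed only if "usersync" is a whole word in FEATURES read from stdin
# ("-usersync", which disables the feature, does not match).
has_usersync() {
    case " $(conf_value FEATURES) " in
        *" usersync "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Succeed if the owner name ($1, as printed by `stat -c %U`) is not root.
owner_is_unprivileged() {
    [ -n "$1" ] && [ "$1" != "root" ]
}

# $1 = make.conf text, $2 = owner of PORTDIR. Both conditions must hold;
# usersync without a non-root PORTDIR (or vice versa) still syncs as root.
audit_sync() {
    if printf '%s\n' "$1" | has_usersync && owner_is_unprivileged "$2"; then
        echo "ok: rsync will run as '$2' (usersync enabled, PORTDIR non-root)"
        return 0
    fi
    echo "warn: sync still runs as root (usersync missing or PORTDIR owned by root)"
    return 1
}

# On a live box you would feed the real file and owner instead, e.g.:
#   conf=$(cat /etc/portage/make.conf)
#   owner=$(stat -c %U "$(printf '%s\n' "$conf" | conf_value PORTDIR)")
#   audit_sync "$conf" "$owner"
audit_sync "$SAMPLE_MAKE_CONF" portage
```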