On Mon, 10 Feb 2014 14:03:44 -0500, "Walter Dnes" <waltd...@waltdnes.org> wrote:
> On Mon, Feb 10, 2014 at 05:09:55PM +0000, Stroller wrote
> >
> > On Mon, 10 February 2014, at 4:55 pm, Gleb Klochkov
> > <glebiu...@gmail.com> wrote:
> >
> > > Hi. Try to use sudo with no password for eix-sync.
> >
> > I'd really rather not. Thanks, though.
>
> Being in group "portage" is not enough. That merely lets you do
> emerges with "--pretend". "emerge --sync" modifies files in
> /usr/portage. Files and directories in /usr/portage/ are user:group
> root:root. Therefore you *NEED* root-level permission to modify them.
> No ifs/ands/ors/buts. The overall easiest method is to (as root)...
>
> * "emerge sudoers" if it's not installed
> * "visudo -f /etc/sudoers.d/001" (or whatever you want to call the
>   file)
> * set up the file. Here's a fragment from my system, with user
>   "waltdnes" and machine name "i660"
>
> waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
> waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
>
> I could manually type the command with sudo, but I'm lazy. In my
> /home/waltdnes/bin directory, I have a file "hb"
>
> #!/bin/bash
> sync
> sleep 15
> sudo /usr/sbin/hibernate
>
> and file "fdl"
>
> #!/bin/bash
> sudo /sbin/fdisk -l
>
> To sync the machine, I could add to /etc/sudoers.d/001
>
> waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
>
> and create (as waltdnes) /home/waltdnes/emsy
>
> #!/bin/bash
> sudo /usr/bin/emerge --sync
>
> For security, I strongly recommend that the full path of the
> executable be specified, as well as any options. Do not use the $*
> commandline parameter in the sudoers file. It probably works, but is
> too wide open.
>

eroen@falcon ~ $ wget -O - 'http://mirrors.eu.kernel.org/gentoo/snapshots/portage-20140209.tar.xz' 2>/dev/null | tar tvJ | head -n 10
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/
-rw-r--r-- portage/portage 1232 2013-03-05 22:31 portage/skel.metadata.xml
drwxr-xr-x portage/portage 0 2014-02-10 01:31 portage/sec-policy/
drwxr-xr-x portage/portage 0 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/
-rw-r--r-- portage/portage 448 2012-10-13 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-9999.ebuild
-rw-r--r-- portage/portage 10496 2014-01-12 21:31 portage/sec-policy/selinux-thunderbird/Manifest
-rw-r--r-- portage/portage 476 2013-02-23 18:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r11.ebuild
-rw-r--r-- portage/portage 475 2012-12-13 11:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r8.ebuild
-rw-r--r-- portage/portage 475 2013-08-15 09:01 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20130424-r2.ebuild
-rw-r--r-- portage/portage 475 2012-10-04 20:31 portage/sec-policy/selinux-thunderbird/selinux-thunderbird-2.20120725-r5.ebuild

For portage's (default-enabled) FEATURES="usersync" to work (dropping
privileges when syncing as root), /usr/portage must be writeable by
portage:portage. The tree snapshots have not always had this permissions
setup, so mature installs would require manual intervention at some
point, either updating the permissions or disabling usersync.

Still, the files are not group-writeable by default, so portage group
membership would not be sufficient.

I would suggest a solution based on su/sudo, as merely changing the
permissions would need to be re-done if the tree is ever synced as root
later.

-- 
eroen
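
Added example, not part of the original thread: a small sh/awk lint for the advice quoted above about pinning the full executable path and its options in NOPASSWD rules. It relies on the sudoers(5) behaviour that a command listed without arguments may be run with any arguments; the function names, the tags and the last three sample rules are constructed for illustration.

```shell
# Added example, not from the thread: lint NOPASSWD rules in a sudoers fragment.
# Assumes one command per rule line (no comma lists, aliases or continuations).

# audit_sudoers FILE: print "tag: rule" per risky rule; return 1 if any found.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                # comments and blank lines
    !/NOPASSWD:/   { next }                # only passwordless rules
    {
        cmd = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmd)
        sub(/[ \t]+$/, "", cmd)
        tag = ""
        if (cmd == "ALL")
            tag = "any-command"            # every command, as root
        else if (substr(cmd, 1, 1) != "/")
            tag = "relative-path"          # executable not given by full path
        else if (index(cmd, "*") || index(cmd, "?") || index(cmd, "["))
            tag = "wildcard"               # glob in the command or its arguments
        else if (cmd !~ /[ \t]/)
            tag = "args-unpinned"          # no arguments listed: any are accepted
        if (tag != "") { print tag ": " $0; bad = 1 }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the first three rules are quoted from the thread,
# the last three are made up to trigger the remaining checks.
sample_rules() {
    cat <<'EOF'
waltdnes i660 = (root) NOPASSWD: /usr/sbin/hibernate
waltdnes i660 = (root) NOPASSWD: /sbin/fdisk -l
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge --sync
waltdnes i660 = (root) NOPASSWD: /usr/bin/emerge *
waltdnes i660 = (root) NOPASSWD: emerge --sync
waltdnes i660 = (root) NOPASSWD: ALL
EOF
}

# Audit the sample via a temp file; the exit status is that of audit_sudoers.
audit_sample() {
    tmp=$(mktemp) || return 2
    sample_rules > "$tmp"
    rc=0; audit_sudoers "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

audit_sample || echo "risky NOPASSWD rules found" >&2
```

To pin a rule to "no arguments at all", sudoers accepts an empty string after the path (for example `/usr/sbin/hibernate ""`), which this lint treats as pinned.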