I like security... which means I should be able to run portage as the portage user and have the umask be 077, or perhaps 027. Unfortunately, the last time I checked, portage could handle these restrictive permissions (I forget if it was these exactly) except for one set... java. In a perfect ebuild world all ebuilds could be installed under a very restrictive umask.
Should regen2 ever come to fruition this should be fixed.
4 comments:
I like this too, but what I'd REALLY like to see (in addition to this) is the ability to set the group ownership for the files installed by certain packages; that way you could, for example, have all media-video packages installed so they are only executable by those in the video group.
Anyway, I believe there was talk of this before, but the underlying utils (automake and such) didn't support it.
Still, it should be possible to change the perms on the files after a successful compile and make install, but before the package is merged to the live filesystem...
Sounds like a good idea. I don't see why it couldn't be possible. I think group permissions are the least understood generally available security feature.
It's why in some distros your user has their own group by default. In many distros your home directory would otherwise be readable by any user. 077 and 027 umasks should be easy to accomplish; there is very rarely a need to give everyone read/execute perms.
Hmmm, I just did a little poking around in a chroot I'm playing with, and in /etc/make.globals I noticed for the first time a pair of variables:
PORTAGE_INST_UID="0"
PORTAGE_INST_GID="0"
I tested a little, and files installed in any of the bin directories (but ONLY these files...) actually inherit the UID/GID set in these variables.
Of course, it's kinda useless without disabling o+rx, but it shows there is hope...
Think I'll poke around the portage scripts to see where it's done, and how easy it would be to extend.
I wish I knew python...
Holy crap...
Those permissions are applied in the VERY simple dobin and dosbin bash scripts; it literally just uses the following:
install -m0755 -o ${PORTAGE_INST_UID:-0} -g ${PORTAGE_INST_GID:-0} "${x}" "${D}${DESTTREE}/bin"
Change the -m0755 to -m0750, and the executables are now only runnable by members of the file's group, which is whatever you've set PORTAGE_INST_GID to.
Just use `equery -q f PACKAGE | xargs ls -ld` to verify.
It should be pretty easy to add variables to control those permissions, and then you can use /etc/portage/env to set custom user:group owners and permissions on a per-package basis...