logrusx Advocate
Posted: Sun Apr 26, 2020 8:11 pm Post subject: Portage permissions prevent users from executing verbose commands
Code: |
emerge -pv --depclean
...
Permission denied: '/var/lib/portage/preserved_libs_registry'
|
What has happened lately that prevents regular users from executing this command?
I remember hitting another issue related to permissions, but didn't recognize it for what it was and forgot about it.
Code: | ls -la /var/lib/portage/preserved_libs_registry
-rw-rw---- 1 root portage 2 Apr 22 00:34 /var/lib/portage/preserved_libs_registry |
Regards,
Georgi
Hu Administrator
Posted: Sun Apr 26, 2020 8:24 pm
The permissions have nothing to do with the verbose flag here. I don't think that was ever guaranteed to work. It might work if your user is in the portage group, but that has been discouraged for years.
logrusx Advocate
Posted: Sun Apr 26, 2020 8:38 pm
It used to work. I haven't made any changes, either to the user or to the file itself.
pjp Administrator
Posted: Sun Apr 26, 2020 9:00 pm
Hu wrote: | The permissions have nothing to do with the verbose flag here. I don't think that was ever guaranteed to work. It might work if your user is in the portage group, but that has been discouraged for years. | Is there by any chance a list of things that are discouraged? I seem to find out about them from random comments in threads :).
_________________ Quis separabit? Quo animo?
Hu Administrator
Posted: Sun Apr 26, 2020 11:03 pm
logrusx: when did it last work?
I'm not aware of a list. I consider it discouraged based on a warning I once saw that putting your user in the Linux group portage gives all your processes the ability to manipulate some files that are written/trusted by emerge. In the extreme case, a badly behaved process (whether malicious or just malfunctioning) could impact some aspects of Portage configuration, causing surprising or unwanted results the next time root uses emerge to manage the system. The output shown in this thread is one example: anyone in the Portage group can rewrite that list, which could mislead Portage into preserving a library it should not, or not preserving a library it should. If you trust everything you run, adding your user to the group portage should be fine.
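The point Hu makes above, that group membership turns "can read the registry" into "can rewrite the registry", is easy to check rather than guess at. The following is an added example written for this thread (not code from the thread or from Portage): it applies the standard Unix discretionary access control decision (owner, group or other bits, with root bypassing the check) to a set of Portage state files for a given user. The file metadata is constructed to mirror the `ls -la` output quoted in the thread, and the gid 250 for the portage group is an assumption used only for the demo; `audit_live()` runs the same check against the real filesystem for a named account.

```python
"""Who can read or write Portage's state files?

Added example for this thread (not code from the thread or from Portage):
evaluates classic Unix discretionary access control (owner/group/other
bits, root bypassing the check) for a given user against a set of files,
so you can see exactly what membership in the `portage` group grants.
The file metadata below is constructed to mirror the `ls -la` output
quoted in the thread; audit_live() runs the same check against the real
filesystem for a named account.
"""
import os
import pwd
import stat
from dataclasses import dataclass

READ, WRITE = "read", "write"

# Assumption for the demo only: Gentoo allocates gid 250 to the portage group.
PORTAGE_GID = 250


@dataclass(frozen=True)
class FileMeta:
    path: str
    mode: int  # permission bits only, e.g. 0o660
    uid: int
    gid: int


def can_access(meta: FileMeta, uid: int, gids: frozenset, want: str) -> bool:
    """DAC decision: root passes; otherwise exactly one class of bits
    applies: owner if uid matches, else group if the primary or any
    supplementary gid matches, else other. ACLs, capabilities and MAC
    (SELinux, AppArmor) are deliberately out of scope."""
    if uid == 0:
        return True
    if uid == meta.uid:
        bit_r, bit_w = stat.S_IRUSR, stat.S_IWUSR
    elif meta.gid in gids:
        bit_r, bit_w = stat.S_IRGRP, stat.S_IWGRP
    else:
        bit_r, bit_w = stat.S_IROTH, stat.S_IWOTH
    return bool(meta.mode & (bit_r if want == READ else bit_w))


def audit(files, uid: int, gids: frozenset) -> dict:
    """Map each path to the set of operations the user may perform."""
    return {
        f.path: {op for op in (READ, WRITE) if can_access(f, uid, gids, op)}
        for f in files
    }


def audit_live(paths, username: str) -> dict:
    """Same check against the running system, using the account's real
    uid and full group list (primary plus supplementary groups)."""
    pw = pwd.getpwnam(username)
    gids = frozenset(os.getgrouplist(username, pw.pw_gid))
    files = []
    for p in paths:
        st = os.stat(p)
        files.append(FileMeta(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return audit(files, pw.pw_uid, gids)


# Constructed sample: the root:portage 0660 registry from the thread's
# ls -la, and the o+r world files logrusx points to later in the thread.
SAMPLE_FILES = [
    FileMeta("/var/lib/portage/preserved_libs_registry", 0o660, 0, PORTAGE_GID),
    FileMeta("/var/lib/portage/world", 0o644, 0, 0),
    FileMeta("/var/lib/portage/world_sets", 0o644, 0, 0),
]

if __name__ == "__main__":
    plain = frozenset({1000})
    member = frozenset({1000, PORTAGE_GID})
    print("uid 1000, not in portage:", audit(SAMPLE_FILES, 1000, plain))
    print("uid 1000, in portage:    ", audit(SAMPLE_FILES, 1000, member))
```

Run as-is, the output shows the asymmetry the thread is about: outside the portage group, uid 1000 can read the world files but touch the registry in no way at all (hence the `Permission denied` on `emerge -pv --depclean`); inside the group it gains read and write on the registry, not just read. Point `audit_live(["/var/lib/portage/preserved_libs_registry"], "yourname")` at a real box to confirm what your own account is currently granted.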
pjp Administrator
Posted: Sun Apr 26, 2020 11:15 pm
Hu wrote: | If you trust everything you run, adding your user to the group portage should be fine. | lol, thanks. I'll remedy that sooner than later.
Tony0945 Watchman
Posted: Sun Apr 26, 2020 11:33 pm
The alternative is to always run "su root" immediately on login, à la Windows.
If you can't trust your software, don't run it! The permission system is there so that everyone doesn't have to become root. It's about trusted users, not trusted hardware.
asturm Developer
Posted: Sun Apr 26, 2020 11:40 pm
That's not something I remember doing in Windows.
Why would you do that? The overwhelming majority of tasks in your session will not require root privileges, and we don't just log in to update Portage.
Hu Administrator
Posted: Mon Apr 27, 2020 12:28 am
I make it a point not to trust my processes much more than necessary. It would be nice if I could say that I only run things I trust completely, but I don't have nearly the time to audit everything to the required level of detail. If I did, I'd be scoring all the bug bounties from browser vendors. To me, the existence of bugs that warrant CVEs justifies spending some effort confining the damage that those bugs can do, because I can't assume that I will always get the bug patched before an exploit is turned loose in the wild. I can't say I have everything confined to do exactly what it should and nothing more, but I can say that what I have is better than nothing. Perfect confinement is too much trouble to maintain.
I run my browser in a jail, so it has a very limited view of my home directory, and no ability to escalate to root. When I want my browser to read a file, I expose that file in the jail. I run some of my shells with the no-new-privileges flag set, so those shells cannot usefully run /bin/su. When I want to su, I open or switch to a shell that is not constrained to no-new-privileges. When I build code outside of Portage, I run the build system confined so that an errant /bin/rm -rf cannot trash anything I would find it difficult to replace. I don't expect that the people who write the programs that I run are out to cause me trouble, but I do believe that some of them are in too much of a hurry for me to reasonably expect they will always get everything right.
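The "no-new-privileges flag" in the post above is the Linux `PR_SET_NO_NEW_PRIVS` process attribute. The following is an added example, not code from the thread and not a description of how Hu sets up his shells: it sets the flag with `prctl(2)` in a child between fork and exec and then has the exec'd program report its own `NoNewPrivs` line from `/proc/self/status`, which is the observable behind "those shells cannot usefully run /bin/su": once set, the flag is irreversible and is inherited across fork and execve, so a setuid binary started from such a shell runs with the setuid bit ignored and cannot become root. Everything here is Linux-specific; on other platforms the probes return None.

```python
"""PR_SET_NO_NEW_PRIVS, shown on a live process.

Added example for this thread (not code from the thread): sets the flag
via prctl(2) in a child between fork and exec, then has the exec'd
program print its own NoNewPrivs line from /proc/self/status. The flag
is irreversible and survives fork and execve, which is why a setuid
binary such as /bin/su launched from a flagged shell cannot escalate.
Linux only; the probes return None elsewhere.
"""
import ctypes
import os
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38  # value from <linux/prctl.h>


def set_no_new_privs() -> None:
    """prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0): from now on execve() will
    not grant privileges through setuid/setgid bits or file capabilities.
    Arguments are passed as C unsigned long because prctl is variadic."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    rc = libc.prctl(ctypes.c_int(PR_SET_NO_NEW_PRIVS), ctypes.c_ulong(1),
                    ctypes.c_ulong(0), ctypes.c_ulong(0), ctypes.c_ulong(0))
    if rc != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def no_new_privs_flag(pid="self"):
    """Read NoNewPrivs (0 or 1) from /proc/<pid>/status; None without /proc."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("NoNewPrivs:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


# The exec'd helper: prints its own NoNewPrivs value and nothing else.
_PROBE = ("s = open('/proc/self/status').read(); "
          "print(s.split('NoNewPrivs:')[1].split()[0])")


def flag_after_exec(set_flag: bool):
    """Spawn a Python child and, if asked, set the flag in preexec_fn,
    which runs in the child after fork and before exec. The parent is
    never touched, which is what lets a flagged shell and an unconfined
    one (the one you su from) coexist in the same session."""
    if sys.platform != "linux":
        return None
    proc = subprocess.run(
        [sys.executable, "-c", _PROBE],
        capture_output=True, text=True, check=True,
        preexec_fn=set_no_new_privs if set_flag else None,
    )
    return int(proc.stdout.strip())


if __name__ == "__main__":
    print("this process   :", no_new_privs_flag())
    print("child, no flag :", flag_after_exec(False))  # inherits ours
    print("child, flagged :", flag_after_exec(True))   # always 1
```

The unflagged child reports whatever the parent has (normally 0; 1 if you are already inside a container or service started with no-new-privileges), while the flagged child always reports 1 even though the flag was set before `execve`, which is the inheritance that defeats `su`. Outside Python, `setpriv --no-new-privs bash` from util-linux gives a shell with the same property; the thread does not say which mechanism Hu uses, so treat that as one option rather than his method.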
Tony0945 Watchman
Posted: Mon Apr 27, 2020 12:36 am
asturm wrote: | That's not something I remember doing in Windows. |
It's automatic when you establish your username as administrator, as most people do in a home environment.
Tony0945 Watchman
Posted: Mon Apr 27, 2020 12:46 am
asturm wrote: | Why would you do that? The overwhelming majority of tasks in your session will not require root privileges, and we don't just log in to update Portage. |
Aside from web browsing and e-mail, it's about all I do on my Gentoo boxes. Except for the one I do development on, and even there I'm often doing "su root" to work on my private ebuilds.
Right now I'm on Windows, waiting for a recording to finish. There is a Linux version of the software that I've tested, and I am building a standalone box for it from new drives, a new power supply and an old motherboard. It's extremely lightweight.
SageTV for Linux
One of the things that drove me crazy on Ubuntu was prefixing every command with "sudo".
logrusx Advocate
Posted: Tue Apr 28, 2020 9:35 am
Hu wrote: | logrusx: when did it last work? |
Honestly, I can't remember. Since that virus thing has numbed the world, I lost track of time. Maybe two months ago. There were 2 or 3 Portage updates in just the last few weeks. I guess it happened somewhere around them. Before that I hadn't updated for a while.
And I sure haven't had my user in the portage group.
Regards,
Georgi
ff11 l33t
Posted: Tue Apr 28, 2020 11:31 am
logrusx wrote: | Hu wrote: | logrusx: when did it last work? |
Honestly, I can't remember. Since that virus thing has numbed the world, I lost track of time. Maybe two months ago. There were 2 or 3 Portage updates in just the last few weeks. I guess it happened somewhere around them. Before that I hadn't updated for a while.
And I sure haven't had my user in the portage group.
Regards,
Georgi |
Just for information, today with my system updated (2020/04/28):
Code: | $ ls -la /var/lib/portage/preserved_libs_registry
-rw-rw---- 1 root portage 3 Apr 26 20:28 /var/lib/portage/preserved_libs_registry
$ cat /var/lib/portage/preserved_libs_registry
cat: /var/lib/portage/preserved_libs_registry: Permission denied
$ emerge -pv --depclean
...
>>> No packages selected for removal by depclean
Packages installed: 1190
Packages in world: 238
Packages in system: 43
Required packages: 1190
Number to remove: 0
|
I have removed my user from the portage group too (thanks Hu).
But then I remembered why my user was in the portage group: to use the ebuild command without root (it can be scary to test and make new ebuilds).
asturm,
do you know a better way to use the ebuild command without root, and without being in the portage group, or do I need to make a patch?
_________________ | Proverbs 26:12 |
| There is more hope for a fool than for a wise man that are wise in his own eyes. |
* AlphaGo - The Movie - Full Documentary "I want to apologize for being so powerless" - Lee
logrusx Advocate
Posted: Tue Apr 28, 2020 2:11 pm
I believe something has changed and the file is not deleted anymore, but left empty. I most certainly had a few preserved libs before the last update. After I deleted the file, the command completes successfully.
Regards,
Georgi
ff11 l33t
Posted: Tue Apr 28, 2020 7:44 pm
logrusx wrote: | I believe something has changed and the file is not deleted anymore, but left empty. I most certainly had a few preserved libs before the last update. After I deleted the file, the command completes successfully.
Regards,
Georgi |
Well, if you are happy with this, then just edit the first post to add "[solved]" to the title.
By the way, I'm using this ugly patch now:
/etc/portage/patches/sys-apps/portage/nogid_portage.patch
Code: | *** a/lib/portage/util/__init__.py 2020-02-14 21:19:02.000000000 -0300
--- b/lib/portage/util/__init__.py 2020-04-28 16:06:00.068879114 -0300
***************
*** 1084,1089 ****
--- 1084,1091 ----
# Since Python 3.4, chown requires int type (no proxies).
uid = int(uid)
gid = int(gid)
+ if "NO_GID" in os.environ:
+ gid = -1
if stat_cached is None:
stat_cached = _do_stat(filename, follow_links=follow_links)
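Review bot: the guard `+ if "NO_GID" in os.environ:` keys on the mere presence of the variable, not its value, and it forces `gid = -1` for every group change this function performs, so an emerge run by root from a shell that still has NO_GID exported will also stop setting group ownership on the files Portage writes, with nothing logged. Narrow the condition, for example to `os.geteuid() != 0`, or better, keep the requested gid and only fall back to `-1` when the group change fails with EPERM for a non-root caller; and add a comment on the knob, since nothing in the hunk records that `-1` is relied on to mean "leave the group unchanged" in the chown that follows the visible context (the `# Since Python 3.4, chown requires int type` comment is the only hint of it).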
|
So I can use the ebuild command as a regular user without being in the portage group (with NO_GID=""). It's ugly, but works for now.
logrusx Advocate
Posted: Tue Apr 28, 2020 8:31 pm
ff11 wrote: |
Well, if you are happy with this, then just edit the first post to add "[solved]" to the title.
|
The reason I posted this is because it seems like an unintentional change. I don't know how to check it myself; I don't know Python. Maybe I could also find my way through commit messages, but that seems like too much trouble.
Regards,
Georgi
ff11 l33t
Posted: Tue Apr 28, 2020 9:00 pm
logrusx wrote: | ff11 wrote: |
Well, if you are happy with this, then just edit the first post to add "[solved]" to the title.
|
The reason I posted this is because it seems like an unintentional change. I don't know how to check it myself; I don't know Python. Maybe I could also find my way through commit messages, but that seems like too much trouble.
Regards,
Georgi |
Well, you are thinking wrong about this.
The correct way is that you don't have permission to use "/var/lib/portage/preserved_libs_registry" if you aren't in the portage group. That's it, Portage will not do some magic. And if it worked that way before, then it was a bug that got fixed.
So the way it works now is the correct way. And if you want, you can add your user to the portage group and be happy.
logrusx Advocate
Posted: Wed Apr 29, 2020 6:07 pm
ff11 wrote: | logrusx wrote: | ff11 wrote: |
Well, if you are happy with this, then just edit the first post to add "[solved]" to the title.
|
The reason I posted this is because it seems like an unintentional change. I don't know how to check it myself; I don't know Python. Maybe I could also find my way through commit messages, but that seems like too much trouble.
Regards,
Georgi |
Well, you are thinking wrong about this.
The correct way is that you don't have permission to use "/var/lib/portage/preserved_libs_registry" if you aren't in the portage group. That's it, Portage will not do some magic. And if it worked that way before, then it was a bug that got fixed.
So the way it works now is the correct way. And if you want, you can add your user to the portage group and be happy. |
Can you point me to a specification or something? Because /var/lib/portage/{world,world_sets} are marked o+r.
ff11 l33t
Posted: Wed Apr 29, 2020 6:35 pm
logrusx wrote: | Can you point me to a specification or something? Because /var/lib/portage/{world,world_sets} are marked o+r. |
I'm talking about the behavior of the file permissions (if they have been changed by Portage, then it's intentional, because you have to code more lines to do it).
Sure, you can give permission to read it using o+r too. Maybe you want to do it with the logs too (/var/log/emerge*).
But, sorry, I fail to understand what you are trying to do here now. If you want to get the attention of the Gentoo devs who make changes to the Portage code, then you should go to something like https://bugs.gentoo.org or the #gentoo-dev freenode IRC channel (they rarely show up here on the forum).
logrusx Advocate
Posted: Wed Apr 29, 2020 6:49 pm
I'm trying to clarify the situation. Can you point to something that can help?
ff11 l33t
Posted: Wed Apr 29, 2020 7:01 pm
logrusx wrote: | I'm trying to clarify the situation. Can you point to something that can help? |
Again, sorry, I can't understand what situation you are talking about here now.
The situation of the file permissions should be clear already, as should the possibility of adding your user to the portage group (to solve the problem). You can use your command.
If you want someone here on the forum to track changes to the Portage code just out of curiosity, then you'd better look for the developers who work with the code on IRC (I think I made that clear too).
So, could you tell this dumb one here, what situation are you talking about?
logrusx Advocate
Posted: Wed Apr 29, 2020 7:46 pm
You've already shared your opinion, you don't need to repeat it over and over again. Could you please stop doing that?
Regards,
Georgi
pjp Administrator
Posted: Wed Apr 29, 2020 8:10 pm
ff11 wrote: | Just for information, today with my system updated (2020/04/28):
Code: | $ ls -la /var/lib/portage/preserved_libs_registry
-rw-rw---- 1 root portage 3 Apr 26 20:28 /var/lib/portage/preserved_libs_registry
$ cat /var/lib/portage/preserved_libs_registry
cat: /var/lib/portage/preserved_libs_registry: Permission denied
$ emerge -pv --depclean
...
>>> No packages selected for removal by depclean
Packages installed: 1190
Packages in world: 238
Packages in system: 43
Required packages: 1190
Number to remove: 0
|
I have removed my user from the portage group too (thanks Hu). | ff11 wrote: | Well, you are thinking wrong about this.
The correct way is that you don't have permission to use "/var/lib/portage/preserved_libs_registry" if you aren't in the portage group. That's it, Portage will not do some magic. And if it worked that way before, then it was a bug that got fixed.
So the way it works now is the correct way. And if you want, you can add your user to the portage group and be happy. | So what "fixed" it? You didn't receive the error. I also removed myself from the portage group, and I'm not seeing the error. So something changed, somewhere, and it has not been demonstrated why it would be a file permissions issue only on logrusx's system.
@logrusx,
What version of Portage are you using? I'm using portage-2.3.89-r3.
This is unlikely, but what is the output of: /usr/bin/sudo /usr/bin/lsattr /var/lib/portage/preserved_libs_registry?
ff11 l33t
Posted: Wed Apr 29, 2020 8:15 pm
pjp wrote: | ff11 wrote: | Just for information, today with my system updated (2020/04/28):
Code: | $ ls -la /var/lib/portage/preserved_libs_registry
-rw-rw---- 1 root portage 3 Apr 26 20:28 /var/lib/portage/preserved_libs_registry
$ cat /var/lib/portage/preserved_libs_registry
cat: /var/lib/portage/preserved_libs_registry: Permission denied
$ emerge -pv --depclean
...
>>> No packages selected for removal by depclean
Packages installed: 1190
Packages in world: 238
Packages in system: 43
Required packages: 1190
Number to remove: 0
|
I have removed my user from the portage group too (thanks Hu). | ff11 wrote: | Well, you are thinking wrong about this.
The correct way is that you don't have permission to use "/var/lib/portage/preserved_libs_registry" if you aren't in the portage group. That's it, Portage will not do some magic. And if it worked that way before, then it was a bug that got fixed.
So the way it works now is the correct way. And if you want, you can add your user to the portage group and be happy. | So what "fixed" it? You didn't receive the error. I also removed myself from the portage group, and I'm not seeing the error. So something changed, somewhere, and it has not been demonstrated why it would be a file permissions issue only on logrusx's system.
@logrusx,
What version of Portage are you using? I'm using portage-2.3.89-r3.
This is unlikely, but what is the output of: /usr/bin/sudo /usr/bin/lsattr /var/lib/portage/preserved_libs_registry? |
Well, the error message appears only when emerge needs to read "/var/lib/portage/preserved_libs_registry" without permission. According to the initial proposition, it worked previously, but not now. And for me, that would be a bug that has been fixed.
EDIT: to reproduce, maybe you need to force something to populate "/var/lib/portage/preserved_libs_registry" first, I guess.
logrusx Advocate
Posted: Wed Apr 29, 2020 8:24 pm
pjp wrote: | @logrusx,
What version of Portage are you using? I'm using portage-2.3.89-r3.
This is unlikely, but what is the output of: /usr/bin/sudo /usr/bin/lsattr /var/lib/portage/preserved_libs_registry? |
Portage version is the same as yours. I can't run lsattr on /var/lib/portage/preserved_libs_registry, because once I saw it was empty, I deleted it.
I see things these two ways:
1) it hasn't been kept empty, but was deleted in the past once preserved libs had been successfully rebuilt, or
2) the permissions Portage creates it with have been changed at a certain point in time.
But if only the permissions changed, this means it must have been created after that point in time, or it would have preserved the old permissions otherwise. And if the permissions didn't change, and the file was kept in the past, then emerge -pv --depclean wouldn't have worked as a regular user in the past.
Regards,
Georgi