NichtDerHans (Apprentice)
Joined: 27 Jan 2023 Posts: 193
Posted: Fri Mar 07, 2025 7:42 am Post subject: Handling a local overlay and ebuilds as user

Hello my friends, I am not Hans.
I would like to create an overlay in “/home/username/gentoooverlay”, which I can use normally with “emerge” (as root), but handle it as a user.
I read this one: https://wiki.gentoo.org/wiki/Creating_an_ebuild_repository
I want to be able to create and edit the ebuilds as a user and prepare them with “pkgdev” and “pkgcheck”. Only the installation with “emerge” should be done as root.
How do I have to proceed?
Have a very nice sunny day
fedeliallalinea (Administrator)
Joined: 08 Mar 2003 Posts: 31525 Location: here
Posted: Fri Mar 07, 2025 7:54 am

Your overlay can be in your home and have user rights. What you need to do is add your user to the portage group so you can write to both ${DISTDIR} and ${PORTAGE_TMPDIR}/portage.
_________________
Questions are guaranteed in life; Answers aren't.
logrusx (Advocate)
Joined: 22 Feb 2018 Posts: 2812
Posted: Fri Mar 07, 2025 8:28 am

fedeliallalinea wrote:
    What you need to do is add your user to the portage group
Not a good idea. This is effectively making your user root.
I gave up on the idea of managing my overlay as a user. Too much back and forth and too much space for errors and misses. I now do my development directly in /var/db/repos as root whenever I need to.
The perks of using a regular user without making it effectively root by adding it to the portage group are manually downloading distfiles as root as well as manually copying ebuilds, manifests and whatnot, or pushing to GitHub first and then syncing. This opens space for mistakes and errors.
Better do it as root directly in your repo and push to GitHub from there. Also set `auto-sync = no` for it so that eix/emerge/emaint don't sync it unnecessarily. And also keep the repo config in a separate file so that eselect-repository doesn't mess with it.
Best Regards,
Georgi
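The repository layout and the separate repos.conf fragment with `auto-sync = no` that the two replies above describe, as an added example that is not part of the thread and not a Gentoo-supplied script. It assumes the Portage defaults (repos.conf fragments under /etc/portage/repos.conf, a repo named gentoooverlay under $HOME); the function names, the `--setup` flag and the "readable by the portage user" check are this example's own. The check matters when the overlay lives in a home directory: with userpriv the build phases run as the portage user, which has to traverse every directory down to the ebuild's files, and a 0700 home directory blocks that.

```shell
#!/bin/sh
# Added example (not from the thread): lay out a minimal ebuild repository
# and a dedicated repos.conf fragment with auto-sync disabled.
# Assumptions: defaults below are illustrative, override via arguments.

set -eu

# make_repo_skeleton NAME DIR
# Creates the files Portage needs to recognise DIR as the repository NAME.
make_repo_skeleton() {
    name=$1; dir=$2
    mkdir -p "$dir/metadata" "$dir/profiles"
    printf '%s\n' "$name" > "$dir/profiles/repo_name"
    # masters = gentoo lets ebuilds here use eclasses from ::gentoo.
    printf 'masters = gentoo\n' > "$dir/metadata/layout.conf"
}

# repo_skeleton_ok DIR NAME -> 0 when repo_name and layout.conf are in place
repo_skeleton_ok() {
    [ "$(cat "$1/profiles/repo_name" 2>/dev/null)" = "$2" ] &&
        grep -q '^masters = gentoo' "$1/metadata/layout.conf"
}

# write_repo_conf NAME DIR CONFDIR
# Writes CONFDIR/NAME.conf. A file of its own keeps eselect-repository from
# rewriting a shared repos.conf; auto-sync = no keeps emerge --sync and
# emaint sync away from a repo that is edited locally and never pulled.
write_repo_conf() {
    name=$1; dir=$2; confdir=$3
    mkdir -p "$confdir"
    cat > "$confdir/$name.conf" <<EOF
[$name]
location = $dir
auto-sync = no
EOF
}

# repo_conf_ok CONFDIR NAME -> 0 when the fragment names NAME and disables sync
repo_conf_ok() {
    f="$1/$2.conf"
    [ -f "$f" ] && grep -qx "\[$2\]" "$f" && grep -Eqx 'auto-sync *= *no' "$f"
}

# path_readable_by_others DIR [TOP]
# Walks from DIR up to (not including) TOP, default "/", and fails at the
# first component that does not grant r-x to "others". Group membership is
# deliberately not counted: the portage user is not in your login group.
path_readable_by_others() {
    d=$1; top=${2:-/}
    while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
        others=$(ls -ld "$d" | cut -c8-10)
        case $others in
            r?x) ;;
            *) echo "not traversable by others: $d" >&2; return 1 ;;
        esac
        d=$(dirname "$d")
    done
    return 0
}

# Usage: sh overlay-setup.sh --setup [NAME [DIR [CONFDIR]]]
# The skeleton is a user job; writing under /etc/portage needs root.
if [ "${1:-}" = "--setup" ]; then
    name=${2:-gentoooverlay}
    dir=${3:-$HOME/$name}
    confdir=${4:-/etc/portage/repos.conf}
    make_repo_skeleton "$name" "$dir"
    path_readable_by_others "$dir" ||
        echo "warning: the portage user cannot reach $dir; fix directory modes" >&2
    write_repo_conf "$name" "$dir" "$confdir"
    echo "next: run 'pkgdev manifest' and 'pkgcheck scan' in $dir, then emerge as root"
fi
```

Run the skeleton part as the user and only the repos.conf step as root; `pkgdev manifest` and `pkgcheck scan` (the tools the question names) then work inside the overlay without any group membership, since they only touch the repo itself.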
fedeliallalinea (Administrator)
Joined: 08 Mar 2003 Posts: 31525 Location: here
Posted: Fri Mar 07, 2025 9:02 am

logrusx wrote:
    Not a good idea. This is effectively making your user root.
Why?
_________________
Questions are guaranteed in life; Answers aren't.
logrusx (Advocate)
Joined: 22 Feb 2018 Posts: 2812
Posted: Fri Mar 07, 2025 9:42 am

fedeliallalinea wrote:
    logrusx wrote:
        Not a good idea. This is effectively making your user root.
    Why?
I don't exactly know. I've seen more knowledgeable folks I trust recommend against it. It was one of the devs, but I don't remember who.
Best Regards,
Georgi
fedeliallalinea (Administrator)
Joined: 08 Mar 2003 Posts: 31525 Location: here
Posted: Fri Mar 07, 2025 10:02 am

logrusx wrote:
    I don't exactly know. I've seen more knowledgeable folks I trust recommend against it. It was one of the devs, but I don't remember who.
These are the files/directories with write access with the portage group:
Code:
    # find / -group portage -perm -g+w -not -path "/home/*"
    /tmp/portage
    /var/tmp/portage
    /var/cache/eix/*
    /var/cache/edb/dep/{var,home}
    /var/cache/distfiles/*
    /var/log/sandbox
    /var/log/emerge.log
    /var/log/emerge-fetch.log
    /var/log/portage
    /var/log/portage/elog
    /var/log/portage/elog/summary.log
    /var/lib/gentoo/news
    /var/lib/gentoo/news/news-gentoo.unread
    /var/lib/gentoo/news/news-gentoo.skip
    /var/lib/gentoo/news/news-gentoo.read
    /var/lib/pfl
    /var/lib/portage/config
    /var/lib/portage/repo_revisions
    /var/lib/portage/preserved_libs_registry
    /var/lib/portage/home/.wget-hsts
I don't seem to see any critical files, but I could be wrong due to my lack of familiarity with Portage. However, it seems excessive to me to say that it is equivalent to having root privileges.
_________________
Questions are guaranteed in life; Answers aren't.
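The find command above lists what the group can write but not which of those paths matter. The script below, an added example that is not part of the thread, runs the same audit against a root directory (so it can be pointed at a chroot or at a constructed tree) and sorts each entry by whether a root-run emerge consumes it: fetched sources in DISTDIR, and the build, temp and image trees under PORTAGE_TMPDIR that the install phases use and merge into / as root. Distfiles are at least checked against the Manifest in the repository before use, but the author of a local overlay writes those Manifests, so the check does not protect against the overlay's own owner. The prefixes assume the Portage defaults (/var/cache/distfiles, /var/tmp/portage); the function names and the `--audit` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list what a group may modify under
# ROOT and flag the entries that emerge, running as root, reads or merges.
# Assumption: DISTDIR and PORTAGE_TMPDIR are at the Portage defaults;
# edit RISKY_PREFIXES to match make.conf.

set -eu

RISKY_PREFIXES="/var/cache/distfiles /var/tmp/portage /tmp/portage"

# strip_root ROOT PATH -> PATH relative to ROOT, leading slash kept
strip_root() {
    root=${1%/}
    printf '%s\n' "${2#"$root"}"
}

# group_writable ROOT GROUP
# Every file or directory under ROOT owned by GROUP with the group-write
# bit (-perm -020) set, skipping home directories like the post's command.
group_writable() {
    root=${1%/}
    find "${root:-/}" -group "$2" -perm -020 ! -path "$root/home/*" 2>/dev/null | sort
}

# classify REL_PATH -> "risky" or "other"
# risky: under a prefix whose content a root-run emerge consumes (sources,
# build and image trees). other: logs, news, caches and similar state.
classify() {
    for p in $RISKY_PREFIXES; do
        case $1 in
            "$p"|"$p"/*) echo risky; return 0 ;;
        esac
    done
    echo other
}

# audit ROOT GROUP -> one "risky <path>" or "other <path>" line per entry
audit() {
    group_writable "$1" "$2" | while IFS= read -r path; do
        rel=$(strip_root "$1" "$path")
        printf '%s %s\n' "$(classify "$rel")" "$path"
    done
}

# count_risky ROOT GROUP -> prints how many entries were flagged risky
count_risky() {
    audit "$1" "$2" | grep -c '^risky ' || true
}

# Usage: sh portage-group-audit.sh --audit [ROOT [GROUP]]
if [ "${1:-}" = "--audit" ]; then
    root=${2:-/}; group=${3:-portage}
    audit "$root" "$group"
    echo "risky entries: $(count_risky "$root" "$group")"
fi
```

On a live system run it as root so that find can descend everywhere; a non-empty risky count is the concrete version of the "opening to inject code" raised later in the thread, and an empty one means group membership buys the user little beyond log and cache access.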
logrusx (Advocate)
Joined: 22 Feb 2018 Posts: 2812
Posted: Fri Mar 07, 2025 10:19 am

OK, I tried to search in my IRC logs but I didn't find it there. I might have read it in the wiki or misunderstood it. I only remember it was recommended against, but why exactly, I don't know and I can't check. I remember because I think I was the one asking that question, or at least I found the idea useful but gave it up because of that recommendation.
Best Regards,
Georgi
fedeliallalinea (Administrator)
Joined: 08 Mar 2003 Posts: 31525 Location: here
Posted: Fri Mar 07, 2025 10:45 am

Yes, I don't want to doubt your statement; as I said, I don't know portage that well and I could (surely) be wrong.
Maybe some developer can provide more correct information.
_________________
Questions are guaranteed in life; Answers aren't.
szatox (Advocate)
Joined: 27 Aug 2013 Posts: 3544
Posted: Fri Mar 07, 2025 11:16 am

fedeliallalinea wrote:
    logrusx wrote:
        Not a good idea. This is effectively making your user root.
    Why?
Because it creates an opening which lets you inject code into the system.
However, if someone was able to exploit it, it would mean he already has access to my data, which is IMO a much bigger problem, so I wouldn't lose any sleep over this.
_________________
Make Computing Fun Again
fedeliallalinea (Administrator)
Joined: 08 Mar 2003 Posts: 31525 Location: here
Posted: Fri Mar 07, 2025 12:11 pm

szatox wrote:
    Because it creates an opening which lets you inject code into the system.
    However, if someone was able to exploit it, it would mean he already has access to my data, which is IMO a much bigger problem, so I wouldn't lose any sleep over this.
But what difference does it make to have or not have the portage group if someone has already hacked my account?
Also if you have sudo or doas installed with permissions to perform root actions...
_________________
Questions are guaranteed in life; Answers aren't.
logrusx (Advocate)
Joined: 22 Feb 2018 Posts: 2812
Posted: Fri Mar 07, 2025 12:38 pm

fedeliallalinea wrote:
    szatox wrote:
        Because it creates an opening which lets you inject code into the system.
        However, if someone was able to exploit it, it would mean he already has access to my data, which is IMO a much bigger problem, so I wouldn't lose any sleep over this.
    But what difference does it make to have or not have the portage group if someone has already hacked my account?
    Also if you have sudo or doas installed with permissions to perform root actions...
Exactly my thoughts when they told me not to do that, but I abandoned them as this is an inherently wrong way to think about security.
Best Regards,
Georgi
Last edited by logrusx on Fri Mar 07, 2025 3:54 pm; edited 1 time in total
szatox (Advocate)
Joined: 27 Aug 2013 Posts: 3544
Posted: Fri Mar 07, 2025 3:43 pm

I guess it would be more of a problem on a multiuser machine, where having good separation between users allows you to contain damage in case one user gets compromised (or goes rogue).
It kinda takes me back to my time as a junior backup operator for a massive corporation.... Windows admins were unable to access the important data due to restrictions applied by GPO, while I, not having any Windows account at all, had the buttons needed to initiate a server-side backup from, and restore to, all those machines... And also execute an arbitrary program as part of that backup job.
Only the cleaning staff had a greater clearance. I bet none of the highly paranoid executives realized either of those.
_________________
Make Computing Fun Again