3 Comments

  1. nobody says:

    August 23, 2013 at 4:22 pm

    Why not just let it run at full privs? A compromised portage process already has enough privs to own the entire system (and even disable selinux), that allowing it to exec as another user isn’t really that big of a deal.

  2. says:

    August 23, 2013 at 6:37 pm

    Because I would like to use a least privilege concept for the policies. Yes, Portage already has quite a few rights (although load_policy and setenforce aren’t amongst those – but it does have the ability to transition to semanage_t and setfiles_t), but granting “full privs” is not an easy thing to do (unless you count unconfined domains).

    I also believe that emerge –config should work for roles that do not get the portage privileges. Consider a dbadm_r role (database administrator). It would make sense to allow the DBA to run “emerge –config dev-db/postgresql-server” in his own domain (dbadm_t) rather than granting him access to the (possibly higher privileged) portage_t.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>