See steps + results. Also, until #8688 gets fixed, this is a moot point.

Reproducible: Always

Steps to Reproduce:
1. have a user that is in the portage group via /etc/groups
2. run repoman OR portage

Actual Results:

    *** You are not in the portage group. You may experience cache problems
    *** due to permissions preventing the creation of the on-disk cache.
    *** Please add this user to the portage group if you wish to use portage.

Expected Results: Should work.

    Portage 2.0.48_pre2 (default-x86-1.4, gcc-3.2.2, glibc-2.3.2-r1)
    =================================================================
    System uname: 2.4.20-gentoo-r2 i686 AMD Athlon(tm) XP 1800+
    GENTOO_MIRRORS=" ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://csociety-ftp.ecn.purdue.edu/pub/gentoo/ ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
    CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
    PORTDIR="/usr/portage"
    DISTDIR="/usr/portage/distfiles"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR_OVERLAY="/usr/gentoo-cvs/gentoo-x86"
    USE="x86 tcpd -3dfx -alsa -arts -bonobo -canna -cjk -freewnn -gb -gnome -gps -gtk2 -kde -kerberos -leim -libg++ -libgda -matrox -mbox -mule -nas -oci8 -opengl -oss -pcmcia -postgres -voodoo3 -xface -xfs -zero 3dnow X aalib acl acpi activefilter -afs apache2 apm avi berkdb cdr crypt cups curl dga directfb dnd doc dvd encode esd ethereal expat fbcon flash gd gdbm ggi gif gpm gtk gtkhtml guile imap imlib innodb ipv6 java jikes jpeg junit lame lcms ldap libwww maildir mikmod mmx motif mozaccess mozcalendar mozilla mozinterfaceinfo mozp3p mozsvg mozxmlterm mpeg mysql ncurses nls nptl oav odbc oggvorbis pam pcap pdflib perl pic plotutils png pnp python qt quicktime readline ruby samba sasl sdl slang slp snmp socks5 spell sse ssl svga tcltk tetex tiff truetype ungif vscan wmf xml xml2 xmms xv zlib -bonobo -gnome"
    COMPILER="gcc3"
    CHOST="i686-pc-linux-gnu"
    CFLAGS="-mcpu=athlon-xp -march=athlon-xp -O3 -pipe -fomit-frame-pointer"
    CXXFLAGS="-O2 -mcpu=i686 -pipe"
    ACCEPT_KEYWORDS="x86 ~x86"
    MAKEOPTS="-j3"
    AUTOCLEAN="yes"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    FEATURES="digest sandbox ccache buildpkg userpriv usersandbox"
Does the user portage exist?
Yup:

    robbat2@pestilence libmcrypt $ grep portage /etc/passwd
    portage:x:250:250:portage:/var/tmp/portage:/bin/false
    robbat2@pestilence libmcrypt $ grep portage /etc/group
    portage::250:portage,robbat2

This is my up to date development box.
Did you log out and back in after making that change to groups?
I didn't. However, after the box rebooted this morning due to a long power outage, everything seems to work. So I assume something else had read in only the old data. Sorry.
I've seen this same problem, and my system has rebooted since the portage user and group went into effect. Here's some code that illustrates the problem when running as root:

    import os
    os.setgid(250)
    os.setuid(250)
    print os.getgroups()
    print os.getgid()

This outputs (on my system):

    [0, 1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
    250

Note that the current group is 250, but it's not mentioned in the getgroups() list. Adding this line before the os.setuid() call fixes the problem:

    os.setgroups([250])

This outputs the expected:

    [250]
    250

I believe that calling setgroups() is necessary for making sure that all extra privs are dropped when switching from root, and thus should be added to the portage.py library:

    #drop root privileges, become the 'portage' user
    os.setgid(portage_gid)
    os.setgroups([portage_gid]) # <-- new line
    os.setuid(portage_uid)
    os.umask(002)

I did this in my copy, and it got rid of the warning.
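Added example (not part of the comment above and not Portage's own code): a Python 3 sketch of the proposed drop order that clears supplementary groups before setuid() and then verifies the result, plus a helper that flags lingering groups in `id` output. The function names are hypothetical; the sample `id` line is the one posted later in this thread.

```python
import os
import re

# `id` line copied from the test-ebuild output quoted later in this thread.
ID_LINE = ("uid=250(portage) gid=250(portage) groups=0(root),1(bin),2(daemon),"
           "3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),"
           "27(video),250(portage)")

def residual_groups(target_gid, supplementary):
    """Supplementary gids that should have been dropped but were not."""
    return sorted(g for g in set(supplementary) if g != target_gid)

def groups_from_id_output(line):
    """Extract numeric gids from the groups= field of `id` output."""
    m = re.search(r"groups=(\S+)", line)
    if not m:
        return []
    return [int(re.match(r"\d+", part).group()) for part in m.group(1).split(",")]

def drop_privileges(uid, gid):
    """Permanently switch from root to uid/gid (hypothetical helper)."""
    if os.geteuid() != 0:
        raise PermissionError("must be root to change identity")
    if uid == 0:
        raise ValueError("target uid must not be root")
    os.setgroups([gid])  # clear inherited groups while still privileged
    os.setgid(gid)
    os.setuid(uid)       # last: group calls are refused after this
    # Verify rather than assume, and fail closed if anything lingered.
    leftover = residual_groups(gid, os.getgroups())
    if leftover or os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop incomplete: %r" % (leftover,))
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("root could be regained after the drop")

if __name__ == "__main__":
    # Groups still attached to the portage uid in the quoted output.
    print(residual_groups(250, groups_from_id_output(ID_LINE)))
```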
Note also that the reason you may not have seen the error is that it only affects a very small number of ebuilds. Most ebuilds start the portage.py script as root, it switches over to the portage user (since we're only talking about the "userpriv" mode), which means that the getgroups() call does not come into play at all. However, some ebuilds run a command in their compile section that re-invokes the portage.py script, and if this happens, the aforementioned erroneous error occurs. For example, the mod_php ebuild (4.3.2) runs the "has_version" command. It is this command that will generate the error when it is run in the not-quite complete state that the current portage.py script leaves things. Just adding the os.setgroups() call I mentioned in comment #5 fixes things right up.
Should I assume from the fact that this bug hasn't been reopened that you would prefer for me to file a new bug report rather than piggybacking on this one? I'd be glad to do that, if you like.
Wayne: it wouldn't hurt to re-open it, but carpaski's been busy lately AFAIK.
I just got hit by this as well. When doing 'emerge subversion' to install the 0.24.1 version I get this message between unpacking the subversion source and the berkdb source that subversion depends on. It continues to emerge and will report the message a couple of times again. So this should be reopened, no?
I'd appreciate it if a bug wrangler would reopen this bug (you guys can do that, right?) so that it will appear on Nick's list of things that need to be fixed. Thanks.
Wayne Davison: in your /etc/group file, add the portage user to the portage group, and see if you can still produce this error.
Well that is why this should be reopened, Robin Johnson. Because I have (I guess everybody experiencing this bug has) a group id portage with 250 in /etc/group and also a user portage. Yet this still appears from time to time. It never caused the emerge to fail, but it is nevertheless a bug. So please reopen this.
    $ grep portage /etc/group
    portage::250:portage,alexf
    $ grep portage /etc/passwd
    portage:x:250:250:portage:/var/tmp/portage:/bin/false
Yes, Robin, as my earlier comments detailed, I have the right user and group in my setup. I also fully analyzed the exact reason for the problem, why it is hard to reproduce (since it affects so few ebuilds), how the current state is a minor security problem (since it leaves the portage user with too many group permissions when switching from root), and how to add a single line to the portage.py library file to fix it. If someone would care to add that one line to portage.py (the os.setgroups([250]) call) and mark this bug as fixed, that would be even better, but this bug should at least be marked as open until that happens. Since it's been over a month now without anything changing in this bug's status, I will fall back to starting a new bug report if there continues to be no response to this one.
Wayne Davison: please include your current 'emerge info' output as well as the output of 'id portage'. Also, tell me the name of the package that you still see this issue happening in. I still can't reproduce it, with the subversion ebuild that you mentioned previously. I will only re-open it when I can personally confirm the problem due to how busy carpaski is.
Looking at the subversion ebuild (which "alex f" mentioned), I see that it only calls "has_version" if the berkdb USE flag is set, so I assume that either (1) you didn't have berkdb set, or (2) you don't have userpriv in your FEATURES. With userpriv set, you should see the erroneous warning with this command:

    USE=berkdb ebuild subversion-0.24.2-r1.ebuild unpack

It will complain again during the "compile" phase of the ebuild, as well. I would also like to stress that the current code in portage.py leaves 11 extra groups authorized for the portage user when it should drop everything but the portage user, so check out comment #5 where I distill the code in portage.py, how it is malfunctioning, and how to fix it.

    # id portage
    uid=250(portage) gid=250(portage) groups=250(portage)

    # emerge info
    Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
    =================================================================
    System uname: 2.4.21 i686 Pentium III (Coppermine)
    GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://www.ibiblio.org/pub/Linux/distributions/gentoo"
    CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
    PORTDIR="/usr/portage"
    DISTDIR="/usr/portage/distfiles"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/big/tmp"
    PORTDIR_OVERLAY="/usr/local/portage"
    USE="x86 oss apm avi crypt cups encode gif jpeg libg++ mad mikmod mmx mpeg ncurses nls pdflib png quicktime spell truetype xml2 xmms xv zlib alsa gdbm berkdb readline arts svga tcltk java X sdl gpm tcpd pam libwww ssl perl python esd imlib oggvorbis qt kde motif opengl apache2 dvd imap maildir samba sasl sse tiff usb -3dnow -slang -gnome -gtk"
    COMPILER="gcc3"
    CHOST="i686-pc-linux-gnu"
    CFLAGS="-O2 -mcpu=i686 -pipe"
    CXXFLAGS="-O2 -mcpu=i686 -pipe"
    ACCEPT_KEYWORDS="x86"
    MAKEOPTS="-j3"
    AUTOCLEAN="yes"
    SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
    FEATURES="sandbox ccache userpriv"
I do run with userpriv, but not berkdb. Using the very latest portage-2.0.48-r3 (currently hardmasked still).

    FEATURES="userpriv usersandbox sandbox" emerge userprivtest

Here is a test ebuild (userprivtest-0.01.ebuild):

--- START EBUILD ---
SLOT="0"
KEYWORDS="~x86"
src_unpack() {
	einfo "Nothing to unpack"
}
src_compile() {
	einfo "ID output: `id`"
	has_version '=sys-libs/db-4*' || i='not '
	einfo "DB4 ${i}detected"
}
src_install() {
	eerror "Not installing anything"
	die "Not installing anything"
}
--- END EBUILD ---

I get this output:

    Calculating dependencies ...done!
    >>> emerge (1 of 1) app-misc/userprivtest-0.01 to /
    >>> Unpacking source...
     * Nothing to unpack
    >>> Source unpacked.
     * ID output: uid=250(portage) gid=250(portage) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video),250(portage)
     * DB4 not detected
    >>> Install userprivtest-0.01 into /var/tmp/portage/userprivtest-0.01/image/ category app-misc
     * Not installing anything

    !!! ERROR: app-misc/userprivtest-0.01 failed.
    !!! Function src_install, Line 13, Exitcode 0
    !!! Not installing anything

Note that I do NOT get the warning anymore, but I do still note that there are too many permissions. I'm now re-opening this for carpaski.
Thanks for the re-open, Robin. I note that the reason you don't see the error appears to be that root has been explicitly put into the portage group on your system, so the lingering of all of root's groups now includes group 250. I assume that this is caused by adding ",root" onto the portage line in /etc/group? Mine just looks like this:

    portage::250:portage

This is the way the line appears in the distributed group file, so I just left it alone.

FIX ADDENDUM: I note that a new file, pym/utils.py in portage-2.0.48-r3, has the same "droppriv" code as portage.py, so it will also need the fix of adding os.setgroups([portage_gid]) prior to the os.setuid(portage_uid) call.
Wayne: yes, I have root and my development user in the portage group. If I remove them, then I do get the error:

    *** You are not in the portage group. You may experience cache problems
    *** due to permissions preventing the creation of the on-disk cache.
    *** Please add this user to the portage group if you wish to use portage.
Updated for >=2.0.49_pre9.

utils.py wasn't supposed to be deployed. It's going to be parts of portage.py, not the whole thing.