Hi! If pfl is started as root (e.g. via a cron job), it should drop privileges, since the portage db is accessible by an unprivileged user and pfl does network interaction, which imposes sufficient security risk. P.S. I locally start it as an unprivileged user, but it will be nice to have this functionality implemented properly and by default for all users.
Hi, thanks for the report. The cron job in /etc/cron.weekly must run as root. However, it should be possible to drop the privileges. From my research there are multiple possibilities. I suggest using setpriv from util-linux to drop the privileges and run as portage:portage. Maybe there are better ways; I am open to suggestions. @Daniel: This also requires changes in the pfl upload script, as it checks if the current user is root. If yes, it writes the pfl version and the last upload time to pfl.info in /var/lib/pfl/; if not, to the current user's home directory. So this test needs to check for the user portage instead of root. I am planning to create a new version (3.0.1) including these changes along with other fixes for e-file fixing #684346 and #674120. Also, the ebuild needs to be changed to fix the initial permissions of /var/lib/pfl/pfl.info.
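The setpriv approach proposed in the comment above, sketched as a cron wrapper. This is an added example, not the attached patch or the pfl project's own script; the uploader path `/usr/bin/pfl`, the wrapper name `pfl-cron` and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not the pfl cron script or the attached patch.
# Assumed names: /usr/bin/pfl as the uploader, pfl-cron as this file's name.
RUN_USER=portage
RUN_GROUP=portage
UPLOADER=/usr/bin/pfl

# Print the setpriv prefix for a caller with numeric uid $1 (empty if not root).
priv_prefix() {
    if [ "$1" -eq 0 ]; then
        # --reuid/--regid change real and effective ids; --init-groups swaps
        # root's supplementary groups for the target user's; --no-new-privs
        # keeps setuid binaries from raising privileges again.
        printf 'setpriv --reuid=%s --regid=%s --init-groups --no-new-privs\n' \
            "$RUN_USER" "$RUN_GROUP"
    fi
}

# Directory for pfl.info given user name $1 and home directory $2: the check
# from the thread, keyed on portage instead of root.
info_dir_for() {
    if [ "$1" = "$RUN_USER" ]; then
        printf '/var/lib/pfl\n'
    else
        printf '%s\n' "$2"
    fi
}

main() {
    uid=$(id -u)
    if [ "$uid" -eq 0 ] && ! command -v setpriv >/dev/null 2>&1; then
        # Fail closed: never fall back to running the uploader as root.
        echo "setpriv not found, refusing to run $UPLOADER as root" >&2
        return 1
    fi
    # Unquoted on purpose: the prefix splits into words, none contain spaces.
    # shellcheck disable=SC2046
    exec $(priv_prefix "$uid") "$UPLOADER"
}

# Run only when installed under the assumed name, so sourcing has no effect.
case "${0##*/}" in
    pfl-cron) main ;;
esac
```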
Created attachment 580546: Changes required for running the cron job as user portage
Created attachment 580548: Necessary ebuild changes
Fixed in Git with pfl-3.0.1. @Daniel: The tarball for 3.0.1 is available here: https://dev.gentoo.org/~billie/distfiles/pfl-3.0.1.tar.bz2