From b2f543f9b3815ac8e7d7f53ab387ce51f4b8311e Mon Sep 17 00:00:00 2001
From: Mike Gilbert
Date: Mon, 9 Oct 2023 16:46:31 -0400
Subject: [PATCH] man/make.conf.5: note locations with trust issues
To: gentoo-portage-dev@lists.gentoo.org

Bug: https://bugs.gentoo.org/915330
Signed-off-by: Mike Gilbert
---
 man/make.conf.5 | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/man/make.conf.5 b/man/make.conf.5
index 25893c424..045882a17 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -207,21 +207,23 @@ Defaults to "/etc/portage/gnupg" .br .TP .B CBUILD This variable is passed by the \fIebuild scripts\fR to the \fIconfigure\fR as \fI\-\-build=${CBUILD}\fR only if it is defined. Do not set this yourself unless you know what you are doing. .TP \fBCCACHE_DIR\fR = \fI[path]\fR Defines the location of the ccache working directory. See the \fBccache\fR(1) man page for more information.
-.br
+
+Only trusted users should be granted write access to this location.
+
 Defaults to /var/tmp/ccache .TP \fBCCACHE_SIZE\fR = \fI"size"\fR This controls the space use limitations for ccache. See the \fI\-M\fR flag in the \fBccache\fR(1) man page for more information. .TP .B CFLAGS CXXFLAGS Use these variables to set the desired optimization/CPU instruction settings for applications that you compile. These two variables are passed to the C and C++ compilers, respectively. (CXX is used to refer to the C++ compiler
@@ -275,20 +277,22 @@ of \fBemerge\fR(1) for more information. This variable is passed by the \fIebuild scripts\fR to the \fIconfigure\fR as \fI\-\-target=${CTARGET}\fR only if it is defined. .TP \fBDISTDIR\fR = \fI[path]\fR Defines the location of your local source file repository. After packages are built, it is safe to remove any and all files from this directory since they will be automatically fetched on demand for a given build. If you would like to selectively prune obsolete files from this directory, see \fBeclean\fR(1) from the gentoolkit package.
+Only trusted users should be granted write access to this location.
+
 Use the \fBPORTAGE_RO_DISTDIRS\fR variable to specify one or more read-only directories containing distfiles. .br Defaults to /var/cache/distfiles. .TP .B DOC_SYMLINKS_DIR If this variable contains a directory then symlinks to html documentation will be installed into it. .TP .B EBEEP_IGNORE
@@ -949,21 +953,23 @@ of \fBNO_COLOR\fR. Defaults to false. .TP \fBPKGDIR\fR = \fI[path]\fR Defines the location where created .tbz2 or .gpkg binary packages will be stored when the \fBemerge\fR(1) \fB\-\-buildpkg\fR option is enabled. By default, a given package is stored in a subdirectory corresponding to its category. However, for backward compatibility with the layout used by older versions of portage, if the \fI${PKGDIR}/All\fR directory exists then all packages will be stored inside of it and symlinks to the packages will be created in the category subdirectories.
-.br
+
+Only trusted users should be granted write access to this location.
+
 Defaults to /var/cache/binpkgs. .TP .B PORT_LOGDIR See \fIPORTAGE_LOGDIR\fR below. Deprecated. .TP .B PORT_LOGDIR_CLEAN See \fIPORTAGE_LOGDIR_CLEAN\fR below. Deprecated. .TP \fBPORTAGE_BINHOST\fR = \fI[space delimited URI list]\fR This is a list of hosts from which portage will grab prebuilt\-binary packages.
@@ -1198,21 +1204,23 @@ quotes must be escaped in make.conf settings). Defaults to no value. .TP \fBPORTAGE_SYNC_STALE\fR = \fI[NUMBER]\fR Defines the number of days after the last `emerge \-\-sync` that a warning message should be produced. A value of 0 will disable warnings. .br Defaults to 30. .TP \fBPORTAGE_TMPDIR\fR = \fI[path]\fR Defines the location of the temporary build directories.
-.br
+
+Only trusted users should be granted write access to ${PORTAGE_TMPDIR}/portage.
+
 Defaults to /var/tmp. This should not be set to point anywhere under location of any repository. .TP \fBPORTAGE_TRUST_HELPER\fR = \fI[path]\fR Defines an executable file which initializes and maintains /etc/portage/gnupg, installing keys that are trusted for binary package signing, and refreshing these keys from a key server. This helper is called before all operations involving remote binary packages if and only if binpkg-request-signature is in \fBFEATURES\fR.
-- 
2.42.0