| Summary: | persistent administrative override of file and directory permissions (like dpkg-statoverride) | | |
|---|---|---|---|
| Product: | Gentoo Hosted Projects | Reporter: | Zac Medico <zmedico> |
| Component: | PMS/EAPI | Assignee: | Package Manager Specification <pms> |
| Status: | CONFIRMED | | |
| Severity: | normal | CC: | blueness, gabifalk, mk, mrueg |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://www.debian.org/doc/debian-policy/ch-files.html#s10.9.1 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=607430, https://bugs.gentoo.org/show_bug.cgi?id=654138 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 193766 | | |
Description
Zac Medico

*** Bug 141619 has been marked as a duplicate of this bug. ***

*** Bug 151778 has been marked as a duplicate of this bug. ***

I think that this bug's importance should be raised. Consider, for instance, net-misc/tor:

```bash
pkg_setup() {
    enewgroup tor
    enewuser tor -1 -1 /var/lib/tor tor
}

src_install() {
    # ...
    fperms 750 /var/lib/tor
    fowners tor:tor /var/lib/tor
    # ...
}
```

The intent is clearly that /var/lib/tor is only readable by user "tor". However:

```
drwxr-xr-x 2 tor root 88 Jun 16 01:07 /var/lib/tor
```

Specifically for net-misc/tor, this is not a serious issue (the Tor daemon apparently sets umask to 077 for new files and directories), but it might be for other packages. I had to resolve to, e.g.:

```bash
pkg_setup() {
    enewgroup i2p
    enewuser i2p -1 -1 /var/lib/i2p i2p
    rmdir /var/lib/i2p 2>/dev/null || :
}
```

in order to enforce directory permissions for a similar package.

(In reply to comment #3)

i don't really understand your example. if /var/lib/tor doesn't exist, then when the dir gets merged, it'll start with 750 perms. how did it get 755?

also, be aware that you cannot rely on the tree state that an ebuild sets up in /var/{lib,cache,run} since that might get removed manually by an admin. so init.d scripts have to use `checkpath` to make sure they're available.

(In reply to comment #4)
> i don't really understand your example. if /var/lib/tor doesn't exist, then
> when the dir gets merged, it'll start with 750 perms. how did it get 755 ?

But /var/lib/tor already exists before src_install() -- it is created by enewuser in pkg_setup().

> also, be aware that you cannot rely on the tree state that an ebuild sets up
> in /var/{lib,cache,run} since that might get removed manually by an admin.
> so init.d scripts have to use `checkpath` to make sure they're available.

I am aware of /var/run (filed a few bugs for bug #332633 myself), and the /var/cache case is kind of obvious, but /var/lib? It seems to me that if one starts arbitrarily removing stuff in /var/lib in Gentoo, the system will break...
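The mechanism the summary asks for, sketched as an added example that is not Portage, PMS or dpkg code: a small "statoverride"-style table of administrator-chosen directory modes that is re-applied after a merge, reproduced against the tor sequence from the thread (enewuser creates the home directory with 755, the later fperms 750 is lost because the directory already exists). The table format, the helper names and the scratch tree are assumptions of this example; only chmod is used so it runs unprivileged, and ownership is left to the package manager.

```bash
#!/bin/sh
# Added example (constructed), not Portage/dpkg code: a minimal persistent
# override table for directory modes, re-applied after a package merge.
# Table format (constructed): one "<octal-mode> <path>" per line, '#' comments.

# has_mode MODE PATH: true if PATH has exactly MODE (POSIX find -perm, exact).
has_mode() {
    [ -n "$(find "$2" -prune -perm "$1" 2>/dev/null)" ]
}

# apply_overrides ROOT TABLE: chmod each listed directory under ROOT whose
# mode drifted from the table; prints how many were corrected.
apply_overrides() {
    root="$1" table="$2" fixed=0
    while IFS=' ' read -r mode path; do
        case "$mode" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        target="$root$path"
        [ -d "$target" ] || continue                # entry not on disk: skip
        if ! has_mode "$mode" "$target"; then
            chmod "$mode" "$target"
            fixed=$((fixed + 1))
        fi
    done < "$table"
    echo "$fixed"
}

# demo_tor_case: replay the report in a scratch tree. The enewuser-style
# home creation leaves 755, the merge does not touch an existing directory,
# and the override restores 750. Prints "<before>-><after> fixed=<n>".
demo_tor_case() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/var/lib/tor" && chmod 755 "$scratch/var/lib/tor"
    printf '# mode path\n750 /var/lib/tor\n' > "$scratch/overrides"
    before=$(has_mode 755 "$scratch/var/lib/tor" && echo 755 || echo other)
    n=$(apply_overrides "$scratch" "$scratch/overrides")
    after=$(has_mode 750 "$scratch/var/lib/tor" && echo 750 || echo other)
    rm -rf "$scratch"
    echo "$before->$after fixed=$n"
}
```

Running `demo_tor_case` prints `755->750 fixed=1`; a second pass over the same table reports zero corrections, which is the idempotence an override store needs when it is re-applied on every merge.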