| Field | Value |
|---|---|
| Summary | [Future EAPI] support enforcing supplementary groups instead of RESTRICT=userpriv |
| Product | Gentoo Hosted Projects |
| Reporter | Michał Górny <mgorny> |
| Component | PMS/EAPI |
| Assignee | PMS/EAPI <pms> |
| Status | CONFIRMED |
| Severity | enhancement |
| CC | esigra, zerochaos |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=516616 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 174380 |
Description
Michał Górny
2014-07-07 14:04:23 UTC
Do not interpret this comment as pro or con, I'm on the fence, but adding information. This needs to roll around in my head a bit, but here is what I've done for cuda/opencl ebuilds. I've added a note in the ebuild on failure that says "please ensure portage is in the video group" and I've used "addwrite" to allow access to the needed device nodes. Perfect? No, but it does work. It might be useful if the "SUPPLEMENTARY_GROUPS" (or w/e) option was able to check if portage was in the group and warn the user they need to add portage to that group. Automatically adding portage to that group is basically as bad as just allowing root in the first place imho.

Just to be clear, it's not supposed to modify passwd. It uses the setgroups() call to set groups 'seen' by the process.

SUPPLEMENTARY_GROUPS=wheel,root would replace the undesired RESTRICT=userpriv and we are back in the same place.

(In reply to Rick Farina (Zero_Chaos) from comment #3)
> SUPPLEMENTARY_GROUPS=wheel,root would replace the undesired
> RESTRICT=userpriv and we are back in the same place.

That wouldn't be equivalent and I don't see why you would do that. So maybe another thing to be clear: I'm not saying 'replace completely'. Just provide a safer alternative where it's possible.

Isn't this overkill, given that there are only 10 packages in the tree with RESTRICT=userpriv (and even fewer are free software)?

(In reply to Ulrich Müller from comment #5)
> Isn't this overkill, given that there are only 10 packages in the tree with
> RESTRICT=userpriv (and even fewer are free software).

Yes and no. There are other things which are broken with slightly crazy workarounds like erroring and asking the user to add portage to video group (that's how I fix a bunch of opencl/cuda issues). This is a nice new feature imho.
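The mechanism the thread argues about, as an added example that is not Portage code or anything attached to this bug: a Python sketch of dropping root to the build user with an explicit supplementary-group set via setgroups(), next to the warn-only membership check described for the current workaround. The SUPPLEMENTARY_GROUPS variable, the refusal of gid 0 and the fake group table are assumptions of the example, not part of any EAPI.

```python
import grp
import os
import pwd
from collections import namedtuple

# Hypothetical ebuild value modelled on this bug's proposal; not an existing EAPI variable.
SUPPLEMENTARY_GROUPS = "video,render"

def parse_group_list(value):
    """Split a comma-separated group list, dropping empty entries."""
    return [g.strip() for g in value.split(",") if g.strip()]

def resolve_gids(names, getgrnam=grp.getgrnam):
    """Map group names to gids. Refusing gid 0 is an assumption of this example:
    a root supplementary group would make the build no safer than RESTRICT=userpriv.
    Unknown groups raise KeyError so the caller reports them instead of silently
    building with fewer groups than the ebuild asked for."""
    gids = []
    for name in names:
        gid = getgrnam(name).gr_gid
        if gid == 0:
            raise ValueError(f"refusing supplementary group {name!r} (gid 0)")
        gids.append(gid)
    return gids

def groups_missing_user(username, names, getgrnam=grp.getgrnam):
    """The warn-only check from the discussion: report which requested groups
    do not list the user in /etc/group. Nothing is modified."""
    return [n for n in names if username not in getgrnam(n).gr_mem]

def drop_to_build_user(username, gids, getpwnam=pwd.getpwnam):
    """Switch the (root) process to the build user with exactly `gids` as its
    supplementary groups. Order matters: setgroups() and setgid() need CAP_SETGID,
    so they must run before setuid() gives it up."""
    pw = getpwnam(username)
    os.setgroups(gids)  # replaces the process's supplementary set; passwd/group untouched
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if (os.getuid(), os.getgid(), set(os.getgroups())) != (pw.pw_uid, pw.pw_gid, set(gids)):
        raise RuntimeError("privilege drop did not take effect")

# Constructed group table so the demo runs without root; real runs use grp/pwd.
FakeGroup = namedtuple("FakeGroup", "gr_name gr_gid gr_mem")
FAKE_GROUPS = {"video": FakeGroup("video", 27, ["portage"]),
               "render": FakeGroup("render", 107, []),
               "root": FakeGroup("root", 0, [])}

if __name__ == "__main__":
    names = parse_group_list(SUPPLEMENTARY_GROUPS)
    print(resolve_gids(names, FAKE_GROUPS.__getitem__), groups_missing_user("portage", names, FAKE_GROUPS.__getitem__))
```

drop_to_build_user() only succeeds when started as root; the other functions run unprivileged against the constructed table.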