
Bug 516616

Summary: [Future EAPI] 'esudo' to limit the scope of raised privileges
Product: Gentoo Hosted Projects
Reporter: Michał Górny <mgorny>
Component: PMS/EAPI
Assignee: PMS/EAPI <pms>
Status: CONFIRMED
Severity: enhancement
CC: esigra
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=516614
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 174380

Description: Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2014-07-07 14:18:56 UTC
Right now, whenever we need superuser privileges, we usually raise them for the scope of the whole phase function (pkg_*) or ebuild (RESTRICT=userpriv). Usually this is unnecessary and sometimes it is much undesired.

So my idea is to run all phases with the build user privileges, and provide a new 'esudo' helper that would elevate privileges for a command/function call. Of course, this will require some fancy hackery to allow raising privileges. Commands called by ebuilds may be potentially capable of abusing this -- but well, the goal is to catch mistakes and not malice.

Usage could be like:

  esudo [-u USER] [-g GROUP] [-G SUPPL_GROUPS] [-c CAPS] COMMAND...

where specifically:

1. -u sets EUID to given user, and EGID matching passwd,

2. -g sets EGID to given group, possibly overriding (1),

3. -G sets list of supplementary groups,

4. -c tries to enable given capabilities. If capabilities are not supported, forces superuser instead,

5. If no options are passed, defaults to gaining superuser privileges.


I'm not sure how far this should go. It would be definitely better than e.g. RESTRICT=userpriv for the whole ebuild, and cleaner than trying to invent special variable syntax to limit it to phases.

It may add unnecessary complexity in pkg_* phases. On the other hand, very often those phases either just output something (which doesn't need elevated privileges) or call eclass functions (where we could just put our 'esudo' inside).
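The following is an added illustration of the proposal above, not code from the bug report or from any Gentoo tool: a POSIX sh front end that maps the proposed -u/-g/-G/-c options onto util-linux setpriv(1), including the rule-4 fallback to full superuser when capabilities are unavailable. ESUDO_RAISE (the privileged bridge the package manager would have to supply, assumed here to be a non-interactive sudo prefix), ESUDO_DRY_RUN and ESUDO_CAPS_OK are assumed names introduced for the example.

```shell
#!/bin/sh
# Added illustration, not code from the bug report or from any Gentoo tool:
# an esudo front end that maps the proposed -u/-g/-G/-c options onto
# util-linux setpriv(1). ESUDO_RAISE is the hypothetical privileged bridge
# the package manager would have to supply (assumed here: a non-interactive
# sudo rule). ESUDO_DRY_RUN=1 prints the command instead of running it;
# ESUDO_CAPS_OK overrides the capability probe. All three are assumptions.

# Probe whether the local setpriv knows ambient capabilities.
esudo_caps_supported() {
    case "${ESUDO_CAPS_OK:-}" in
        1) return 0 ;;
        0) return 1 ;;
    esac
    setpriv --help 2>/dev/null | grep -q -- '--ambient-caps'
}

# Run (or, in dry-run mode, print one argument per line) the final command.
esudo_run() {
    if [ -n "${ESUDO_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
    else
        # ESUDO_RAISE is a command prefix, so word splitting is intended.
        ${ESUDO_RAISE:-sudo -n --} "$@"
    fi
}

# esudo [-u USER] [-g GROUP] [-G SUPPL_GROUPS] [-c CAPS] [--] COMMAND...
esudo() {
    local user='' group='' suppl='' caps='' gid='' groups_opt='' capset='' opt
    OPTIND=1
    while getopts 'u:g:G:c:' opt; do
        case "$opt" in
            u) user=$OPTARG ;;
            g) group=$OPTARG ;;
            G) suppl=$OPTARG ;;
            c) caps=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ "$#" -eq 0 ]; then
        echo 'esudo: no command given' >&2
        return 2
    fi

    # Rule 4, fallback half: without capability support the request
    # degrades to full superuser, so every narrowing option is dropped.
    if [ -n "$caps" ] && ! esudo_caps_supported; then
        caps='' user='' group='' suppl=''
    fi
    # Rule 4, normal half: capabilities are added to the build user unless
    # -u names someone else, so -c alone never implies running as root.
    if [ -n "$caps" ] && [ -z "$user" ]; then
        user=$(id -un)
    fi
    # Rule 5: nothing narrows the request, so it goes straight through the
    # bridge as root without setpriv.
    if [ -z "$user$group$suppl" ]; then
        esudo_run "$@"
        return
    fi

    # Rules 1 and 2: -u takes the passwd GID; -g overrides it.
    if [ -n "$group" ]; then
        gid=$group
    elif [ -n "$user" ]; then
        gid=$(id -g "$user") || return 2
    fi
    # Rule 3, and setpriv's requirement that an identity change say what
    # happens to the supplementary groups.
    if [ -n "$suppl" ]; then
        groups_opt="--groups=$suppl"
    elif [ -n "$user" ]; then
        groups_opt=--init-groups
    else
        groups_opt=--keep-groups
    fi

    # Build the argument vector back to front with set --, POSIX-sh style.
    set -- -- "$@"
    if [ -n "$caps" ]; then
        # setpriv wants "+name" per capability; -c takes a comma list.
        capset=$(printf '%s' "$caps" | sed 's/^/+/; s/,/,+/g')
        set -- "--inh-caps=$capset" "--ambient-caps=$capset" "$@"
    fi
    set -- "$groups_opt" "$@"
    [ -z "$gid" ] || set -- "--regid=$gid" "$@"
    [ -z "$user" ] || set -- "--reuid=$user" "$@"
    esudo_run setpriv "$@"
}
```

The design point this shows is that the narrowing happens before any privilege is used: the bridge only ever launches setpriv with an explicit target identity, so a phase that needs, say, one capability for one command never runs the rest of its work as root. With ESUDO_DRY_RUN=1 the function prints the setpriv invocation it would hand to the bridge, which is how the option rules can be checked without a privileged bridge at all.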