Bug 777393

Summary:	[Feature Request] sys-apps/portage: Make env-update execute post-update scripts
Product:	Portage Development	Reporter:	konsolebox <konsolebox>
Component:	Enhancement/Feature Requests	Assignee:	Portage team <dev-portage>
Status:	UNCONFIRMED ---
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Simple patch to make it work Working post-update script that updates secure_path Working post-update script that updates secure_path (V2) Working post-update script that updates secure_path (V3) Working post-update script that updates secure_path (V4) Working post-update script that updates secure_path (V5) Updated to work with 3.0.28

Description konsolebox 2021-03-20 14:56:55 UTC

In https://bugs.gentoo.org/777267 I ended up with a solution where I created a wrapper script for env-update which calls env-update and then updates the value of "secure_path" in /etc/sudoers/secure_path based on the updated value of REALPATH.

It would be nice if env-update would have an added feature where it executes +x scripts present somewhere in /etc (perhaps in /etc/env-update.d/) after updating /etc/profile.env and other stuff so I wouldn't have to use a wrapper like this.  It's also not guaranteed that the wrapper is called during emerge over the real env-update.

Comment 1 konsolebox 2021-03-20 17:27:42 UTC

Created attachment 692598 [details, diff]
Simple patch to make it work

Comment 2 Zac Medico gentoo-dev

2021-03-20 20:13:56 UTC

The solutions sounds somewhat complicated for a PATH ordering issue, so I'd like to understand why there's not a simpler way to generate an appropriate PATH setting, if that really is the case.

Comment 3 konsolebox 2021-03-21 10:07:03 UTC

If we'd like to make secure_path follow the generated [ROOT]PATH from env.d, this is the only way to make it consistent.  Also I believe this can also help with other things that has to be regenerated everytime something significant in /etc/env.d is modified.

Comment 4 konsolebox 2021-03-21 10:20:53 UTC

Created attachment 692676 [details]
Working post-update script that updates secure_path

Comment 5 konsolebox 2021-03-21 10:45:22 UTC

Created attachment 692688 [details]
Working post-update script that updates secure_path (V2)

Comment 6 konsolebox 2021-03-21 11:13:37 UTC

Created attachment 692691 [details]
Working post-update script that updates secure_path (V3)

There's no need to check if ROOTPATH has /usr/sbin since the default already has it, and secure_path should have a conservative value, so avoid including values from PATH.  A path should also be in ROOTPATH anyway if it's meant to run as EUID 0.

Comment 7 konsolebox 2021-03-21 13:49:58 UTC

Created attachment 692721 [details]
Working post-update script that updates secure_path (V4)

Avoid updating secure_path if it's already up-to-date to lessen noise and write IO

Comment 8 konsolebox 2021-03-21 14:25:32 UTC

Created attachment 692730 [details]
Working post-update script that updates secure_path (V5)

Exclude "\n" in printf assignment and use more EPREFIX

Comment 9 konsolebox 2021-10-29 06:33:46 UTC

Created attachment 747183 [details, diff]
Updated to work with 3.0.28

Comment 10 konsolebox 2021-10-29 06:35:36 UTC

I customized the official ebuild so it includes this feature.  It can be enabled with the 'unofficial' use flag.

https://github.com/konsolebox/overlay/tree/master/sys-apps/portage