Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 396153 - persistent administrative override of file and directory permissions (like dpkg-statoverride)
Summary: persistent administrative override of file and directory permissions (like dp...
Status: CONFIRMED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: PMS/EAPI (show other bugs)
Hardware: All All
: Normal normal
Assignee: PMS/EAPI
URL: http://www.debian.org/doc/debian-poli...
Whiteboard:
Keywords:
: 141619 151778 (view as bug list)
Depends on:
Blocks: 193766
  Show dependency tree
 
Reported: 2011-12-27 01:23 UTC by Zac Medico
Modified: 2024-04-22 16:15 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Zac Medico gentoo-dev 2011-12-27 01:23:20 UTC
Package managers should allow administrators to override permissions of files in a way that persists through upgrades. For example, this can be accomplished using an approach similar to Debian's dpkg-statoverride tool.
Comment 1 Zac Medico gentoo-dev 2011-12-27 01:24:45 UTC
*** Bug 141619 has been marked as a duplicate of this bug. ***
Comment 2 Zac Medico gentoo-dev 2011-12-27 01:30:02 UTC
*** Bug 151778 has been marked as a duplicate of this bug. ***
Comment 3 Maxim Kammerer 2012-07-08 21:21:21 UTC
I think that this bug's importance should be raised. Consider, for instance, net-misc/tor:

    pkg_setup() {
        enewgroup tor
        enewuser tor -1 -1 /var/lib/tor tor
    }

    src_install() {
        ...
        fperms 750 /var/lib/tor
        fowners tor:tor /var/lib/tor
        ...
    }

The intent is clearly that /var/lib/tor is only readable by user "tor". However:

    drwxr-xr-x 2 tor root 88 Jun 16 01:07 /var/lib/tor

Specifically for net-misc/tor, this is not a serious issue (Tor daemon apparently sets umask to 077 for new files and directories), but it might be for other packages. I had to resolve to, e.g.:

    pkg_setup() {
        enewgroup i2p
        enewuser  i2p -1 -1 /var/lib/i2p i2p
        rmdir /var/lib/i2p 2>/dev/null || :
    }

in order to enforce directory permissions for a similar package.
Comment 4 SpanKY gentoo-dev 2012-07-21 17:26:36 UTC
(In reply to comment #3)

i don't really understand your example.  if /var/lib/tor doesn't exist, then when the dir gets merged, it'll start with 750 perms.  how did it get 755 ?

also, be aware that you cannot rely on the tree state that an ebuild sets up in /var/{lib,cache,run} since that might get removed manually by an admin.  so init.d scripts have to use `checkpath` to make sure they're available.
Comment 5 Maxim Kammerer 2012-07-21 18:20:20 UTC
(In reply to comment #4)
> i don't really understand your example.  if /var/lib/tor doesn't exist, then
> when the dir gets merged, it'll start with 750 perms.  how did it get 755 ?

But /var/lib/tor already exists before src_install() -- it is created by enewuser in pkg_setup().

> also, be aware that you cannot rely on the tree state that an ebuild sets up
> in /var/{lib,cache,run} since that might get removed manually by an admin. 
> so init.d scripts have to use `checkpath` to make sure they're available.

I am aware of /var/run (filed a few bugs for bug #332633 myself), and /var/cache case is kind of obvious, but /var/lib? It seems to me that if one starts arbitrary removing stuff in /var/lib in Gentoo, the system will break...