516614 – [Future EAPI] support enforcing supplementary groups instead of RESTRICT=userpriv

Bug 516614 - [Future EAPI] support enforcing supplementary groups instead of RESTRICT=userpriv

Summary: [Future EAPI] support enforcing supplementary groups instead of RESTRICT=user...

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Hosted Projects
Classification:	Unclassified
Component:	PMS/EAPI (show other bugs)
Hardware:	All Linux

Importance:	Normal enhancement (vote)
Assignee:	PMS/EAPI

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	future-eapi
	Show dependency tree

Reported:	2014-07-07 14:04 UTC by Michał Górny
Modified:	2014-07-07 22:28 UTC (History)
CC List:	2 users (show)

See Also:	516616
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2014-07-07 14:04:23 UTC

Looking at some random examples of RESTRICT=userpriv:

1. nvidia/CUDA ebuilds require access to /dev/nvidia*. This either requires portage to be in the 'video' group (which we don't have any sane way of enforcing) or using root privileges.

2. some game ebuilds are unable to access tools other game ebuilds installed (due to 'games' group requirement). So the ebuilds run those tools as root to circumvent their own limitation.

3. qmail-related ebuilds seem to have a similar issue but I don't know the details (yet).

That said, I'd dare say a lot of RESTRICT=userpriv cases could be avoided if ebuilds were able to force supplementary groups during the build.

An ugly syntax would be:

  SUPPLEMENTARY_GROUPS="video,games"

that would cause portage to call setgroups() with the two listed groups. Therefore, the ebuild would be able to access the needed resources without needing to be given superuser privileges.

Comment 1 Rick Farina (Zero_Chaos) gentoo-dev

2014-07-07 14:13:05 UTC

Do not interpret this comment as pro or con, I'm on the fence, but adding information.

This needs to roll around in my head a bit, but here is what I've done for cuda/opencl ebuilds.  I've added a note in the ebuild on failure that says "please ensure portage is in the video group" and I've used "addwrite" to allow access to the needed device nodes. Perfect? No, but it does work.

It might be useful if the "SUPPLIMENTORY_GROUPS" (or w/e) option was able to check if portage was in the group and warn the user they need to add portage to that group.  Automatically adding portage to that group is basically as bad as just allowing root in the first place imho.

Comment 2 Michał Górny archtester

2014-07-07 14:16:07 UTC

Just to be clear, it's not supposed to modify passwd. It uses the setgroups() call to set groups 'seen' by the process.

Comment 3 Rick Farina (Zero_Chaos) gentoo-dev

2014-07-07 14:19:16 UTC

SUPPLEMENTARY_GROUPS=wheel,root would replace the undesired RESTRICT=userpriv and we are back in the same place.

Comment 4 Michał Górny archtester

2014-07-07 14:40:23 UTC

(In reply to Rick Farina (Zero_Chaos) from comment #3)
> SUPPLEMENTARY_GROUPS=wheel,root would replace the undesired
> RESTRICT=userpriv and we are back in the same place.

That wouldn't be equivalent and I don't see why you would do that. So maybe another thing to be clear: I'm not saying 'replace completely'. Just provide a safer alternative where it's possible.

Comment 5 Ulrich Müller gentoo-dev

2014-07-07 15:24:54 UTC

Isn't this overkill, given that there are only 10 packages in the tree with RESTRICT=userpriv (and even fewer are free software).

Comment 6 Rick Farina (Zero_Chaos) gentoo-dev

2014-07-07 18:14:12 UTC

(In reply to Ulrich Müller from comment #5)
> Isn't this overkill, given that there are only 10 packages in the tree with
> RESTRICT=userpriv (and even fewer are free software).

Yes and no. There are other things which are broken with slightly crazy workarounds like erroring and asking the user to add portage to video group (that's how I fix a bunch of opencl/cuda issues).  This is a nice new feature imho.