Re: avoid running CPAN as root

2010-01-12 Thread Eric Wilhelm 
# from Shawn H Corey
# on Sunday 10 January 2010 08:11:

$ sudo cpan

This exposes your system to any bugs in the test suite (an accidental 
`rm -rf /` has happened before) with root privileges.  With a modern 
CPAN client, you can set it to use sudo only at install time with the 
make_install_make_command and mbuild_install_build_command knobs.

  http://learnperl.scratchcomputing.com/tutorials/configuration/

--Eric
-- 
perl -e 'srand; print join( ,sort({rand()  0.5}
  qw(sometimes it is important to be consistent)));'
---
http://scratchcomputing.com
---

Re: avoid running CPAN as root

2010-01-12 Thread dhudes 
While the idea of using sudo only at install time is nice, there are two
problems:
1. Some modules require extra privileges at test time
2. Far more impact is that sudo requires that you enter your password each
time you invoke it.  Therefore you will have to enter your password once
for each module you install. On any given module you may have 3 or 4
prerequisites; if you update your modules to current once a quarter, you
will have dozens to install.  Given the way that CPAN.pm operates you
can't just keep going and add each blib to your @INC and only do one sudo
session to run all the individual make installs.


 # from Shawn H Corey
 # on Sunday 10 January 2010 08:11:

$ sudo cpan

 This exposes your system to any bugs in the test suite (an accidental
 `rm -rf /` has happened before) with root privileges.  With a modern
 CPAN client, you can set it to use sudo only at install time with the
 make_install_make_command and mbuild_install_build_command knobs.

   http://learnperl.scratchcomputing.com/tutorials/configuration/

 --Eric
 --
 perl -e 'srand; print join( ,sort({rand()  0.5}
   qw(sometimes it is important to be consistent)));'
 ---
 http://scratchcomputing.com
 ---

Re: avoid running CPAN as root

2010-01-12 Thread Andy Armstrong 
On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote:
 While the idea of using sudo only at install time is nice, there are two
 problems:
 1. Some modules require extra privileges at test time

Do they? I've got 1213 distributions installed on this laptop. All using cpan 
and none of them required elevated privileges during testing. Which modules do 
this?

 2. Far more impact is that sudo requires that you enter your password each
 time you invoke it.  Therefore you will have to enter your password once
 for each module you install. On any given module you may have 3 or 4
 prerequisites; if you update your modules to current once a quarter, you
 will have dozens to install.  Given the way that CPAN.pm operates you
 can't just keep going and add each blib to your @INC and only do one sudo
 session to run all the individual make installs.


Often sudo will be configured with a 15 minute grace period which means you 
only need to authenticate for the first make install / ./Build install.

-- 
Andy Armstrong, Hexten

Re: avoid running CPAN as root

2010-01-12 Thread Martin Evans 
dhu...@hudes.org wrote:
 While the idea of using sudo only at install time is nice, there are two
 problems:
 1. Some modules require extra privileges at test time
 2. Far more impact is that sudo requires that you enter your password each
 time you invoke it.  Therefore you will have to enter your password once
 for each module you install. On any given module you may have 3 or 4
 prerequisites; if you update your modules to current once a quarter, you
 will have dozens to install.  Given the way that CPAN.pm operates you
 can't just keep going and add each blib to your @INC and only do one sudo
 session to run all the individual make installs.

My sudo (on latest ubuntu) does not appear to work like that. If I run
the sudo commands quickly enough it does not reprompt. I think this is
passwd_timeout or timestamp_timeout in sudoers file.

Martin
-- 
Martin J. Evans
Easysoft Limited
http://www.easysoft.com

 
 # from Shawn H Corey
 # on Sunday 10 January 2010 08:11:

 $ sudo cpan
 This exposes your system to any bugs in the test suite (an accidental
 `rm -rf /` has happened before) with root privileges.  With a modern
 CPAN client, you can set it to use sudo only at install time with the
 make_install_make_command and mbuild_install_build_command knobs.

   http://learnperl.scratchcomputing.com/tutorials/configuration/

 --Eric
 --
 perl -e 'srand; print join( ,sort({rand()  0.5}
   qw(sometimes it is important to be consistent)));'
 ---
 http://scratchcomputing.com
 ---

Re: avoid running CPAN as root

2010-01-12 Thread Andy Armstrong 
On 12 Jan 2010, at 17:23, Dana Hudes wrote:
 Rebuilding a few hundred modules will take more than 15 minutes, especially 
 if you have to download each one. I suppose you could modify sudoes to make 
 it 8 hours. 


The timeout is reset each time sudo is used - so a shorter timeout is usually 
OK.

-- 
Andy Armstrong, Hexten

Re: avoid running CPAN as root

2010-01-12 Thread Smylers 
Andy Armstrong writes:

 On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote:
 
  sudo requires that you enter your password each time you invoke it.
 
 Often sudo will be configured with a 15 minute grace period which
 means you only need to authenticate for the first make install /
 ./Build install.

Though that can be irritating if your install hangs at that point,
waiting for you to provide a password.  An alternative is to
pre-authenticate sudo with the -v flag, so that even the first install
will become root without prompting:

  % sudo -v  cpan Acme::MetaSyntactic

Smylers
-- 
Watch fiendish TV quiz 'Only Connect' (some questions by me)
Mondays at 20:30 on BBC4, or iPlayer: http://www.bbc.co.uk/programmes/b00lskhg

Re: avoid running CPAN as root

2010-01-12 Thread David Cantrell 
On Tue, Jan 12, 2010 at 08:59:46AM -0800, dhu...@hudes.org wrote:
 While the idea of using sudo only at install time is nice, there are two
 problems:
 1. Some modules require extra privileges at test time

This is true.  Have a look to see if CPAN distprefs will let you
temporarily override the 'make test' command for them.

 2. Far more impact is that sudo requires that you enter your password each
 time you invoke it.

The default configuration is to only require it the first time you
invoke it, and then store it for a certain amount of time for re-use.

-- 
David Cantrell | Hero of the Information Age

  Blessed are the pessimists, for they test their backups

Re: avoid running CPAN as root

2010-01-12 Thread Austin Schutz 

Smylers wrote:

Andy Armstrong writes:


On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote:


sudo requires that you enter your password each time you invoke it.

Often sudo will be configured with a 15 minute grace period which
means you only need to authenticate for the first make install /
./Build install.


Though that can be irritating if your install hangs at that point,
waiting for you to provide a password.  An alternative is to
pre-authenticate sudo with the -v flag, so that even the first install
will become root without prompting:

  % sudo -v  cpan Acme::MetaSyntactic

Smylers


Seems like it would be nice if the build system understood appropriate 
behavior for the root user and acted accordingly. That is:  given 
superuser access privileges should be lowered by default during the 
build process, but elevated for install.


I don't think it's reasonable to expect either module authors or end 
users to know the vagaries of every possible flag. And, even if you 
argue it _is_ reasonable, it's still not going to happen.


The right thing should be done by the software as much as possible.

Austin

Re: avoid running CPAN as root

2010-01-12 Thread Eric Wilhelm 
# from Austin Schutz
# on Tuesday 12 January 2010 10:08:

Seems like it would be nice if the build system understood appropriate
behavior for the root user and acted accordingly. That is:  given
superuser access privileges should be lowered by default during the
build process, but elevated for install.

  s/build system/CPAN client/

If the build system gets too smart, it interferes with the cpan client 
and anyway: someone always thinks that whatever decision was the wrong 
one (which it usually is because given two wrong choices...)

--Eric
-- 
Turns out the optimal technique is to put it in reverse and gun it.
--Steven Squyres (on challenges in interplanetary robot navigation)
---
http://scratchcomputing.com
---

Re: avoid running CPAN as root

2010-01-12 Thread Hans Dieter Pearcey 
Excerpts from dhudes's message of Tue Jan 12 11:59:46 -0500 2010:
 2. Far more impact is that sudo requires that you enter your password each
 time you invoke it.

No it doesn't.  Read sudo(8).  By default, you only have to enter it once every
15 minutes.

hdp.

Re: avoid running CPAN as root

2010-01-12 Thread Dana Hudes 
Rebuilding a few hundred modules will take more than 15 minutes, especially if 
you have to download each one. I suppose you could modify sudoes to make it 8 
hours. 

--Original Message--
From: Andy Armstrong
To: dhu...@hudes.org
Cc: Eric Wilhelm
Cc: module-authors@perl.org
Sent: Jan 12, 2010 12:14 PM
Subject: Re: avoid running CPAN as root

On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote:
 While the idea of using sudo only at install time is nice, there are two
 problems:
 1. Some modules require extra privileges at test time

Do they? I've got 1213 distributions installed on this laptop. All using cpan 
and none of them required elevated privileges during testing. Which modules do 
this?

 2. Far more impact is that sudo requires that you enter your password each
 time you invoke it.  Therefore you will have to enter your password once
 for each module you install. On any given module you may have 3 or 4
 prerequisites; if you update your modules to current once a quarter, you
 will have dozens to install.  Given the way that CPAN.pm operates you
 can't just keep going and add each blib to your @INC and only do one sudo
 session to run all the individual make installs.


Often sudo will be configured with a 15 minute grace period which means you 
only need to authenticate for the first make install / ./Build install.

-- 
Andy Armstrong, Hexten





Sent from my BlackBerry® smartphone with Nextel Direct Connect

Re: avoid running CPAN as root

2010-01-12 Thread Shawn H Corey 
Dana Hudes wrote:
 Rebuilding a few hundred modules will take more than 15 minutes, especially 
 if you have to download each one. I suppose you could modify sudoes to make 
 it 8 hours. 

Once you start cpan with sudo, it will continue to run until you quit.
Any program started with sudo runs as root unitl it finishes regardless
of how long it takes.

What it seems you are doing is starting each separately.  Instead, put
them in a shell script and run it with sudo.

And never put sudo in a shell script; that is a security breach.


-- 
Just my 0.0002 million dollars worth,
  Shawn

Programming is as much about organization and communication
as it is about coding.

I like Perl; it's the only language where you can bless your
thingy.