Re: avoid running CPAN as root
# from Shawn H Corey # on Sunday 10 January 2010 08:11: $ sudo cpan This exposes your system to any bugs in the test suite (an accidental `rm -rf /` has happened before) with root privileges. With a modern CPAN client, you can set it to use sudo only at install time with the make_install_make_command and mbuild_install_build_command knobs. http://learnperl.scratchcomputing.com/tutorials/configuration/ --Eric -- perl -e 'srand; print join( ,sort({rand() 0.5} qw(sometimes it is important to be consistent)));' --- http://scratchcomputing.com ---
Re: avoid running CPAN as root
While the idea of using sudo only at install time is nice, there are two problems: 1. Some modules require extra privileges at test time 2. Far more impact is that sudo requires that you enter your password each time you invoke it. Therefore you will have to enter your password once for each module you install. On any given module you may have 3 or 4 prerequisites; if you update your modules to current once a quarter, you will have dozens to install. Given the way that CPAN.pm operates you can't just keep going and add each blib to your @INC and only do one sudo session to run all the individual make installs. # from Shawn H Corey # on Sunday 10 January 2010 08:11: $ sudo cpan This exposes your system to any bugs in the test suite (an accidental `rm -rf /` has happened before) with root privileges. With a modern CPAN client, you can set it to use sudo only at install time with the make_install_make_command and mbuild_install_build_command knobs. http://learnperl.scratchcomputing.com/tutorials/configuration/ --Eric -- perl -e 'srand; print join( ,sort({rand() 0.5} qw(sometimes it is important to be consistent)));' --- http://scratchcomputing.com ---
Re: avoid running CPAN as root
On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote: While the idea of using sudo only at install time is nice, there are two problems: 1. Some modules require extra privileges at test time Do they? I've got 1213 distributions installed on this laptop. All using cpan and none of them required elevated privileges during testing. Which modules do this? 2. Far more impact is that sudo requires that you enter your password each time you invoke it. Therefore you will have to enter your password once for each module you install. On any given module you may have 3 or 4 prerequisites; if you update your modules to current once a quarter, you will have dozens to install. Given the way that CPAN.pm operates you can't just keep going and add each blib to your @INC and only do one sudo session to run all the individual make installs. Often sudo will be configured with a 15 minute grace period which means you only need to authenticate for the first make install / ./Build install. -- Andy Armstrong, Hexten
Re: avoid running CPAN as root
dhu...@hudes.org wrote: While the idea of using sudo only at install time is nice, there are two problems: 1. Some modules require extra privileges at test time 2. Far more impact is that sudo requires that you enter your password each time you invoke it. Therefore you will have to enter your password once for each module you install. On any given module you may have 3 or 4 prerequisites; if you update your modules to current once a quarter, you will have dozens to install. Given the way that CPAN.pm operates you can't just keep going and add each blib to your @INC and only do one sudo session to run all the individual make installs. My sudo (on latest ubuntu) does not appear to work like that. If I run the sudo commands quickly enough it does not reprompt. I think this is passwd_timeout or timestamp_timeout in sudoers file. Martin -- Martin J. Evans Easysoft Limited http://www.easysoft.com # from Shawn H Corey # on Sunday 10 January 2010 08:11: $ sudo cpan This exposes your system to any bugs in the test suite (an accidental `rm -rf /` has happened before) with root privileges. With a modern CPAN client, you can set it to use sudo only at install time with the make_install_make_command and mbuild_install_build_command knobs. http://learnperl.scratchcomputing.com/tutorials/configuration/ --Eric -- perl -e 'srand; print join( ,sort({rand() 0.5} qw(sometimes it is important to be consistent)));' --- http://scratchcomputing.com ---
Re: avoid running CPAN as root
On 12 Jan 2010, at 17:23, Dana Hudes wrote: Rebuilding a few hundred modules will take more than 15 minutes, especially if you have to download each one. I suppose you could modify sudoes to make it 8 hours. The timeout is reset each time sudo is used - so a shorter timeout is usually OK. -- Andy Armstrong, Hexten
Re: avoid running CPAN as root
Andy Armstrong writes: On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote: sudo requires that you enter your password each time you invoke it. Often sudo will be configured with a 15 minute grace period which means you only need to authenticate for the first make install / ./Build install. Though that can be irritating if your install hangs at that point, waiting for you to provide a password. An alternative is to pre-authenticate sudo with the -v flag, so that even the first install will become root without prompting: % sudo -v cpan Acme::MetaSyntactic Smylers -- Watch fiendish TV quiz 'Only Connect' (some questions by me) Mondays at 20:30 on BBC4, or iPlayer: http://www.bbc.co.uk/programmes/b00lskhg
Re: avoid running CPAN as root
On Tue, Jan 12, 2010 at 08:59:46AM -0800, dhu...@hudes.org wrote: While the idea of using sudo only at install time is nice, there are two problems: 1. Some modules require extra privileges at test time This is true. Have a look to see if CPAN distprefs will let you temporarily override the 'make test' command for them. 2. Far more impact is that sudo requires that you enter your password each time you invoke it. The default configuration is to only require it the first time you invoke it, and then store it for a certain amount of time for re-use. -- David Cantrell | Hero of the Information Age Blessed are the pessimists, for they test their backups
Re: avoid running CPAN as root
Smylers wrote: Andy Armstrong writes: On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote: sudo requires that you enter your password each time you invoke it. Often sudo will be configured with a 15 minute grace period which means you only need to authenticate for the first make install / ./Build install. Though that can be irritating if your install hangs at that point, waiting for you to provide a password. An alternative is to pre-authenticate sudo with the -v flag, so that even the first install will become root without prompting: % sudo -v cpan Acme::MetaSyntactic Smylers Seems like it would be nice if the build system understood appropriate behavior for the root user and acted accordingly. That is: given superuser access privileges should be lowered by default during the build process, but elevated for install. I don't think it's reasonable to expect either module authors or end users to know the vagaries of every possible flag. And, even if you argue it _is_ reasonable, it's still not going to happen. The right thing should be done by the software as much as possible. Austin
Re: avoid running CPAN as root
# from Austin Schutz # on Tuesday 12 January 2010 10:08: Seems like it would be nice if the build system understood appropriate behavior for the root user and acted accordingly. That is: given superuser access privileges should be lowered by default during the build process, but elevated for install. s/build system/CPAN client/ If the build system gets too smart, it interferes with the cpan client and anyway: someone always thinks that whatever decision was the wrong one (which it usually is because given two wrong choices...) --Eric -- Turns out the optimal technique is to put it in reverse and gun it. --Steven Squyres (on challenges in interplanetary robot navigation) --- http://scratchcomputing.com ---
Re: avoid running CPAN as root
Excerpts from dhudes's message of Tue Jan 12 11:59:46 -0500 2010: 2. Far more impact is that sudo requires that you enter your password each time you invoke it. No it doesn't. Read sudo(8). By default, you only have to enter it once every 15 minutes. hdp.
Re: avoid running CPAN as root
Rebuilding a few hundred modules will take more than 15 minutes, especially if you have to download each one. I suppose you could modify sudoes to make it 8 hours. --Original Message-- From: Andy Armstrong To: dhu...@hudes.org Cc: Eric Wilhelm Cc: module-authors@perl.org Sent: Jan 12, 2010 12:14 PM Subject: Re: avoid running CPAN as root On 12 Jan 2010, at 16:59, dhu...@hudes.org wrote: While the idea of using sudo only at install time is nice, there are two problems: 1. Some modules require extra privileges at test time Do they? I've got 1213 distributions installed on this laptop. All using cpan and none of them required elevated privileges during testing. Which modules do this? 2. Far more impact is that sudo requires that you enter your password each time you invoke it. Therefore you will have to enter your password once for each module you install. On any given module you may have 3 or 4 prerequisites; if you update your modules to current once a quarter, you will have dozens to install. Given the way that CPAN.pm operates you can't just keep going and add each blib to your @INC and only do one sudo session to run all the individual make installs. Often sudo will be configured with a 15 minute grace period which means you only need to authenticate for the first make install / ./Build install. -- Andy Armstrong, Hexten Sent from my BlackBerry® smartphone with Nextel Direct Connect
Re: avoid running CPAN as root
Dana Hudes wrote: Rebuilding a few hundred modules will take more than 15 minutes, especially if you have to download each one. I suppose you could modify sudoes to make it 8 hours. Once you start cpan with sudo, it will continue to run until you quit. Any program started with sudo runs as root unitl it finishes regardless of how long it takes. What it seems you are doing is starting each separately. Instead, put them in a shell script and run it with sudo. And never put sudo in a shell script; that is a security breach. -- Just my 0.0002 million dollars worth, Shawn Programming is as much about organization and communication as it is about coding. I like Perl; it's the only language where you can bless your thingy.