Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-20 Thread William Hubbs
On Sun, Feb 18, 2018 at 11:07:59AM +0900, Benda Xu wrote:
> Hi William,
> 
> William Hubbs  writes:
> 
> > The second change is that baselayout is taking ownership of most of the
> > directories it creates. This includes all directories in / and /usr
> > excluding /lib* and /usr/lib*. Once we drop support for SYMLINK_LIB,
> > baselayout will take ownership of /lib* and /usr/lib* as well.
> 
> This is an abrupt change that will affect many users.  I suggest a
> lengthy explanation (blog post, wiki page or important emails) to be
> attached as a reference in this news item.  
> 
> So a user will be able to study the rationales behind this change before
> unmasking baselayout-2.5 on their machines.

Baselayout currently goes out of its way not to own these, but there's
no rationale documented anywhere for why it does this.

From what I've seen in some testing I've done, it shouldn't break
anything. I will test again before I actually push the release on
another machine.

William





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-17 Thread Benda Xu
Hi William,

William Hubbs  writes:

> The second change is that baselayout is taking ownership of most of the
> directories it creates. This includes all directories in / and /usr
> excluding /lib* and /usr/lib*. Once we drop support for SYMLINK_LIB,
> baselayout will take ownership of /lib* and /usr/lib* as well.

This is an abrupt change that will affect many users.  I suggest a
lengthy explanation (blog post, wiki page or important emails) to be
attached as a reference in this news item.  

So a user will be able to study the rationales behind this change before
unmasking baselayout-2.5 on their machines.

Yours,
Benda




Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-17 Thread Benda Xu
Hi William,

William Hubbs  writes:

> here is a link to an old, but brief discussion about this.
>
> https://archives.gentoo.org/gentoo-dev/message/2fc1f62c7cf225787fe52f4dace7368c
>
> I think we have talked about this several other times, but not done
> anything about it.
>
> On Thu, Feb 08, 2018 at 10:17:59PM +, M. J. Everitt wrote:
>> 
>> Pardon my ignorance, but does that mean you are essentially relying on
>> file system features/permissions and security settings to enforce
>> correct use of system tools?! Or is this just to make sudo/etc commands
>> 'more convenient' ?!
>
> The basic problem is that what goes in *bin vs *sbin is quite arbitrary
> and the best way to fix it is to make all of the *bin and *sbin
> directories accessible to all users.
>
> You can't rely on a path to separate system-only programs from
> programs that users might want to run, and some programs can be run by
> users to look around but not change things.
>
> Here is one non-gentoo source discussing this.
>
> http://lists.busybox.net/pipermail/busybox/2010-December/074114.html
>
> Even if we don't adopt the usr merge in Gentoo Linux as default, removing *sbin
> from the path doesn't make sense.

If these references are useful for users to understand why this decision
and potential breakage is made, it might be a good idea to append the
links to the news item.

Yours,
Benda




Re: [gentoo-dev] newsitem: baselayout 2.5 changes (round 2)

2018-02-13 Thread Peter Stuge
William Hubbs wrote:
> The first change is that ROOTPATH is no longer set. This means all of
> the *sbin directories will be added to the default path for all users
> instead of just the root user.

Maybe add a sentence about why this is changing or even necessary,
to avoid perception of weakened security.


//Peter



[gentoo-dev] newsitem: baselayout 2.5 changes (round 2)

2018-02-12 Thread William Hubbs
All,

here is an updated newsitem based on the comments I have received so
far.

William

Title: baselayout 2.5 updates
Author: William Hubbs 
Posted: 2018-02-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: 



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-10 Thread Michał Górny
On Sat, 10.02.2018 at 10:49 +, user Mike Auty
wrote:
> On 08/02/18 20:55, Mike Gilbert wrote:
> > However, there are plenty of examples of commands that normal users
> > may run from sbin.
> 
> Hiya,
> 
> I'm not really for or against the idea, but whenever the justification
> for something is "there are plenty of examples" it's really helpful to
> have a number of them listed so that people can see what actual benefit
> is being provided by the change.  Could you name a few of the most
> common/important examples so that it's part of the discussion please?
> 

blkid
btrfs
iwconfig
swapon

I think historically also 'ifconfig' and 'ping' were in sbin.

Sure, those commands are often used by root. But I don't need elevated
privileges to want to know my free space or IP address.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-10 Thread Mike Auty
On 08/02/18 20:55, Mike Gilbert wrote:
> However, there are plenty of examples of commands that normal users
> may run from sbin.
Hiya,

I'm not really for or against the idea, but whenever the justification
for something is "there are plenty of examples" it's really helpful to
have a number of them listed so that people can see what actual benefit
is being provided by the change.  Could you name a few of the most
common/important examples so that it's part of the discussion please?

Mike  5:)





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Rich Freeman
On Thu, Feb 8, 2018 at 6:25 PM, Michael Orlitzky  wrote:
> On 02/08/2018 06:12 PM, William Hubbs wrote:
>>
>> There is no bug here. The problem, as I said before in this thread, is
>> that what goes in *sbin is arbitrary, and as Rich said, if you are
>> relying on the path to prevent a non-root user from running something
>> that only root should run, you are doing it wrong. All the user has to
>> do is type a full path to a command and it will be run.
>
> The FHS says /usr/sbin is for "binaries used exclusively by the system
> administrator." It's not arbitrary, and the test for what doesn't belong
> there is obvious: if a regular user needs something in /usr/sbin, then
> we put it in the wrong place. Adding /usr/sbin to PATH will hide the
> fact that we put it in the wrong place, but it will still be in the
> wrong place.
>

Sounds like a good reason to refer bugs upstream, and hide them from
users in the meantime, like basically every other distro does.

-- 
Rich



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Michael Orlitzky
On 02/08/2018 06:12 PM, William Hubbs wrote:
> 
> There is no bug here. The problem, as I said before in this thread, is
> that what goes in *sbin is arbitrary, and as Rich said, if you are
> relying on the path to prevent a non-root user from running something
> that only root should run, you are doing it wrong. All the user has to
> do is type a full path to a command and it will be run.

The FHS says /usr/sbin is for "binaries used exclusively by the system
administrator." It's not arbitrary, and the test for what doesn't belong
there is obvious: if a regular user needs something in /usr/sbin, then
we put it in the wrong place. Adding /usr/sbin to PATH will hide the
fact that we put it in the wrong place, but it will still be in the
wrong place.



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread William Hubbs
On Thu, Feb 08, 2018 at 05:49:52PM -0500, Michael Orlitzky wrote:
> On 02/08/2018 05:33 PM, Rich Freeman wrote:
> > 
> > There are actually quite a few binaries in /sbin and /usr/sbin which
> > can be useful for non-root users.  Sure, we could go through there
> > carefully and move stuff to /bin but honestly doing what everybody
> > else does and just sticking /sbin in the default path makes more
> > sense.
> 
> Yeah hiding the bug is easier than fixing it, but has the downside that
> the bug doesn't get fixed.

There is no bug here. The problem, as I said before in this thread, is
that what goes in *sbin is arbitrary, and as Rich said, if you are
relying on the path to prevent a non-root user from running something
that only root should run, you are doing it wrong. All the user has to
do is type a full path to a command and it will be run.

William





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Michael Orlitzky
On 02/08/2018 05:33 PM, Rich Freeman wrote:
> 
> There are actually quite a few binaries in /sbin and /usr/sbin which
> can be useful for non-root users.  Sure, we could go through there
> carefully and move stuff to /bin but honestly doing what everybody
> else does and just sticking /sbin in the default path makes more
> sense.

Yeah hiding the bug is easier than fixing it, but has the downside that
the bug doesn't get fixed.



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread M. J. Everitt
On 08/02/18 22:33, William Hubbs wrote:
> All,
>
> here is a link to an old, but brief discussion about this.
>
> https://archives.gentoo.org/gentoo-dev/message/2fc1f62c7cf225787fe52f4dace7368c
>
> I think we have talked about this several other times, but not done
> anything about it.
>
> On Thu, Feb 08, 2018 at 10:17:59PM +, M. J. Everitt wrote:
>>
>> On 08/02/18 22:13, William Hubbs wrote:
>>> On Thu, Feb 08, 2018 at 03:55:02PM -0500, Mike Gilbert wrote:
>>>> However, there are plenty of examples of commands that normal users
>>>> may run from sbin. Moving these commands often causes problems for
>>>> packages that either hard code absolute paths, or detect paths at
>>>> build time. I think it would be less disruptive to add sbin to PATH
>>>> than it would be to try and "fix" all the packages that install
>>>> commands in the wrong place.
>>> There are no reasons to remove the *sbin directories from PATH; I know
>>> of no other distros that do this.
>>>
>>> William
>>>
>> Pardon my ignorance, but does that mean you are essentially relying on
>> file system features/permissions and security settings to enforce
>> correct use of system tools?! Or is this just to make sudo/etc commands
>> 'more convenient' ?!
> The basic problem is that what goes in *bin vs *sbin is quite arbitrary
> and the best way to fix it is to make all of the *bin and *sbin
> directories accessible to all users.
>
> You can't rely on a path to separate system-only programs from
> programs that users might want to run, and some programs can be run by
> users to look around but not change things.
>
> Here is one non-gentoo source discussing this.
>
> http://lists.busybox.net/pipermail/busybox/2010-December/074114.html
>
> Even if we don't adopt the usr merge in Gentoo Linux as default, removing *sbin
> from the path doesn't make sense.
>
> William
>
Thank you William, and also Rich for your explanations! I do see where
you're coming from now.

Michael.





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread William Hubbs
All,

here is a link to an old, but brief discussion about this.

https://archives.gentoo.org/gentoo-dev/message/2fc1f62c7cf225787fe52f4dace7368c

I think we have talked about this several other times, but not done
anything about it.

On Thu, Feb 08, 2018 at 10:17:59PM +, M. J. Everitt wrote:
> 
> 
> On 08/02/18 22:13, William Hubbs wrote:
> > On Thu, Feb 08, 2018 at 03:55:02PM -0500, Mike Gilbert wrote:
> >> However, there are plenty of examples of commands that normal users
> >> may run from sbin. Moving these commands often causes problems for
> >> packages that either hard code absolute paths, or detect paths at
> >> build time. I think it would be less disruptive to add sbin to PATH
> >> than it would be to try and "fix" all the packages that install
> >> commands in the wrong place.
> > There are no reasons to remove the *sbin directories from PATH; I know
> > of no other distros that do this.
> >
> > William
> >
> Pardon my ignorance, but does that mean you are essentially relying on
> file system features/permissions and security settings to enforce
> correct use of system tools?! Or is this just to make sudo/etc commands
> 'more convenient' ?!

The basic problem is that what goes in *bin vs *sbin is quite arbitrary
and the best way to fix it is to make all of the *bin and *sbin
directories accessible to all users.

You can't rely on a path to separate system-only programs from
programs that users might want to run, and some programs can be run by
users to look around but not change things.

Here is one non-gentoo source discussing this.

http://lists.busybox.net/pipermail/busybox/2010-December/074114.html

Even if we don't adopt the usr merge in Gentoo Linux as default, removing *sbin
from the path doesn't make sense.

William

> 
> MJE
> 







Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Rich Freeman
On Thu, Feb 8, 2018 at 5:17 PM, M. J. Everitt  wrote:
>
>
> On 08/02/18 22:13, William Hubbs wrote:
>> On Thu, Feb 08, 2018 at 03:55:02PM -0500, Mike Gilbert wrote:
>>> However, there are plenty of examples of commands that normal users
>>> may run from sbin. Moving these commands often causes problems for
>>> packages that either hard code absolute paths, or detect paths at
>>> build time. I think it would be less disruptive to add sbin to PATH
>>> than it would be to try and "fix" all the packages that install
>>> commands in the wrong place.
>> There are no reasons to remove the *sbin directories from PATH; I know
>> of no other distros that do this.
>>
>> William
>>
> Pardon my ignorance, but does that mean you are essentially relying on
> file system features/permissions and security settings to enforce
> correct use of system tools?! Or is this just to make sudo/etc commands
> 'more convenient' ?!

If you're depending on binaries not being in the PATH for security,
you're doing it wrong.  If you're depending on filesystem
features/permissions (other than the SUID bit or POSIX capability
settings) for security when it comes to performing privileged
operations, you're also doing it wrong.

There are actually quite a few binaries in /sbin and /usr/sbin which
can be useful for non-root users.  Sure, we could go through there
carefully and move stuff to /bin but honestly doing what everybody
else does and just sticking /sbin in the default path makes more
sense.

If you're typing p to find a command then adding an extra ~20
commands to the ~850 that are listed on my system isn't going to break
the bank.

-- 
Rich
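The point Rich makes above, and William makes in his earlier reply (a user can always run a command by its full path, so PATH is not an access control), can be shown in a few lines of shell. This is an added example and is not code from the thread or from baselayout; it builds a constructed bin/ and sbin/ pair of fake tools under a temporary directory (the tool names and the 0755/0700 modes are invented for the demonstration) and never touches the real /sbin. It shows that dropping sbin from PATH only hides a command from lookup, that the command still runs by absolute path, and that the bit a defender should audit is the file mode (the "other" execute bit), which is what actually decides who can run a program:

```shell
#!/bin/sh
# Added example (not from the gentoo-dev thread): PATH membership is a lookup
# convenience; the file mode bits decide who may execute a program.
# Everything runs against a constructed temp directory, never the real /sbin.
set -eu

# Build a fake prefix with bin/ and sbin/ and three constructed tools:
#   bin/usertool    0755  ordinary user command
#   sbin/admintool  0755  "sbin" command that any user can still execute
#   sbin/lockedtool 0700  genuinely restricted: mode bits, not PATH, block it
make_fixture() {
    fx=$(mktemp -d "${TMPDIR:-/tmp}/sbinpath.XXXXXX")
    mkdir -p "$fx/bin" "$fx/sbin"
    printf '#!/bin/sh\necho user-tool\n'   > "$fx/bin/usertool"
    printf '#!/bin/sh\necho admin-tool\n'  > "$fx/sbin/admintool"
    printf '#!/bin/sh\necho locked-tool\n' > "$fx/sbin/lockedtool"
    chmod 0755 "$fx/bin/usertool" "$fx/sbin/admintool"
    chmod 0700 "$fx/sbin/lockedtool"
    printf '%s\n' "$fx"
}

# in_path PATHVALUE NAME: succeeds only if NAME resolves through PATHVALUE.
# The subshell keeps the temporary PATH from leaking into the caller.
in_path() {
    (PATH=$1; export PATH; command -v "$2" >/dev/null 2>&1)
}

# world_executable DIR: prints the files in DIR whose "other" execute bit is
# set, i.e. the ones a non-owner can run whether or not DIR is in PATH.
world_executable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %A "$f" 2>/dev/null || ls -ld "$f" | cut -c1-10)
        case $mode in
            *x) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# Stand-alone demonstration; each step mirrors a point made in the thread.
demo() {
    root=$(make_fixture)
    if in_path "$root/bin" admintool; then
        echo "unexpected: admintool visible with sbin off the PATH"
    else
        echo "admintool hidden from PATH lookup (ROOTPATH-style split)"
    fi
    echo "...but it runs by absolute path anyway: $("$root/sbin/admintool")"
    in_path "$root/bin:$root/sbin" admintool && echo "visible once sbin is on PATH"
    echo "sbin entries others can execute: $(world_executable "$root/sbin" | tr '\n' ' ')"
    rm -rf "$root"
}
demo
```

Run it as any user: the output shows `admintool` hidden while sbin is off the PATH, then executed by full path, and `lockedtool` absent from the world-executable list because its 0700 mode, not its directory, is what restricts it. Pointing `world_executable` at a real sbin directory is the audit that tells you which entries were ever "protected" by anything more than their location.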



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Michael Orlitzky
On 02/08/2018 05:13 PM, William Hubbs wrote:
> 
> There are no reasons to remove the *sbin directories from PATH; I know
> of no other distros that do this.

The first reason that comes to mind is that when I type something like
p to remind me of a command name, I don't need to see 50 programs
that I'm not allowed to run in the list.



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread M. J. Everitt


On 08/02/18 22:13, William Hubbs wrote:
> On Thu, Feb 08, 2018 at 03:55:02PM -0500, Mike Gilbert wrote:
>> However, there are plenty of examples of commands that normal users
>> may run from sbin. Moving these commands often causes problems for
>> packages that either hard code absolute paths, or detect paths at
>> build time. I think it would be less disruptive to add sbin to PATH
>> than it would be to try and "fix" all the packages that install
>> commands in the wrong place.
> There are no reasons to remove the *sbin directories from PATH; I know
> of no other distros that do this.
>
> William
>
Pardon my ignorance, but does that mean you are essentially relying on
file system features/permissions and security settings to enforce
correct use of system tools?! Or is this just to make sudo/etc commands
'more convenient' ?!

MJE





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread William Hubbs
On Thu, Feb 08, 2018 at 03:55:02PM -0500, Mike Gilbert wrote:
> On Thu, Feb 8, 2018 at 3:41 PM, Ulrich Mueller  wrote:
> >> On Thu, 8 Feb 2018, Mike Gilbert wrote:
> >
> >> Eliminating ROOTPATH seems like a significant change. Was this
> >> officially discussed somewhere that I missed?
> >
> >> I actually support the change, but other people should be given the
> >> chance to complain about it on the record.

It has been a long time, but I believe I brought it up at some point in
the past. I'll look for a link in a few and reply with it if I find it.

> > It contradicts the FHS, which says that /sbin contains "root-only
> > commands" and that "ordinary users should not have to place any of the
> > sbin directories in their path." [1]
> 
> That would be fine if we actually followed the recommendation
> mentioned in the first half of that footnote.
> 
> "Deciding what things go into "sbin" directories is simple: if a
> normal (not a system administrator) user will ever run it directly,
> then it must be placed in one of the "bin" directories."
> 
> However, there are plenty of examples of commands that normal users
> may run from sbin. Moving these commands often causes problems for
> packages that either hard code absolute paths, or detect paths at
> build time. I think it would be less disruptive to add sbin to PATH
> than it would be to try and "fix" all the packages that install
> commands in the wrong place.

There are no reasons to remove the *sbin directories from PATH; I know
of no other distros that do this.

William





Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Mike Gilbert
On Thu, Feb 8, 2018 at 3:41 PM, Ulrich Mueller  wrote:
>> On Thu, 8 Feb 2018, Mike Gilbert wrote:
>
>> Eliminating ROOTPATH seems like a significant change. Was this
>> officially discussed somewhere that I missed?
>
>> I actually support the change, but other people should be given the
>> chance to complain about it on the record.
>
> It contradicts the FHS, which says that /sbin contains "root-only
> commands" and that "ordinary users should not have to place any of the
> sbin directories in their path." [1]

That would be fine if we actually followed the recommendation
mentioned in the first half of that footnote.

"Deciding what things go into "sbin" directories is simple: if a
normal (not a system administrator) user will ever run it directly,
then it must be placed in one of the "bin" directories."

However, there are plenty of examples of commands that normal users
may run from sbin. Moving these commands often causes problems for
packages that either hard code absolute paths, or detect paths at
build time. I think it would be less disruptive to add sbin to PATH
than it would be to try and "fix" all the packages that install
commands in the wrong place.



Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Ulrich Mueller
> On Thu, 8 Feb 2018, Mike Gilbert wrote:

> Eliminating ROOTPATH seems like a significant change. Was this
> officially discussed somewhere that I missed?

> I actually support the change, but other people should be given the
> chance to complain about it on the record.

It contradicts the FHS, which says that /sbin contains "root-only
commands" and that "ordinary users should not have to place any of the
sbin directories in their path." [1]

Ulrich


[1] 
http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s16.html#ftn.idm236092603392




Re: [gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread Mike Gilbert
On Thu, Feb 8, 2018 at 2:52 PM, William Hubbs  wrote:
> All,
>
> here is a proposed newsitem for baselayout 2.5.
>
> Let me know what you think, including whether these are newsitem-worthy
> or not.

Eliminating ROOTPATH seems like a significant change. Was this
officially discussed somewhere that I missed?

I actually support the change, but other people should be given the
chance to complain about it on the record.



[gentoo-dev] newsitem: baselayout 2.5 changes

2018-02-08 Thread William Hubbs
All,

here is a proposed newsitem for baselayout 2.5.

Let me know what you think, including whether these are newsitem-worthy
or not.

Thanks,

William

Title: baselayout 2.5 updates
Author: William Hubbs 
Posted: 2018-02-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: 
