[Exherbo-dev] ROOTPATH, pam_env and profile.env

Saleem Abdulrasool compnerd at compnerd.org
Sun Feb 17 22:26:52 UTC 2013


On Fri, 15 Feb 2013, Benedikt Morbach wrote:

> On Sat, Feb 9, 2013 at 11:46 PM, Saleem Abdulrasool
> <compnerd at compnerd.org>wrote:
> 
> > What you are proposing strictly violates the FHS.  It explicitly states
> > that
> > /sbin and /usr/sbin are to be included in PATH for the root user *only*.
> >  If you
> > wish to ignore this recommendation from the FHS, please state this
> > clearly, and
> > ideally, provide some justification.  Effectively, what you are proposing
> > would
> > merge /bin and /sbin, /usr/bin and /usr/sbin.  It seems that the more
> > efficient
> > way to do this would be to just do that -- merge them and delete /sbin and
> > /usr/sbin.
> >
> I'd be in favor of that.
> On a modern system, you can have any set of capabilities and thus be a
> subset of root.
> With newer kernels (from 3.8 onward, iirc) you can even create a user
> namespace as a
> unprivileged user and be your own root in there. (you get all caps)
> 
> Tools in sbin might over time grow features that are useful for
> unprivileged users too.
> Moving things is difficult because they may be hardcoded in scripts and you
> get to add a symlink for every binary.
> 
> I also think that it would be cleaner to just merge the directories, then
> we just have to
> add the links to skeleton-filesystem-layout.
> 
> See also
> https://lists.fedoraproject.org/pipermail/devel/2011-October/158845.html

There doesn't seem to have been any objections to performing the merge of /sbin,
/usr/sbin merge to /bin and /usr/bin respectively.  It would be nice to have
that documented along with an explanation to indicate what we do and why we do
it.

Someone stepping up to take charge of making the appropriate changes would be
nice.  It would require going over existing packages and ensuring that
appropriate patches are applied and upstreamed for changing the paths (e.g. the
ipsec plugin for openl2tpd uses a hardcoded path to setkeys and that will need
to be changed to a autotool'ed parameter).

Once the packages are patched, it seems just a matter of updating the configure
options in econf and any exheres which override the paths.

-- 
Saleem Abdulrasool
compnerd (at) compnerd (dot) org



More information about the Exherbo-dev mailing list