Draft: Rework privilege escalation tool selection and create a run0 systemd subpackage

Open Aster Boese requested to merge JustSoup321/pmaports:privileges into master
2 unresolved threads

Changing the privilege escalation tool selection to use a virtual package allows for the possibility of installing without such a tool if needed (e.g. a managed system where you don't need the users to have access to doas).

This MR also splits run0 from systemd so that it isn't automatically installed when using systemd.

Merge request pipeline #214603 failed

Merge request pipeline failed for f48a9a3a


Activity

159 158 amove etc/udev/udev.conf
160 159 }
161 160
161 _privilege_doas() {
162 pkgdesc="Use doas as the privilege escalation tool."
163 depends="doas doas-sudo-shim"
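
Review bot: In _privilege_doas(), depends="doas doas-sudo-shim" makes the shim a hard dependency of selecting doas, so it cannot be dropped without also dropping the selected tool. Consider listing only doas here and carrying doas-sudo-shim in a separate subpackage or a recommends-style field. The pkgdesc should also say that the shim is pulled in, since "Use doas as the privilege escalation tool." does not make that visible.
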
  • 94 91 }
    95 92
    96 93 package() {
    94 # Privilege escalation tools are provided by a subpackage in this
    95 # APKBUILD and won't exist when this is evaluated at the top level.
    96 # It's moved into this function to work around it.
    97 depends="$depends $pkgname-privilege"
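
Review bot: In package(), depends="$depends $pkgname-privilege" is a hard dependency, so every install needs some provider of $pkgname-privilege; the no-tool install that the description aims at therefore needs an explicit provider for the empty choice, which these lines do not show. The comment would also be easier to follow if it named the subpackages that provide $pkgname-privilege and said which evaluation step fails at the top level, rather than ending on "work around it".
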
    • We could also ask the user with _pmb_select. Although I'm not sure if the average pmbootstrap user wants to configure that?

    • I didn't add that since we don't do that already and only "officially" support doas. If there is widespread support for supporting more than one then we could do that.

    • Hmmm, then I'm not even sure adding this much complexity to the APKBUILD is worth it tbh..

    • The complexity is basically just so an install without such a tool can be created. We could theoretically only do doas and none, but that would break existing installs using sudo.

    • I thought that since doas is currently in _pmb_recommends, a single apk add !doas run0 would suffice, no?

    • postmarketos-base depends on sudo-virt, which means that there is no way to create an install without a sudo tool currently. This is solved by adding doas-sudo-shim. Theoretically an empty package could be created that provides sudo-virt, but that sounds error-prone.

      I also didn't make run0 provide sudo-virt because doas doesn't either. Unless somebody makes a run0-sudo-shim I don't think that is a good idea.

      Edited by Aster Boese
    • Can we move sudo-virt to _pmb_recommends?

    • I also considered that (and also made that the first implementation), but my biggest worry is that a package providing sudo-virt would accidentally get uninstalled in some way and there wouldn't be a way to get another one since you don't have sudo anymore and we lock the root account.

      Edited by Aster Boese
    • Is there any practical reason to not want doas-sudo-shim installed?

    • Other than retraining muscle memory to use doas? Not really as far as I know.

    • For example to use doas and sudo simultaneously.

    • Hmm... that is actually a fair point. I'll see if I can come up with something that doesn't conflict.

  • achill (fossdd)
  • Jane Rachinger
  • otherwise LGTM, haven't tested it yet.

  • Aster Boese added 2 commits

    • 5edc6085 - extra-repos/systemd/systemd: add run0 subpackage
    • 3f32e0d8 - main/postmarketos-base: rework privilege escalation tool selection

  • Aster Boese added 12 commits

    • 3f32e0d8...eacfb4da - 10 commits from branch postmarketOS:master
    • df86a5dc - extra-repos/systemd/systemd: add run0 subpackage
    • f48a9a3a - main/postmarketos-base: rework privilege escalation tool selection

  • Aster Boese marked this merge request as draft

  • Sorry to bother you @JustSoup321,

    but we've detected that this merge request hasn't seen any recent activity. If you need help, want to discuss your approach with developers, or you are all done and this is waiting for review, you can ping @postmarketOS. You can also ask on matrix in #devel:postmarketos.org or #postmarketos-devel on OFTC.

    Thanks for your contribution.
