Ed_P wrote: ↑09 Oct 2022, 20:46
Would having the folder it's in only being accessible by root work also?
It sure would.
To be honest, I thought /sbin and /usr/sbin were meant to be only accessible for root.
001-core.xzm says otherwise:
Code: Select all
root@porteus:/mnt/live/memory/images/001-core.xzm# ls -od sbin/ usr/sbin/
drwxr-xr-x 2 root 4575 2022-07-23 11:21 sbin/
drwxr-xr-x 2 root 4773 2022-07-23 11:21 usr/sbin/
I think, when we want to change that, all modules would have to respect the different permissions. And since most packages would have /sbin or /usr/sbin with the same permissions as 001-core.xzm has, that approach would fail since the last activated module would overwrite the permissions of first activated modules…
But there would be not that much difference for a guest user in trying to run programs he should not run. Especially if he does not know the reasons why.
Cave! I renamed my newest local 011-slapt-get modules to keep track of the version numbers.
What 011-slapt-get-0.11.6-x86_64-2gv_2020.10.07.xzm and 011-slapt-get-0.11.6-x86_64-2gv_2020.10.09.xzm are about should be obvious.
babam changed not only getmod itself but also its location:
Code: Select all
root@porteus:/Porteus_modules# lsxzm 011-slapt-get-0.11.6-x86_64-2gv_2020.10.07.xzm |grep getmod
/usr/sbin/getmod
root@porteus:/Porteus_modules# lsxzm 011-slapt-get-0.11.6-x86_64-2gv_2020.10.09.xzm |grep getmod
/usr/bin/getmod
from /usr/sbin/getmod in V2020.10.07 to /usr/bin/getmod in V2020.10.09
We know that slapt-get would not really work when executed by a non-root user. At the moment you could make yourself a module containing slapt-get - but me thinks most users would prefer downloading babam's 011-slapt-get-* module since getmod is a very good script wrapper, very useful for Porteus users.
Since V2020.10.09, babam changed getmod to ask for the root password when started by a non-root user:
Code: Select all
# Switch to root:
if [ `whoami` != "root" ]; then
    sudo -E -p "Enter root's password: " "$0" "$@"
    exit
fi
So, we should think about what would be the best approach for now:
My humble suggestions:
Keep getmod in /usr/sbin/ since it is a system-related script. Keep it with the ability to ask for the root password when it's not started as user root.
Change slapt-get's permission inside all upcoming 011-slapt-get-* modules prior to the module creation like this:
Let us presume the working directory that contains all files for the module creation is /tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10 when the current date is 2020.10.10 (YYYY.MM.DD):
Code: Select all
root@porteus:/Porteus_modules# mkdir /tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10
root@porteus:/Porteus_modules# xzm2dir 011-slapt-get-0.11.6-x86_64-2gv_2020.10.09.xzm /tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/
Parallel unsquashfs: Using 8 processors
13 inodes (14 blocks) to write
[=================================================================|] 14/14 100%
created 9 files
created 23 directories
created 4 symlinks
created 0 devices
created 0 fifos
created 0 sockets
root@porteus:/Porteus_modules# cd /tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/usr/sbin/
root@porteus:/tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/usr/sbin# chmod og-x slapt-get
root@porteus:/tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/usr/sbin# ls -o slapt-get
-rwxr--r-- 1 root 32760 2022-07-11 10:41 slapt-get
root@porteus:/tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/usr/sbin# cd /tmp/
root@porteus:/tmp# dir2xzm 011-slapt-get-0.11.6-x86_64-2gv_2020.10.10/ 011-slapt-get-0.11.6-x86_64-2gv_2020.10.10_rava.xzm
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on 011-slapt-get-0.11.6-x86_64-2gv_2020.10.10_rava.xzm, block size 262144.
[=================================================================-] 15/15 100%
Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
compressed data, compressed metadata, compressed fragments,
compressed xattrs, compressed ids
duplicates are removed
Filesystem size 633.09 Kbytes (0.62 Mbytes)
33.18% of uncompressed filesystem size (1907.94 Kbytes)
Inode table size 494 bytes (0.48 Kbytes)
39.97% of uncompressed inode table size (1236 bytes)
Directory table size 454 bytes (0.44 Kbytes)
56.82% of uncompressed directory table size (799 bytes)
Number of duplicate files found 0
Number of inodes 36
Number of files 9
Number of fragments 1
Number of symbolic links 4
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 23
Number of ids (unique uids + gids) 1
Number of uids 1
root (0)
Number of gids 1
root (0)
Now test that module, shall we. My only changes from V2020.10.09 to my theoretical V2020.10.10 are the permissions of /usr/sbin/slapt-get into "root.root -rwxr--r--"
First deactivate your 011-slapt-get-* module if you have one activated in your system and activate the new test module. Recall that I renamed all newer versions according to their version.
Code: Select all
root@porteus:/tmp# deactivate 011-slapt-get-0.11.6-x86_64-2gv_2020.10.09.xzm
Updating shared library links: /sbin/ldconfig
root@porteus:/tmp# slapt-get
-su: slapt-get: command not found
root@porteus:/tmp# activate 011-slapt-get-0.11.6-x86_64-2gv_2020.10.10_rava.xzm
Updating shared library links: /sbin/ldconfig
Now let's test it for user guest
Code: Select all
guest@porteus:~$ getmod
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Enter root's password:
sudo: a password is required
I pressed Ctrl+C at the password prompt…
Now the test as guest for slapt-get:
Code: Select all
guest@porteus:~$ slapt-get
bash: slapt-get: command not found
guest@porteus:~$ /usr/sbin/slapt-get
bash: /usr/sbin/slapt-get: Permission denied
guest@porteus:~$ ls -o /usr/sbin/slapt-get
-rwxr--r-- 1 root 32760 2022-07-11 10:41 /usr/sbin/slapt-get
In my book that's the best solution for now.
getmod itself asks for root password since babam coded it like this since V2010-10-09
slapt-get itself is no longer executable for non-root users when the changes are applied as shown above.
Of course slapt-get still works for root, or for getmod, since now getmod runs under user root or not at all since V2010-10-09
Examples:
slapt-get as root
Code: Select all
root@porteus:~# file /usr/sbin/slapt-get
/usr/sbin/slapt-get: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped
root@porteus:~# ls -o /usr/sbin/slapt-get
-rwxr--r-- 1 root 32760 2022-07-11 10:41 /usr/sbin/slapt-get
root@porteus:~# slapt-get -u
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/]... 0Done
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/]... Done
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...Done
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/]... Done
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/15.0/]...Done
Retrieving patch list [http://slackware.uk/salix/x86_64/15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/15.0/]...Done
Retrieving checksum signature [http://slackware.uk/salix/x86_64/15.0/]...Done
Verifying checksum signature [http://slackware.uk/salix/x86_64/15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/15.0/]...Done
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Retrieving patch list [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Retrieving checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]... Done
Verifying checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Reading Package Lists...Done
root@porteus:~#
getmod as root
Code: Select all
root@porteus:~# getmod
getmod: A simple wrapper for slapt-get to build Porteus module.
getmod [-c] [-u] [-d|-m|-n PACKAGE_NAME] [-s PATTERN]
Options:
-c: Purge cached packages
-d: Download only
-m: Download and build module
-n: Download and build module without dependencies
-s: Search package
-u: Update database
-h: This usage
To change the temporary directory (default is /tmp), pass the TMP variable.
# TMP=/path/to/directory getmod -m packagename
Temporary directory is for storing downloaded packages, installing and converting to modules.
root@porteus:~# getmod -u
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/15.0/]...Cached
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Reading Package Lists...Done
getmod as guest:
Code: Select all
guest@porteus:~$ getmod -u
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Enter root's password:
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/]...Cached
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/slackware-15.0/extra/]...Done
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/15.0/]...Cached
Reading Package Lists...Done
Retrieving package data [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Retrieving patch list [http://slackware.uk/salix/x86_64/extra-15.0/]...Done
Retrieving checksum list [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Retrieving checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Verifying checksum signature [http://slackware.uk/salix/x86_64/extra-15.0/]...No key for verification
Retrieving ChangeLog.txt [http://slackware.uk/salix/x86_64/extra-15.0/]...Cached
Reading Package Lists...Done
Of course, since getmod would ask for the root password every time, it would make more sense to create a root terminal or a new tab in your terminal emulator and change that one tab into a root terminal by
Code: Select all
guest@porteus:~$ su -
Password:
root@porteus:~#
and then use that one terminal / that one root tab of your terminal emulator for all your getmod's needs… without needing the root password again, since you now have a permanent root terminal - until you choose to close it.
su - is the shorthand for su -l or su --login as you can see via su --help:
Code: Select all
guest@porteus:~$ su --help|grep "login shell"
-, -l, --login make the shell a login shell
guest@porteus:~$
All the above are my ideas and suggestions. Feel free to disagree, or to agree on them.
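A pre-pack check for the procedure in the post above, as an added example that is not part of the original post or of the Porteus tools: it verifies that the listed binaries in an extracted module tree carry no execute bit for group or other, and that sbin/ and usr/sbin/ keep the drwxr-xr-x mode that 001-core.xzm uses. The function names and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: permission check for a tree produced by xzm2dir, to be
# run before dir2xzm. All function names here are hypothetical.

# Succeeds if FILE has an execute bit set for group or other.
# find -perm is used so no GNU-only stat(1) format flags are needed.
exec_for_group_or_other() {
    [ -n "$(find "$1" -prune -type f \( -perm -010 -o -perm -001 \))" ]
}

# audit_module_tree TREE REL_PATH...
# Prints one line per finding; the return status is the number of findings.
# Only the execute bits the post changes are checked, not read bits.
audit_module_tree() {
    tree=$1; shift
    findings=0
    for rel in "$@"; do
        f="$tree/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"; findings=$((findings + 1))
        elif exec_for_group_or_other "$f"; then
            echo "EXEC_BY_NONROOT $rel"; findings=$((findings + 1))
        fi
    done
    # Directories must stay rwxr-xr-x like 001-core.xzm, so the order in
    # which modules are activated cannot change the resulting mode.
    for d in sbin usr/sbin; do
        [ -d "$tree/$d" ] || continue
        if [ -z "$(find "$tree/$d" -prune -perm -755 ! -perm -020 ! -perm -002)" ]; then
            echo "DIR_MODE_DIFFERS $d"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed demo tree standing in for the xzm2dir output directory.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sbin" && chmod 755 "$t/usr/sbin"
    : > "$t/usr/sbin/slapt-get" && chmod 755 "$t/usr/sbin/slapt-get"
    echo "$t"
}
```

Called as `audit_module_tree /tmp/011-slapt-get-0.11.6-x86_64-2gv_2020.10.10 usr/sbin/slapt-get`, a return status of 0 means the tree has no findings and can be packed.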