Date: Fri, 15 Feb 2013 14:53:39 +0000 (UTC)
From: Mark Linimon <linimon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r40974 - head/en_US.ISO8859-1/articles/portbuild
Message-ID: <201302151453.r1FErd6W085511@svn.freebsd.org>
Author: linimon
Date: Fri Feb 15 14:53:38 2013
New Revision: 40974
URL: http://svnweb.freebsd.org/changeset/doc/40974

Log:
  Move the privsep section up to the top of the document. No textual change.

Modified:
  head/en_US.ISO8859-1/articles/portbuild/article.xml

Modified: head/en_US.ISO8859-1/articles/portbuild/article.xml ============================================================================== --- head/en_US.ISO8859-1/articles/portbuild/article.xml Fri Feb 15 14:49:56 2013 (r40973) +++ head/en_US.ISO8859-1/articles/portbuild/article.xml Fri Feb 15 14:53:38 2013 (r40974) 
@@ -158,6 +158,51 @@ found in CVS</ulink>.</para> </note> </sect2> + + <sect2 id="pointyhat-privsep"> + <title>Notes on privilege separation</title> + + <para>As of January 2013, a rewrite is in progress to further separate + privileges. The following concepts are introduced:</para> + + <itemizedlist> + <listitem> + <para>Server-side user <username>portbuild</username> assumes all + responsiblity for operations involving builds and communicating + with the clients. This user no longer has access to + <application>sudo</application>.</para> + </listitem> + + <listitem> + <para>Server-side user <username>srcbuild</username> is created + and given responsiblity for operations involving both VCS + operations and anything involving src builds for the clients. + This user does not have access to + <application>sudo</application>.</para> + </listitem> + + <listitem> + <para>The server-side + <literal>ports-</literal><replaceable>arch</replaceable> + users go away.</para> + </listitem> + + <listitem> + <para>None of the above server-side users have + <application>ssh</application> keys. Individual + <literal>portmgr</literal> will accomplish all those + tasks using <application>ksu</application>. (This is + still work-in-progress.)</para> + </listitem> + + <listitem> + <para>The only client-side user is also named + <username>portbuild</username> and still has access to + <application>sudo</application> for the purpose of managing + jails.</para> + </listitem> + </itemizedlist> + </sect2> </sect1> <sect1 id="management"> 
@@ -2428,51 +2473,6 @@ zfs destroy -r a/snap/src-<replaceable>o <para>Please talk to Mark Linimon before making any changes to this section.</para> - <sect2 id="pointyhat-privsep"> - <title>Notes on privilege separation</title> - - <para>As of January 2013, a rewrite is in progress to further separate - privileges. The following concepts are introduced:</para> - - <itemizedlist> - <listitem> - <para>Server-side user <username>portbuild</username> assumes all - responsiblity for operations involving builds and communicating - with the clients. This user no longer has access to - <application>sudo</application>.</para> - </listitem> - - <listitem> - <para>Server-side user <username>srcbuild</username> is created - and given responsiblity for operations involving both VCS - operations and anything involving src builds for the clients. - This user does not have access to - <application>sudo</application>.</para> - </listitem> - - <listitem> - <para>The server-side - <literal>ports-</literal><replaceable>arch</replaceable> - users go away.</para> - </listitem> - - <listitem> - <para>None of the above server-side users have - <application>ssh</application> keys. Individual - <literal>portmgr</literal> will accomplish all those - tasks using <application>ksu</application>. (This is - still work-in-progress.)</para> - </listitem> - - <listitem> - <para>The only client-side user is also named - <username>portbuild</username> and still has access to - <application>sudo</application> for the purpose of managing - jails.</para> - </listitem> - </itemizedlist> - </sect2> - <sect2 id="pointyhat-basics"> <title>Basic installation</title>
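Review bot: In the first hunk (the added pointyhat-privsep section), "responsiblity" is misspelled in both the portbuild and srcbuild list items; since this commit is a pure move, a follow-up commit should correct it to "responsibility". Two content points belong in the same follow-up. The ssh item says individual portmgr "will accomplish all those tasks using ksu", but that item names no tasks, so it should state which operations go through ksu and to which of the server-side accounts. The last item leaves the client-side portbuild user with sudo "for the purpose of managing jails" without saying whether sudo is limited to jail management commands; stating the intended scope would make the privilege boundary something a reader can check.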
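Review bot: In the second hunk, the removed section sat directly under "Please talk to Mark Linimon before making any changes to this section.", and at its new location (the end of the sect1 that precedes sect1 id="management") that notice no longer covers it. If the notice was meant to apply to the privilege separation notes, repeat it inside the moved sect2; if not, no change is needed here. The id pointyhat-privsep is kept, so existing references should still resolve, but the sect2 is now in a different sect1 from pointyhat-basics, so it is worth confirming the pointyhat- prefix still fits where it lives.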