Date: Wed, 30 Jan 2013 08:38:31 +0000 (UTC)
From: Mark Linimon <linimon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r40813 - head/en_US.ISO8859-1/articles/portbuild
Message-ID: <201301300838.r0U8cVPM059702@svn.freebsd.org>
Author: linimon Date: Wed Jan 30 08:38:31 2013 New Revision: 40813 URL: http://svnweb.freebsd.org/changeset/doc/40813 Log: Add notes on current rework and label it as WIP. Modified: head/en_US.ISO8859-1/articles/portbuild/article.xml Modified: head/en_US.ISO8859-1/articles/portbuild/article.xml ============================================================================== --- head/en_US.ISO8859-1/articles/portbuild/article.xml Wed Jan 30 08:19:37 2013 (r40812) +++ head/en_US.ISO8859-1/articles/portbuild/article.xml Wed Jan 30 08:38:31 2013 (r40813) 
@@ -2455,6 +2455,54 @@ zfs destroy -r a/snap/src-<replaceable>o <para>Please talk to Mark Linimon before making any changes to this section.</para> + <sect2 id="pointyhat-privsep"> + <title>Notes on privilege separation</title> + + <para>As of January 2013, a rewrite is in progress to further separate + privileges. The following concepts are introduced:</para> + + <itemizedlist> + <listitem> + <para>Server-side user <username>portbuild</username> assumes all + responsiblity for operations involving builds and communicating + with the clients. This user no longer has access to + <application>sudo</application>.</para> + </listitem> + + <listitem> + <para>Server-side user <username>srcbuild</username> is created + and given responsiblity for operations involving both VCS + operations and anything involving src builds for the clients. + This user does not have access to + <application>sudo</application>.</para> + </listitem> + + <listitem> + <para>The server-side + <literal>ports-</literal><replaceable>arch</replaceable> + users go away.</para> + </listitem> + + <listitem> + <para>None of the above server-side users have + <application>ssh</application> keys. Individual + <literal>portmgr</literal> will accomplish all those + tasks using <application>ksu</application>. (This is + still work-in-progress.)</para> + </listitem> + + <listitem> + <para>The only client-side user is also named + <username>portbuild</username> and still has access to + <application>sudo</application> for the purpose of managing + jails.</para> + </listitem> + </itemizedlist> + + <para>This document has not yet been updated with the latest changes. + </para> + </sect2> + <sect2 id="pointyhat-basics"> <title>Basic installation</title>
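Review bot: In the fourth listitem of the new pointyhat-privsep section, "Individual <literal>portmgr</literal> will accomplish all those tasks using <application>ksu</application>" does not say which tasks are meant, since the preceding sentence only states that the server-side users have no ssh keys, and "Individual portmgr" is missing its noun. Suggest naming the tasks and the target accounts explicitly, for example that individual portmgr members use ksu to become portbuild or srcbuild when they need to act as those users, if that is the intent. The final listitem leaves the client-side portbuild user with sudo "for the purpose of managing jails"; since the section is about privilege separation, it would help to state whether that sudo access is limited to the jail-management commands or is unrestricted. Two smaller points: "responsiblity" should be "responsibility" in both the portbuild and srcbuild items, and the closing </para> after "latest changes." sits on its own line, unlike the other paragraphs in the hunk.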