From: Mark Linimon
Date: Wed, 30 Jan 2013 08:38:31 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r40813 - head/en_US.ISO8859-1/articles/portbuild

Author: linimon
Date: Wed Jan 30 08:38:31 2013
New Revision: 40813
URL: http://svnweb.freebsd.org/changeset/doc/40813

Log:
  Add notes on current rework and label it as WIP.

Modified:
  head/en_US.ISO8859-1/articles/portbuild/article.xml

Modified: head/en_US.ISO8859-1/articles/portbuild/article.xml
==============================================================================
--- head/en_US.ISO8859-1/articles/portbuild/article.xml Wed Jan 30 08:19:37 2013 (r40812)
+++ head/en_US.ISO8859-1/articles/portbuild/article.xml Wed Jan 30 08:38:31 2013 (r40813)
@@ -2455,6 +2455,54 @@ zfs destroy -r a/snap/src-o Please talk to Mark Linimon before making any changes to this section. + + Notes on privilege separation + + As of January 2013, a rewrite is in progress to further separate + privileges. The following concepts are introduced: + + + + Server-side user portbuild assumes all + responsiblity for operations involving builds and communicating + with the clients. This user no longer has access to + sudo. + + + + Server-side user srcbuild is created + and given responsiblity for operations involving both VCS + operations and anything involving src builds for the clients. + This user does not have access to + sudo. + + + + The server-side + ports-arch + users go away. + + + + None of the above server-side users have + ssh keys. Individual + portmgr will accomplish all those + tasks using ksu. (This is + still work-in-progress.) + + + + The only client-side user is also named + portbuild and still has access to + sudo for the purpose of managing + jails. + + + + This document has not yet been updated with the latest changes. + + + Basic installation
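Review bot: "responsiblity" is misspelled in both the portbuild and the srcbuild items of the new "Notes on privilege separation" list; both should read "responsibility". In the ssh keys item, "Individual portmgr will accomplish all those tasks using ksu" has no antecedent for "those tasks" and reads as if a word is missing after "portmgr"; naming the tasks (the ones that previously relied on the server-side users' ssh keys, if that is what is meant) and who performs them would make the intended access path auditable. The client-side item says portbuild "still has access to sudo for the purpose of managing jails" without saying whether that access is limited to jail management, so it would help to state the intended scope, since this is the one account in the new model that keeps sudo. Finally, "This document has not yet been updated with the latest changes" sits at the end of the added section, where a reader following the earlier, not yet updated instructions will not see it; consider moving that sentence to the start of the section.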