# How to assign ACL to user for emerge

## jesterspet

I am trying to assign ACL permissions to a user so that the user can run emerge, without having to give them sudo access.

I tried simply giving that user read and execute permissions:

```
getfacl /usr/bin/emerge

getfacl: Removing leading '/' from absolute path names

# file: usr/bin/emerge

# owner: root

# group: root

user::rwx

user:testuser:r-x

group::r-x

mask::r-x

other::r-x

```

This was unsuccessful:

```
$ emerge -uv world

emerge: superuser access is required

```

I tried adding that user to the portage group, but the results have not changed.

What am I missing?  Do I need to add testuser to other file ACL's?  If so, which ones?

----------

## gentoo_ram

Even if they have access to the emerge script, emerge is eventually going to need access to write to the entire filesystem.  And to do that, it needs root access.  What's the difference if your user types 'emerge -u world' or 'sudo emerge -u world'?  You can configure sudo so that they can only use it to issue the emerge command.

----------

## jesterspet

The difference is that method does not use access control lists at all, and uses sudo which was not desired.

I already know how to give a user access to emerge via sudo.

What I do not know, is how to give a user access to emerge via ACL's.

----------

## krinn

I don't think portage can work as user, some parts could be, and to use that you have to put your user in the portage group, but think of what portage is doing.

How can you run a program that will replace root files : toolchain... by files not own by root ?

It could be possible to have a portage running as a user upto the install phase, but the install part will always need root access.

So using ACL or anything, at end, you will run portage with root privilege, and any user grant to run in that context portage will be grant root privileges.

It's even worst the user doesn't even need to tweak portage: no decompile, patching... need or anything (first because portage is python) and second because portage will do what the user wish just by running an ebuild with the commands he wish in it.

I think ebuild api specify many calls must be made for security and portability reasons thru portage api, like making a symlink or creating a directory by api calls instead of running mkdir or ln, but this won't mean portage cannot run ln or mkdir.

I'm not sure a dev will answer it better there, but i think portage can run anything ask by an ebuild.

----------

## Hu

 *jesterspet wrote:*   

> The difference is that method does not use access control lists at all, and uses sudo which was not desired.
> 
> I already know how to give a user access to emerge via sudo.
> 
> What I do not know, is how to give a user access to emerge via ACL's.

 You have already given the user access to emerge.  If you had not, you would have received a permission error from your shell due to inability to read the emerge script.

Regarding your likely intended purpose of granting a user the ability to install packages: the package manager must be run with privilege.  At best, you could make a setuid wrapper or sudo authorized wrapper to invoke emerge with limited arguments so that the unprivileged user cannot uninstall core components.

Could you explain why you want to use ACLs instead of sudo?  What do you think ACLs will allow you to do that you cannot do with sudo?

----------

## jesterspet

 *Hu wrote:*   

> Could you explain why you want to use ACLs instead of sudo?  What do you think ACLs will allow you to do that you cannot do with sudo?

 

I would like to be able to archive/move/replicate permissions from one machine to another without having to ensure sudo is installed, nor having to add/create groups on new boxes, nor having multiple configuration files to edit.  

I'd like to be able to run

```
$ getfacl -R /usr > user\ directory.facl
```

to back up access controls for a system

and

```
$ setfacl --restore user\ directory.facl
```

to restore them.

----------

## py-ro

I think you misunderstood the use of ACLs on Linux. You can't gain root privileges with them (beside suid-bit).

They only grant more granular filesystem rights.

Py

----------

