Comments (7)
Sounds like a great reason to separate building from writing to SD card. shrug If this doesn't seem important to you, I'll just have to take note that you don't care and move along.
The best practice is to not use sudo at all, but rather grant the required capabilities to the gokr-packer binary, as https://gokrazy.org/quickstart.html does via sudo setcap CAP_SYS_ADMIN,CAP_DAC_OVERRIDE=ep $(go env GOPATH)/bin/gokr-packer.
Why does that not work for you?
TLDR: That simply answers the question, sorry.
It's a long - now uninteresting - story from my first experiment with gokrazy, setting an environment up for root, then reverting back to user and messing up secure_path and env_keep in the sudoers file... eventually libcap2-bin was not working anymore. Probably based on some initial misunderstanding of a few errors, the role of setcap, and the necessity of elevated rights. Works on a "clean" machine just fine now.
Permanently giving some random binary CAP_SYS_ADMIN is a really bad idea. That allows it to e.g. extract secrets from kernel memory and from disk. Transient privileges (for this run only) are much safer.
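As an added example (not part of this thread or of the gokrazy project), a small POSIX shell audit that parses getcap output and flags binaries carrying permanent root-equivalent file capabilities such as the CAP_SYS_ADMIN,CAP_DAC_OVERRIDE=ep grant discussed above. The sample getcap lines and paths are constructed.

```shell
#!/bin/sh
# Audit getcap(8) output for binaries that permanently hold root-equivalent
# file capabilities, such as the CAP_SYS_ADMIN,CAP_DAC_OVERRIDE=ep that the
# gokrazy quickstart sets on gokr-packer. Real-world use:
#   getcap -r / 2>/dev/null | flag_risky_caps

# Capability names (as getcap prints them) that amount to root access when
# held permanently: CAP_SYS_ADMIN is a catch-all, CAP_DAC_OVERRIDE bypasses
# file permission checks, the rest allow process or kernel takeover.
RISKY_CAPS="cap_sys_admin cap_dac_override cap_dac_read_search cap_setuid cap_sys_ptrace cap_sys_module"

# Return 0 when a capability string such as "cap_dac_override,cap_sys_admin=ep"
# (or the older "...+ep" form) names a risky capability, 1 otherwise.
caps_are_risky() {
    # Drop the action suffix (=ep / +ep) and split the comma-separated names.
    names=$(printf '%s' "$1" | sed 's/[=+].*$//' | tr ',' ' ')
    # An empty name list ("=ep") or "all" means every capability is granted.
    if [ -z "$names" ] || [ "$names" = "all" ]; then
        return 0
    fi
    for n in $names; do
        for r in $RISKY_CAPS; do
            [ "$n" = "$r" ] && return 0
        done
    done
    return 1
}

# Read getcap lines on stdin and print "RISKY <path> <caps>" for each hit.
# Handles both layouts getcap has used: "path = caps" and "path caps".
flag_risky_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}
        caps=${line##* }
        if caps_are_risky "$caps"; then
            printf 'RISKY %s %s\n' "$path" "$caps"
        fi
    done
}

# Constructed sample getcap output (hypothetical paths) so this runs offline.
SAMPLE_GETCAP='/home/user/go/bin/gokr-packer cap_dac_override,cap_sys_admin=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep'

printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
```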
How exactly can one grant transient privileges?
You're already doing that with sudo, for the setcap run.
Using sudo for the gokr-packer command results in compilation happening as root, which is not intended.
If you dislike granting CAP_SYS_ADMIN, don't specify a privileged device to the -overwrite= flag and do your own copying.