PATH, GOROOT, GOPATH about gokrazy HOT 7 CLOSED

Sounds like a great reason to separate building from writing to SD card. shrug If this doesn't seem important to you, I'll just have to take note that you don't care and move along.

from gokrazy.

The best practice is to not use sudo at all, but rather grant the required capabilities to the gokr-packer binary, as https://gokrazy.org/quickstart.html does via sudo setcap CAP_SYS_ADMIN,CAP_DAC_OVERRIDE=ep $(go env GOPATH)/bin/gokr-packer.

Why does that not work for you?

from gokrazy.

TLDR: That simply answers the question, sorry.

It's a long - now uninteresting story - from my first experiment with gokrazy, setting an environment up for root, then reverting back to user and messed up secure_path and env_keep in the sudoers file... eventually libcap2-bin not working anymore. Probably based on some initial misunderstanding of a few errors, the role of setcap, and necessity of elevated rights. Works on a "clean" machine just fine now.

from gokrazy.

Permanently giving some random binary CAP_SYS_ADMIN is a really bad idea. That allows it to e.g. extract secrets from from kernel memory and from disk. Transient privileges (for this run only) are much safer.

from gokrazy.

How exactly can one grant transient privileges?

from gokrazy.

You're already doing that with sudo, for the setcap run.

from gokrazy.

Using sudo for the gokr-packer command results in compilation happening as root, which is not intended.

If you dislike granting CAP_SYS_ADMIN, don’t specify a privileged device to the -overwrite= flag and do your own copying.

from gokrazy.