Mandos on Fedora/RHEL

Teddy Hogeborn teddy at recompile.se
Mon Oct 28 09:46:39 CET 2013


Nathanael Noblet <nathanael at gnat.ca> writes:

> > I've yet to look seriously into this.
>
> I'll take a look at it this week. I've never dug too deeply in there,
> however I can't imagine it's overly more complicated than any other
> initramfs type system.

What we need is the ability to override the "ask-for-password" part, and
it's not obvious that the makers of initramfs systems should think of
this as a feature.  But we'll see what's in there, I suppose.

> > > One of the things I know we'll have problems with is your
> > > Makefile hardcodes the lib directory to /usr/lib,
> > 
> > Um, say what?  We do?  Where?  Do you mean the /usr/lib/mandos
> > directory?  Note that we do not actually install *libraries* as
> > such, we only want an application-specific directory for Mandos
> > client binaries to be installed into the initramfs image.  They
> > *are* binaries, so they cannot go into /usr/share.
>
> So in this case I think they belong in Fedora in
> /usr/libexec.

Hmm.  /usr/libexec is not in any released version of the FHS.  And even
in the FHS 3.0 beta from the LSB people the libexec directory is
optional and an alternative to /usr/lib for binaries run by other
programs and not by users.  Also, I'm not sure this directory is
appropriate, because even though /usr/lib/mandos contains runnable
binaries, they are *never run* from that directory, not even by other
programs.  They are merely *stored* there, and then copied into the
initramfs when that is created or updated.

> > > and in a multi-lib situation x86_64 arches for fedora are /usr/lib64,
> > >
> > If I read the Debian standards correctly, they *prohibit*
> > /usr/lib64, and mandate /usr/lib instead, and *permit*
> > /usr/lib/x86_64-linux-gnu as an option.  How should a mere Makefile
> > detect where to install stuff?  What do others do?
> 
> So I think in most cases projects have a configure script that auto
> generates the Makefile. Distros can pass all their directory paths for
> everything to configure so it knows where to place it all. In a compiled
> distro this often results in compile time definitions passed through
> gcc or other compilation software.

Hmm, OK.  Fixed in trunk.

> So to include mandos in Fedora there are already some Makefile patches
> that will be required (for example the way the buildsystem works the
> installation of the /var/lib/mandos directory with install --user=x
> --group=y fails). The rpm system has a method for setting desired
> ownership and mode in the file manifest.

How do we detect, in the Makefile, that we shouldn't use --owner?
Should we just try "install" without --owner if it fails with it?

> LIBDIR=%{_libexec} make install and it installs to /usr/libexec

I think /usr/libexec/mandos is wrong, because the binaries aren't ever
run by anything.  /usr/lib64/mandos is more correct, which it should use
now.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos