Add a warning about the portage group and the possibility of exploits for bug #149062.
authorZac Medico <zmedico@gentoo.org>
Mon, 25 Sep 2006 21:16:32 +0000 (21:16 -0000)
committerZac Medico <zmedico@gentoo.org>
Mon, 25 Sep 2006 21:16:32 +0000 (21:16 -0000)
svn path=/main/trunk/; revision=4530

pym/portage_data.py

index 99874fcf4da0ebd3f5753bbcaca6ee99a67401cf..3bbb1dd5826b94bbd7e783970e2fe77bc1d69a15 100644 (file)
@@ -7,6 +7,8 @@
 import os,pwd,grp
 from portage_util import writemsg
 from output import green,red
+from output import create_color_func
+bad = create_color_func("BAD")
 
 ostype=os.uname()[0]
 
@@ -42,6 +44,13 @@ if not lchown:
 
 os.environ["USERLAND"]=userland
 
+def portage_group_warning():
+       warn_prefix = bad("*** WARNING ***  ")
+       writemsg(warn_prefix + "For security reasons, only system administrators should be\n")
+       writemsg(warn_prefix + "allowed in the portage group.  Untrusted users or processes\n")
+       writemsg(warn_prefix + "can potentially exploit the portage group for attacks such as\n")
+       writemsg(warn_prefix + "local privilege escalation.\n\n")
+
 # Portage has 3 security levels that depend on the uid and gid of the main
 # process and are assigned according to the following table:
 #
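Review bot: portage_group_warning() is added without a docstring, so nothing in the file records why the message exists or which report prompted it. I would add one directly under the `def` line, for example `"""Warn that portage group membership should be limited to system administrators (bug #149062)."""`. A short comment saying that group membership is treated as a trust boundary would also help whoever later edits the security-level table that follows. The four `writemsg` calls repeat the same prefix; a loop over the message lines would keep the wording in one place, though that is only a matter of style.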
@@ -89,6 +98,7 @@ except KeyError:
        writemsg(green("         portage:x:250:250:portage:/var/tmp/portage:/bin/false\n"))
        writemsg(green("         portage::250:portage\n"))
        writemsg("\n")
+       portage_group_warning()
 
 if (uid!=0) and (portage_gid not in os.getgroups()):
        writemsg("\n")
@@ -96,3 +106,4 @@ if (uid!=0) and (portage_gid not in os.getgroups()):
        writemsg(red("*** due to permissions preventing the creation of the on-disk cache.\n"))
        writemsg(red("*** Please add this user to the portage group if you wish to use portage.\n"))
        writemsg("\n")
+       portage_group_warning()
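Review bot: In this branch the warning is printed right after the line "Please add this user to the portage group if you wish to use portage", so the output first recommends membership and then says only administrators should have it. The reader here is a non-root user who is not in the group and presumably cannot change membership anyway. Rewording the preceding line would make the two messages agree, for example `writemsg(red("*** Ask a system administrator to add this user to the portage group only if the user is trusted.\n"))`. Because the `if` sits at module level, the warning appears to repeat on every import for such a user, which may train people to ignore it. The `if` statement itself begins above this hunk.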