From d411903f6a6dbaf1d6039aaaf24fdfb9e1f186cf Mon Sep 17 00:00:00 2001
From: Zac Medico <zmedico@gentoo.org>
Date: Mon, 13 Mar 2006 19:59:23 +0000
Subject: [PATCH] Document portage_data.secpass and give secpass=0 to users
 that are not in the "portage" group.

svn path=/main/trunk/; revision=2866
---
 pym/portage_data.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pym/portage_data.py b/pym/portage_data.py
index 00148f907..3739e6c59 100644
--- a/pym/portage_data.py
+++ b/pym/portage_data.py
@@ -38,7 +38,17 @@ if not lchown:
 	
 os.environ["USERLAND"]=userland
 
-#Secpass will be set to 1 if the user is root or in the portage group.
+# Portage has 3 security levels that depend on the uid and gid of the main
+# process and are assigned according to the following table:
+#
+# Privileges  secpass  uid    gid
+# normal      0        any    any
+# group       1        any    portage_gid
+# super       2        0      any
+#
+# If the "wheel" group does not exist then wheelgid falls back to 0.
+# If the "portage" group does not exist then portage_uid falls back to wheelgid.
+
 secpass=0
 
 uid=os.getuid()
@@ -60,7 +70,7 @@ except KeyError:
 try:
 	portage_uid=pwd.getpwnam("portage")[2]
 	portage_gid=grp.getgrnam("portage")[2]
-	if (secpass==0):
+	if secpass < 1 and portage_gid in os.getgroups():
 		secpass=1
 except KeyError:
 	portage_uid=0
-- 
2.26.2