Move the privsep section up to the top of the document. No textual change.
		
							parent
							
								
									b91e74bc05
								
							
						
					
					
						commit
						aab0da1954
					
				
				
				Notes:
				
					svn2git
				
				2020-12-08 03:00:23 +00:00 
				
			
			svn path=/head/; revision=40974
					 1 changed files with 45 additions and 45 deletions
				
			
		|  | @ -158,6 +158,51 @@ | |||
| 	  found in CVS</ulink>.</para> | ||||
|       </note> | ||||
|     </sect2> | ||||
| 
 | ||||
|     <sect2 id="pointyhat-privsep"> | ||||
|       <title>Notes on privilege separation</title> | ||||
| 
 | ||||
|       <para>As of January 2013, a rewrite is in progress to further separate | ||||
| 	privileges.  The following concepts are introduced:</para> | ||||
| 
 | ||||
|       <itemizedlist> | ||||
| 	<listitem> | ||||
| 	  <para>Server-side user <username>portbuild</username> assumes all | ||||
| 	    responsiblity for operations involving builds and communicating | ||||
| 	    with the clients.  This user no longer has access to | ||||
| 	    <application>sudo</application>.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>Server-side user <username>srcbuild</username> is created | ||||
| 	    and given responsiblity for operations involving both VCS | ||||
| 	    operations and anything involving src builds for the clients. | ||||
| 	    This user does not have access to | ||||
| 	    <application>sudo</application>.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>The server-side | ||||
| 	    <literal>ports-</literal><replaceable>arch</replaceable> | ||||
| 	    users go away.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>None of the above server-side users have | ||||
| 	    <application>ssh</application> keys.  Individual | ||||
| 	    <literal>portmgr</literal> will accomplish all those | ||||
| 	    tasks using <application>ksu</application>.  (This is | ||||
| 	    still work-in-progress.)</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>The only client-side user is also named | ||||
| 	    <username>portbuild</username> and still has access to | ||||
| 	    <application>sudo</application> for the purpose of managing | ||||
| 	    jails.</para> | ||||
| 	</listitem> | ||||
|       </itemizedlist> | ||||
|     </sect2> | ||||
|   </sect1> | ||||
| 
 | ||||
|   <sect1 id="management"> | ||||
|  | @ -2428,51 +2473,6 @@ zfs destroy -r a/snap/src-<replaceable>old-branch</replaceable></screen> | |||
|     <para>Please talk to Mark Linimon before making any changes | ||||
|       to this section.</para> | ||||
| 
 | ||||
|     <sect2 id="pointyhat-privsep"> | ||||
|       <title>Notes on privilege separation</title> | ||||
| 
 | ||||
|       <para>As of January 2013, a rewrite is in progress to further separate | ||||
| 	privileges.  The following concepts are introduced:</para> | ||||
| 
 | ||||
|       <itemizedlist> | ||||
| 	<listitem> | ||||
| 	  <para>Server-side user <username>portbuild</username> assumes all | ||||
| 	    responsiblity for operations involving builds and communicating | ||||
| 	    with the clients.  This user no longer has access to | ||||
| 	    <application>sudo</application>.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>Server-side user <username>srcbuild</username> is created | ||||
| 	    and given responsiblity for operations involving both VCS | ||||
| 	    operations and anything involving src builds for the clients. | ||||
| 	    This user does not have access to | ||||
| 	    <application>sudo</application>.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>The server-side | ||||
| 	    <literal>ports-</literal><replaceable>arch</replaceable> | ||||
| 	    users go away.</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>None of the above server-side users have | ||||
| 	    <application>ssh</application> keys.  Individual | ||||
| 	    <literal>portmgr</literal> will accomplish all those | ||||
| 	    tasks using <application>ksu</application>.  (This is | ||||
| 	    still work-in-progress.)</para> | ||||
| 	</listitem> | ||||
| 
 | ||||
| 	<listitem> | ||||
| 	  <para>The only client-side user is also named | ||||
| 	    <username>portbuild</username> and still has access to | ||||
| 	    <application>sudo</application> for the purpose of managing | ||||
| 	    jails.</para> | ||||
| 	</listitem> | ||||
|       </itemizedlist> | ||||
|     </sect2> | ||||
| 
 | ||||
|     <sect2 id="pointyhat-basics"> | ||||
|       <title>Basic installation</title> | ||||
| 
 | ||||
|  |  | |||