Move the privsep section up to the top of the document. No textual change.
parent
b91e74bc05
commit
aab0da1954
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=40974
1 changed files with 45 additions and 45 deletions
|
@ -158,6 +158,51 @@
|
|||
found in CVS</ulink>.</para>
|
||||
</note>
|
||||
</sect2>
|
||||
|
||||
<sect2 id="pointyhat-privsep">
|
||||
<title>Notes on privilege separation</title>
|
||||
|
||||
<para>As of January 2013, a rewrite is in progress to further separate
|
||||
privileges. The following concepts are introduced:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Server-side user <username>portbuild</username> assumes all
|
||||
responsiblity for operations involving builds and communicating
|
||||
with the clients. This user no longer has access to
|
||||
<application>sudo</application>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Server-side user <username>srcbuild</username> is created
|
||||
and given responsiblity for operations involving both VCS
|
||||
operations and anything involving src builds for the clients.
|
||||
This user does not have access to
|
||||
<application>sudo</application>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The server-side
|
||||
<literal>ports-</literal><replaceable>arch</replaceable>
|
||||
users go away.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>None of the above server-side users have
|
||||
<application>ssh</application> keys. Individual
|
||||
<literal>portmgr</literal> will accomplish all those
|
||||
tasks using <application>ksu</application>. (This is
|
||||
still work-in-progress.)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The only client-side user is also named
|
||||
<username>portbuild</username> and still has access to
|
||||
<application>sudo</application> for the purpose of managing
|
||||
jails.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
<sect1 id="management">
|
||||
|
@ -2428,51 +2473,6 @@ zfs destroy -r a/snap/src-<replaceable>old-branch</replaceable></screen>
|
|||
<para>Please talk to Mark Linimon before making any changes
|
||||
to this section.</para>
|
||||
|
||||
<sect2 id="pointyhat-privsep">
|
||||
<title>Notes on privilege separation</title>
|
||||
|
||||
<para>As of January 2013, a rewrite is in progress to further separate
|
||||
privileges. The following concepts are introduced:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Server-side user <username>portbuild</username> assumes all
|
||||
responsiblity for operations involving builds and communicating
|
||||
with the clients. This user no longer has access to
|
||||
<application>sudo</application>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Server-side user <username>srcbuild</username> is created
|
||||
and given responsiblity for operations involving both VCS
|
||||
operations and anything involving src builds for the clients.
|
||||
This user does not have access to
|
||||
<application>sudo</application>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The server-side
|
||||
<literal>ports-</literal><replaceable>arch</replaceable>
|
||||
users go away.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>None of the above server-side users have
|
||||
<application>ssh</application> keys. Individual
|
||||
<literal>portmgr</literal> will accomplish all those
|
||||
tasks using <application>ksu</application>. (This is
|
||||
still work-in-progress.)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The only client-side user is also named
|
||||
<username>portbuild</username> and still has access to
|
||||
<application>sudo</application> for the purpose of managing
|
||||
jails.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</sect2>
|
||||
|
||||
<sect2 id="pointyhat-basics">
|
||||
<title>Basic installation</title>
|
||||
|
||||
|
|