From 27065bcae1339649a23d2decd41b8503dcd3c490 Mon Sep 17 00:00:00 2001
From: bdubbs <bdubbs@103bf434-28df-0310-ab84-f3a62b6b63b3>
Date: Wed, 8 Feb 2012 18:20:00 +0000
Subject: [PATCH] Update 'more_control' hint

git-svn-id: svn://svn.linuxfromscratch.org/hints/trunk@1124 103bf434-28df-0310-ab84-f3a62b6b63b3
---
 ...kg_man.txt => more_control_and_pkg_man_v1_4.txt | 474 +++++++++++++--------
 1 file changed, 300 insertions(+), 174 deletions(-)
 rename more_control_and_pkg_man.txt => more_control_and_pkg_man_v1_4.txt (84%)

diff --git a/more_control_and_pkg_man.txt b/more_control_and_pkg_man_v1_4.txt
similarity index 84%
rename from more_control_and_pkg_man.txt
rename to more_control_and_pkg_man_v1_4.txt
index 49c7356..43bfd86 100644
--- a/more_control_and_pkg_man.txt
+++ b/more_control_and_pkg_man_v1_4.txt
@@ -1,11 +1,12 @@
+ 
 AUTHOR: Matthias S. Benkmann <article at winterdrache dot de>
 
-DATE: 2005-11-13
+DATE: 2007-10-20
 
-LICENSE: Creative Commons Attribution-NoDerivs 2.0 
-         (http://creativecommons.org/licenses/by-nd/2.0/)
+LICENSE: Creative Commons Attribution-Share Alike 3.0
+         (http://creativecommons.org/licenses/by-sa/3.0/)
 
-SYNOPSIS: More Control and Package Management using Package Users (v1.2)
+SYNOPSIS: More Control and Package Management using Package Users (v1.4)
 
 DESCRIPTION:
 -You want to know which packages your files belong to ?                 
@@ -19,8 +20,8 @@ ATTACHMENTS:
 http://www.linuxfromscratch.org/hints/downloads/attachments/more_control_and_pkg_man/more_control_helpers.tar.bz2
 
 PREREQUISITES:
-For use with LFS book 6.0: Brain.
-For use with LFS book later than 6.0: Brain (awake, good working condition).
+For use with LFS book 6.2: Brain.
+For use with LFS book later than 6.2: Brain (awake, good working condition).
 
 HINT:
 
@@ -46,6 +47,7 @@ HINT:
   4.5 Write to Non-Install Directory
   4.6 Delete or Overwrite File
   4.7 /sbin/ldconfig
+  4.8 What Commands to Run as a Package User
 5. The more_control_helpers Archive
   5.1 Overview
   5.2 The Wrappers
@@ -233,6 +235,9 @@ TIP:
   BTW, at http://freshmeat.net/projects/bashcompletion/
   you can find a project that offers sophisticated completions for many
   other commands.
+  
+  Or switch to zsh (http://freshmeat.net/projects/zsh/). It's more powerful
+  and less buggy than bash.
 
 
  3.3 Groups
@@ -531,8 +536,24 @@ installation so that the dynamic libraries are properly registered on the
 system. Because a package user is not allowed to overwrite /etc/ld.so.cache
 ldconfig fails. This failure is commonly ignored in Makefiles, but you should
 take note of it anyway, because you need to run ldconfig as root after
-the installation.
- 
+the installation. Alternatively, the more_control_helpers contain a wrapper 
+program that calls /sbin/ldconfig and can be made setuid root.
+
+
+ 4.8 What Commands to Run as a Package User  
+ ------------------------------------------
+
+A common problem that new users of this hint have is to decide which commands
+to run as a package user and which commands to run as root. The general rule
+is that the only commands to run as a package user are those for building,
+installing, removing and modifying the files that belong to *that* package 
+user's package. Everything else should be run as root as usual. 
+Some things you CAN/SHOULD NOT DO as a package user include
+
+    - starting daemons
+    - running udevstart
+    - stripping /lib/*
+
  
 ############################################################################
  5. The more_control_helpers Archive
@@ -567,7 +588,7 @@ can help with the latter problem, but they still have to be custom fitted to
 every package that needs them. There is a better solution, though. While there
 exist countless ways to install files, only very few are commonly used by
 packages. The 5 commands mkdir, chgrp, chown, chmod and install are responsible 
-for many of the common problems that arise during an LFS installation. This
+for most of the problems that arise during an LFS installation. This
 prompted me to write wrapper scripts for these 5 commands that recognize
 certain problematic patterns and deal with them automatically.
 
@@ -673,6 +694,11 @@ to switch to the newly created account. If the default .bashrc and
 the examples in the more_control_helpers archive, you will be put right into
 your package user's home directory so that you can start installing right away.
 
+TIP:
+  The install_package script can be called with a single argument that will
+  be used as user name, group name and description. So instead of the above
+  command a simple `install_package foo' would have sufficed.
+
 The add_package_user script is responsible for the actual work of creating
 a new package user account. Given a name, a group name and a description, it
 will create a new user account with the provided primary group and the install
@@ -935,7 +961,28 @@ install_package/add_package_user to populate the home directories of newly
 created package users.
  
  
- 5.10 Temporary Files 
+ 5.10 ldconfig.c
+ --------------------
+
+A lot of packages contain libraries. Having to manually call /sbin/ldconfig
+as root after installing these packages can become annoying. It would be
+much easier if one could grant package users permission to use /sbin/ldconfig.
+Making ldconfig setuid root would be a simple and effective solution, but
+there are some pitfalls. First of all it is imperative that ordinary users
+be prohibited from executing ldconfig with elevated privileges. Otherwise
+an ordinary user can overwrite and possibly read arbitrary files on the 
+system. This can be prevented by making ldconfig owned by group install and
+removing the o+x bit from the file mode. While this setup is no less secure
+than running `make install' as root, one reason why we're using package users
+is because we don't feel safe doing that. To protect against the (admittedly
+very theoretical) danger of a malicious package user, the more_control_helpers
+provide ldconfig.c. The only thing this program does is to call 
+`/sbin/ldconfig -v' with an empty environment. Because it doesn't evaluate
+any user input and doesn't pass any user-provided data to ldconfig, it can
+safely be made setuid root. 
+
+
+ 5.11 Temporary Files 
  --------------------
 
 3 files in the more_control_helpers archive are only used during the 
@@ -958,34 +1005,37 @@ try anything funky with them.
  6. Pre-Chroot Phase (Chapter 5)
 #############################################################################
 
-Build Chapter 5 exactly as explained by the LFS book. There is only one
-little change you have to make. After running `make install' for the coreutils
-package, issue the following command (still from within the coreutils
-build directory):
+Build Chapter 5 explained by the LFS book with the following changes:
+
+coreutils:
+  After running `make install' for the coreutils
+  package, issue the following command (still from within the coreutils
+  build directory):
 
     cp src/su /tools/bin
     
-This installs the su binary. Coreutils doesn't install su when working as
-non-root (which we do in Chapter 5), because su needs to be setuid root for
-normal operation and a non-root user cannot install setuid root binaries. 
-But for our purposes (i.e. su'ing from root to a package user) a non-setuid 
-su is enough, so we just copy coreutils' su to /tools/bin without making it
-setuid root.
-    
-When you have reached the end of Chapter 5, before you begin with Chapter 6 
-you will need to install the helper scripts in the /tools directory so that
-they are available once you've entered the chroot environment. Use the
-following commands to install the more_control_helpers in /tools:
+  This installs the su binary. Coreutils doesn't install su when working as
+  non-root (which we do in Chapter 5), because su needs to be setuid root for
+  normal operation and a non-root user cannot install setuid root binaries. 
+  But for our purposes (i.e. su'ing from root to a package user) a non-setuid 
+  su is enough, so we just copy coreutils' su to /tools/bin without making it
+  setuid root.
+  
+more_control_helpers:
+  When you have reached the end of Chapter 5, before you begin with Chapter 6 
+  you will need to install the helper scripts in the /tools directory so that
+  they are available once you've entered the chroot environment. Use the
+  following commands to install the more_control_helpers in /tools:
 
     cd /tools &&
     tar xjf /path/to/more_control_helpers.tar.bz2 &&
     cd  more_control_helpers &&
     cp ./sbin/* /tools/bin
     
-Note that the target directory is "/tools/bin" in the cp command and 
-*not* "/tools/sbin", although the latter location would be more appropriate.
-The reason for this is simply that the LFS instructions do not add 
-"/tools/sbin" to the PATH (and neither do the instructions in this hint).
+  Note that the target directory is "/tools/bin" in the cp command and 
+  *not* "/tools/sbin", although the latter location would be more appropriate.
+  The reason for this is simply that the LFS instructions do not add 
+  "/tools/sbin" to the PATH (and neither do the instructions in this hint).
 
 
 #############################################################################
@@ -1062,10 +1112,14 @@ If you don't want to use the user=group scheme, change the last argument to
 the desired group name. The description is arbitrary but needs to meet the
 requirements for the description field of an /etc/passwd entry.
 
+TIP:
+  Remember that you can call install_package with just one argument, if you
+  want user name, group name and description to be the same.
+
 The directory /usr/src/linux-libc-headers will be set up as the home directory
 for the package user, automatically populated with the contents of 
 /etc/pkgusr/skel-package. The install_package command also issues the command
-`su linux-libc-headers' to assume the identity of the newly created package
+`su - linux-libc-headers' to assume the identity of the newly created package
 user. If you're using the bashrc and bash_profile scripts from the
 more_control_helpers archive, you will be put straight into the directory 
 /usr/src/linux-libc-headers and your prompt will look like this
@@ -1115,9 +1169,9 @@ when building your LFS system. You should copy the information from this
 section to the INSTALL NOTES of the relevant .project files for the packages 
 concerned, together with any of your own notes.
 
-NOTE: If you're building by an LFS book later than 6.0 it is recommended that
+NOTE: If you're building by an LFS book later than 6.2 it is recommended that
       you read this complete chapter before you start building any packages.
-      If your LFS version is 6.0 then it's fine to read this section package
+      If your LFS version is 6.2 then it's fine to read this section package
       by package as you progress with your build.
 
 
@@ -1132,11 +1186,11 @@ linux-libc-headers:
     and you don't want to chown the headers to root:root, because that would 
     defeat the whole point of installing the headers with a package user.
     
-    There's another packaging error in the linux-libc-headers archive.
-    The files are stored with incorrect permissions. They are supposed to
-    be world-readable, but they are not. The book's instructions already
-    tell you how to correct this but I point it out, because this error will 
-    resurface a little later.
+    There used to be another packaging error in the linux-libc-headers. 
+    Version 2.6.12.0 (current as of this writing) doesn't have it anymore,
+    but older versions used to contain files with permissions set incorrectly. 
+    All headers are supposed to be world-readable, but they weren't. More about
+    this later in the glibc notes.
 
 
 man-pages:
@@ -1145,7 +1199,9 @@ man-pages:
     right at the beginning of the wrapper script `install'.
 
     Recent versions of man-pages contain POSIX manpages that the package
-    tries to install in /usr/share/man/man{0,1,3}p. As /usr/share/man is
+    tries to install in /usr/share/man/man{0,1,3}p. There's also a manpage
+    that man-pages wants to install to /usr/share/man/man9.
+    As /usr/share/man is
     not an install directory and the LFS book does not have instructions to
     create these directories at the time of this writing, the installation 
     will fail and the respective man-pages will not be installed.
@@ -1158,15 +1214,21 @@ man-pages:
       2. Ignore the problem and live without the POSIX manpages. Unless
          you are a developer (including script writer) who is interested
          in writing portable programs/scripts this is a good solution.
-      3. Create the directories /usr/share/man/man{0,1,3}p as root
+      3. Create the directories /usr/share/man/man{0,1,3}p and man9 as root
          prior to installing man-pages. You'll have to either chown them
          to the man-pages package user or make them install directories.
          This is my preferred solution.
 
 
 glibc:
-    The packaging error of libc-linux-headers described earlier also affects
-    the glibc build. Because of the error, the headers in /tools/include
+    It is kind of unfortunate that the packaging error of libc-linux-headers 
+    concerning the permissions doesn't exist in the current version. It 
+    provided for a great learning experience. I've kept the following section
+    in the hint for this reason even though it doesn't apply anymore. Please
+    take the time to read it.
+    
+--------------------- old stuff start ----------------------------------------
+    Because of the error, the headers in /tools/include
     are not world-readable. Unfortunately the LFS book (as of this writing)
     does not correct this in Chapter 5 like it does in Chapter 6. For a
     standard LFS build this is no problem, because glibc is built as root and
@@ -1236,6 +1298,7 @@ glibc:
     world-readable with commands similar to those the LFS book presents 
     in Chapter 6 for the installation of linux-libc-headers.
     Once this change has been made, glibc's configure succeeds.
+--------------------- old stuff end -----------------------------------------    
 
 TIP:
     Even when configure completes successfully, you should still check the
@@ -1253,7 +1316,8 @@ TIP:
     With the wrappers the glibc build and install should work smoothly. 
     The wrapper script for install makes sure that the /usr/share/locale/* 
     directories become install directories so that other programs can install 
-    their localized messages. One thing that the wrappers do not take care of, 
+    their localized messages. 
+    One thing that the wrappers do not take care of, 
     however, is the file /usr/share/info/dir. Because in the current LFS build
     order glibc is the first package that installs info files, dir is owned by 
     and only writable by glibc. In order to allow other packages to install 
@@ -1290,32 +1354,89 @@ TIP:
     root once you make the first manual edit, ensures that a later 
     reinstallation of a package won't silently do away with your manual tweaks.
 
+ldconfig:
+    Now that glibc has installed /sbin/ldconfig you can activate the ldconfig
+    wrapper if you want to. Perform the following steps as root 
+    AFTER re-adjusting the toolchain, 
+    just before starting with binutils:
+    
+       cd /usr/lib/pkgusr
+       gcc -O2 -W -Wall -o ldconfig ldconfig.c
+       chown root:install ldconfig
+       chmod u=rwxs,g=rxs,o= ldconfig
+  
+    These instructions make the ldconfig wrapper setuid root and setgid install
+    and prevent non-root users not in the install group from executing it. 
+    The setuid root is required so that it can replace /etc/ld.so.cache. 
+    The setgid install is not strictly required, but without it 
+    /etc/ld.so.cache will end up with the group of the last package user that 
+    touched it. If you use the user name=group name scheme this will cause the 
+    more_control_helpers scripts to believe that /etc/ld.so.cache belongs to 
+    the package in question which can be confusing.
 
 binutils:
+    Have you make /usr/share/info/dir group-writable as explained above in
+    the glibc notes? If you've missed that part, go back and do it now.
     The installation of binutils should complete without problems. 
     It does however cause minor conflicts with autoconf (see later).
     
+NOTE:
+    At the time of this writing the version of bash used in the LFS book has
+    a bug that causes the list_package script to spit out errors and to list
+    all manpages of binutils (and other packages) as Broken. This bug is 
+    already fixed by the bash patch used by the book but the patch is not
+    applied in chapter 5. Since the manpage summary functionality of 
+    list_package requires man which is not installed until after bash is
+    rebuilt, this doesn't really matter, because while patching the
+    chapter 5 bash would get rid of the error messages, it wouldn't result
+    in usable manpage summaries.
+    
     
 gcc:
-    Because the /usr/lib/libgcc_s.so.1 symlink created at the beginning of
+    Because the /usr/lib/libgcc_s.so* symlinks created at the beginning of
     Chapter 6 is owned by root, gcc's installation cannot remove it. 
     So you will have to remove it as root before `make install'.
+    Alternatively use
+    
+       chown -h gcc: /usr/lib/libgcc*
+       
+    to change ownership of the files in question after creating the gcc
+    package user. Note the -h option which has to be used to change 
+    ownership of the symlinks themselves rather than their target files.
+
+db:
+    It should be obvious that you don't want to change the ownership of the
+    installed files.
     
     
 coreutils:
     Because the /bin/cat, /bin/pwd and /bin/stty symlinks are owned by root,
     coreutils' installation cannot remove them. So you will have to remove 
-    them manually before `make install'.
+    them manually before `make install'. Alternatively use the command
+    
+       chown -h coreutils: /bin/{cat,pwd,stty}
+       
+    after creating the coreutils package user. Note the -h switch that makes
+    chown change the ownership of the symlinks themselves rather than their 
+    target files.
+    
+    The chapter 6 instructions move the coreutils binaries to /bin, including
+    the mv binary itself. You need to make sure that hashing is turned off
+    for this to work. The LFS book does this by putting `set +h' into the
+    LFS user's .bashrc. If you're following this hint, you're likely using
+    build scripts, so you need to put this command into the build script
+    before the mv commands.
 
 NOTE:
     The man-pages package has already installed manpages for the binaries
     from coreutils. The install wrapper will prevent coreutils from overwriting
     those. This is done because the manpages from the man-pages package are 
-    of superior quality. It also prevents errors during `make install' that
+    of superior quality (although not necessarily uptodate). 
+    It also prevents errors during `make install' that
     would otherwise occur because the coreutils package user cannot overwrite 
     manpages owned by another user.
     If you don't like the above behaviour and would rather have the original 
-    package manpages (despite them being inferior), you can set the variable 
+    package manpages (because they are uptodate), you can set the variable 
     manpagesowner at the beginning of the install wrapper to a string that
     doesn't correspond to a package user name (it must not be empty, though!).
     If you do this, you will have to resolve manpage conflicts in another way. 
@@ -1334,34 +1455,20 @@ ncurses:
     because the permissions would be reset on the next call to /sbin/ldconfig.
     This error will usually not abort the installation and you can just
     run /sbin/ldconfig manually as root afterwards.
+    Alternatively you can use the ldconfig wrapper as described earlier.
 
 
-gettext:
-    The gettext installation creates the directory /usr/share/aclocal, which
-    contains macros for autoconf. Other packages want to install 
+aclocal directory:
+    At the time of this writing the directory /usr/share/aclocal is
+    created during the bison installation. This directory contains
+    macros for autoconf. Other packages want to install 
     files into this directory, so you should make it writable by the install 
-    group and sticky. You don't need to do this now. You can wait till you 
-    install a package that wants to write to aclocal.
-
-
-inetutils:
-    This package contains some programs that it wants to be setuid root:
-    rsh, rcp, rlogin and ping
-    The install wrapper prevents these programs from being installed
-    setuid root. You must decide which of these programs you want to be 
-    setuid root and manually make them so. Be conservative. Don't make a
-    binary setuid root unless you *know* that ordinary users can't live
-    without it. Every setuid root binary is a potential security hole.
-
-
-iproute2:
-    This package tries to change the permissions of /usr/sbin. The install
-    wrapper takes care of this.
+    group and sticky. 
 
 
 perl:
     Before you do `make install', you will have to 
-    `chown perl /usr/bin/perl' so that the perl package user is allowed to
+    `chown -h perl: /usr/bin/perl' so that the perl package user is allowed to
     remove the /usr/bin/perl symlink.
     
     If you will install add-on packages for perl as their own package users
@@ -1379,10 +1486,32 @@ autoconf:
 
 
 bash:
-    Before you can `make install' you need to `chown bash /bin/bash' so
-    that the bash installation can replace the /bin/bash symlink.
+  configure:
+    The bash configure script tests for the presence of the special devices
+    /dev/std* and /dev/fd/*. Unfortunately at the time of this writing the
+    test for /dev/fd/* is buggy (the test for /dev/stdin used to be broke, too
+    in bash-2.x, but has been fixed since). It ends up testing read access to 
+    standard input, 
+    which is the (pseudo)terminal you're building your system in. 
+    Unfortunately su doesn't change ownership of the terminal device, so when
+    you're su'd to a package user account, the terminal still belongs to the
+    login user. As the package user doesn't have read access to the device,
+    the tests fail.
+    
+    There is a simple way to get around this. Simply run ./configure like this
+    
+      ./configure ....  </dev/null
+    
+    The trick here is to redirect standard input (note, that this is a '<' not
+    a '>' !) to refer to /dev/null. Unlike the terminal device, /dev/null is
+    world-readable and world-writable, so the tests succeed as they should.
+    If you don't like this trick, you can also chown the terminal device in
+    question (see `ls -la /dev/fd/0') to the package user before building
+    bash.
+    
+  make check:
     When running the test suite as a package user, the test "run-test" will 
-    fail with the following output:
+    fail with the output like this:
 
       33d32
       < *** chmod g+s /tmp/test.setgid
@@ -1407,82 +1536,66 @@ bash:
     
     The first 2 failures are caused by the chmod wrapper which prevents the
     test from setting the setuid and setgid bits and outputs the *** warning.
-    The failures are harmless and will not occur if you remove the wrappers
+    The failures are harmless. You can get rid of them by removing the wrappers
     directory from the PATH before running the tests.
     
     The last 2 failures are not specific to package users but will occur 
-    whenever the user running the test is not the user who owns the terminal 
-    as is usually the case when you use the `su' command.
-    Simply ignore these failures. They are harmless. If you insist on getting
-    the tests to succeed, you will have to use chown as root to
-    assign ownership of the tty in which you will run the tests to the 
-    user running the tests. To find out the proper terminal, use the command
-    `ls -la /proc/self/fd/1' in the terminal where you will run the tests. 
-    It will output something like
-      lrwx------  1 bash bash 64 Sep 12 21:29 /proc/self/fd/1 -> /dev/pts/2
-    In this example the tty to be chowned would be /dev/pts/2.
-    
-    
-libtool:
-    The libtool installation wants to add files to /usr/share/aclocal, so
-    if you have not made it an install directory, yet, you will have to do it 
-    now (i.e. make the directory group install, group-writable, sticky).
-      
+    whenever you run the tests su'd to another user. The reasons are the same
+    as for the configure problem described earlier. The same solutions apply.
+    Either use chown (if you chowned before configure you're already 
+    done, of course) or run make check like this
+       
+      make check </dev/null
     
-grub:
-    The commands to create and populate /boot/grub have to be executed as
-    root.
+  make install:
+    Before you can `make install' you need to `chown -h bash: /bin/bash' as
+    root so that the bash installation can replace the /bin/bash symlink that
+    you manually created at the beginning of chapter 6.
 
 
-procps:
-    The procps installation wants to execute the command `ldconfig'. This will
-    fail for 2 reasons:
-    
-      1) A package user does not have /sbin in its PATH
-      2) Package users are not allowed to overwrite /etc/ld.so.cache
-    
-    To overcome this problem, install with 
-      
-      make ldconfig='' install
-      
-    and issue the command `/sbin/ldconfig' manually as root after installing.
+pkgconfig directory:
+    At the time of this writing the directory /usr/lib/pkgconfig is
+    created during the e2fsprogs installation. This directory contains
+    build information used by the pkg-config tool. Other packages want to 
+    install files into this directory, so you should make it writable by the
+    install group and sticky. 
 
 
-shadow:
-    shadow contains its own version of the `groups' command and accompanying
-    manpage. The installation of these conflicts with the coreutils versions.
-    As of this writing the LFS book deals with this problem in
-    the following way:
-    
-      1) coreutils' groups is installed in /usr/bin and shadow's
-         groups is installed in /bin, so it's enough to delete shadow's groups
-         after installation.
-      2) The manpage issue is simply ignored, meaning that the system will
-         end up having the coreutils version of groups but the shadow version
-         of the groups manpage.
-         
-    Number 1 will not cause trouble with package users, unless you
-    are doing things like symlinking /usr/bin and /bin to be the same. And in
-    that case the "trouble" caused, namely that shadow won't be able to
-    overwrite `groups', is actually a good thing, because it prevents you
-    from unknowingly ending up with a different `groups' command than a 
-    standard-LFS user. Issues like this are exactly what the "more control"
-    part of this hint's title is about. The package user system does not
-    allow things like this to happen behind your back.
+grub:
+    The commands to create and populate /boot/grub have to be executed as
+    root.
     
-    Number 2 is probably not intentional. It's just one of those things that
-    people who don't use the package user system never become aware of and so
-    it has managed to escape the attention of the LFS testers. So once again 
-    the installation failure caused by the package user system, although 
-    annoying, is a desirable feature.
     
-    To deal with both groups-issues, simply prevent shadow from installing
-    groups and its manpage. Execute the following commands *after* the
-    configure step, because the Makefiles don't exist until then.
+grep:
+    Before you can `make install' you need to `chown -h grep: /bin/grep' as
+    root so that the grep installation can replace the /bin/grep symlink that
+    you manually created at the beginning of chapter 6.
     
-      sed -i 's/groups.1//' man/Makefile
-      sed -i '/^bin_PROGRAMS/s/groups//' src/Makefile
 
+inetutils:
+    This package contains some programs that it wants to be setuid root:
+    rsh, rcp, rlogin and ping
+    The install wrapper prevents these programs from being installed
+    setuid root. You must decide which of these programs you want to be 
+    setuid root and manually make them so. Be conservative. Don't make a
+    binary setuid root unless you *know* that ordinary users can't live
+    without it. Every setuid root binary is a potential security hole.
+
+
+iproute2:
+    This package tries to change the permissions of /usr/sbin and some man
+    directories. The install wrappers take care of this.
+
+
+man-db:
+    Even after installing man-db you won't get manpage summaries from
+    list_package, because the way list_package calls man it needs col
+    to work and col is from util-linux. You may however install util-linux
+    right away. The alphabetical sort is the only reason it is at the end
+    of Chapter 6.
+
+
+shadow:
     By default shadow wants to install non-English manpages. This fails
     because the /usr/share/man directory is not an install directory and
     therefore package users are not allowed to create new subdirectories in it.
@@ -1496,18 +1609,11 @@ shadow:
     respective names in /usr/share/man as root and make them install
     directories (i.e. group install, group-writable, sticky).
     
-    At the time of this writing the coreutils patch used in LFS prevents the 
-    installation of the su binary, but not of its manpage. This is probably
-    another buglet in LFS that is exposed by the package user system. 
-    Whatever the reason, you will have to remove the su.1 manpage manually 
-    as root before shadow can be installed:
-    
-      rm /usr/share/man/man1/su.1
-    
     There is yet another issue with shadow concerning manpages. The shadow
-    package contains a passwd.5 manpage. Installation of this manpage is
+    package contains a passwd.5 and a getspnam.3 manpage. 
+    Installation of these manpages is
     automatically suppressed by the install wrapper, because it would 
-    overwrite the passwd.5 manpage provided by the man-pages package. As usual
+    overwrite the manpages provided by the man-pages package. As usual
     the man-pages version is better, so you can simply ignore this issue.
 
     shadow wants to install the programs su, chage, chfn, chsh, expiry, 
@@ -1525,28 +1631,19 @@ sysklogd:
       make INSTALL=install install
 
 
-sysvinit:
-    sysvinit's installation wants to create /dev/initctl if it does not exist, 
-    but a package user does not have permission to do that, so create
-    /dev/initctl manually as root before installing:
-    
-        rm -f /dev/initctl
-        mkfifo /dev/initctl
-        chmod 600 /dev/initctl
-                                                  
-
 udev:
-    udev wants to recreate the /dev directory, although it already exists.
-    Since a package user cannot do that, the installation fails. To fix this,
-    kill the line in the Makefile that's responsible:
+    udev wants to install files into the directory /usr/lib/pkgconfig. If
+    you've followed the instructions given further above you've already made
+    this an install directory. If you haven't, do so now or the udev 
+    installation will fail.
     
-      sed -i '/\$(INSTALL) -d \$(DESTDIR)\$(udevdir)/d' Makefile
+    The LFS instructions for installing udev tell you to execute the command
+      
+      mknod -m0666 /lib/udev/devices/null c 1 3
+      
+    Because a package user is not allowed to create device nodes, execute this
+    command as root.
     
-    NOTE: udev's Makefile is read-only, but apparently sed doesn't care about
-    this. If you want to edit the Makefile in another way (or if you're using
-    a sed version that doesn't have this, IMHO buggy, behaviour), you will 
-    have to `chmod u+w Makefile' first.
-
 
 util-linux:
     util-linux wants to install write as setgid tty and u/mount as
@@ -1737,47 +1834,78 @@ gnome: Software that relates to GNOME and does not fit into
 ###########################################################################
 
 ACKNOWLEDGEMENTS:
+  * Matthias Benkmann for writing the original version of this hint
   * Tushar Teredesai for suggesting the user=group scheme.
   * Markus Laire for reporting the 2005-01-01 build bug
 
 CHANGELOG:
 
-2005-11-13
+2007-10-20 Matthias Benkmann
+           -relicensed under CC-BY-SA (previously CC-BY-ND).
+           -added name tags to changelog entries in preparation for having the
+            hint continued by different authors.
+           -added workaround to list_package for bug in man-db that causes
+            some manpages to show up as "Weird manpage" in the summary.
+           -chmod wrapper now prevents shadow from installing files setuid 
+            shadow.
+           -added a wrapper to solve ldconfig issue.
+           -install_package now works when called with just a single argument. 
+            That argument is used for user name, group name and description.
+           -bash_profile of more_control_helpers now has /sbin and /usr/sbin 
+            in the PATH to match the PATH used by root when building.
+           -install_package does su - <name> now (i.e. start a login shell).
+           -build script now handles unpacking of tarballs and allows calling 
+            the different stages individually.
+           -useradd uses the -s provided shell and no longer hardwires bash.
+           -chapter 6 bash notes now properly address the configure and 
+            make check issues.
+
+2007-03-21 Matthias Benkmann
+           -changed forall_direntries_from to avoid warning message from find
+            when -depth is used.
+           -added 4.8 What Commands to Run as a Package User  
+
+2005-12-22 Matthias Benkmann
+           -added advice on how to cope with the moving mv problem to
+            coreutils note.
+
+2005-11-13 Matthias Benkmann
            -fixed list_suspicious_files and list_package to work with
             recent more POSIX-conforming versions of GNU find
            -released version 1.2 
 
-2005-01-01
+2005-01-01 Matthias Benkmann
             -fixed bug in skel-package/build script that caused it to report
              all steps as successful, even if they failed 
             -released version 1.1
 
-2004-11-01
+2004-11-01 Matthias Benkmann
             -capitalized title
             -released version 1.0
             
-2004-10-14
+2004-10-14 Matthias Benkmann
             -started developing the more_control_helpers utilities
             
-2004-08-14
+2004-08-14 Matthias Benkmann
             -started major rewrite (update for new LFS version, new hint 
              format, textual improvements,...)
 
-2002-04-20
+2002-04-20 Matthias Benkmann
             -changed LFS VERSION header to be more conservative
             -added <br> tags to the synopsis for the sake of the hints 
              index
             -added group mmedia to the list of suggested groups 
             -submitted v0.8
 
-2002-03-16  
+2002-03-16 Matthias Benkmann  
             -added note, that on Linux make doesn't need to be setgid kmem
 
-2002-02-18
+2002-02-18 Matthias Benkmann
             -added section "Security issues with NFS"
             -submitted v0.7
 
-2002-01-30  -added Changelog
+2002-01-30 Matthias Benkmann
+            -added Changelog
             -moved "chown 0.10000 `cat /tmp/installdirs`" command up (before
              glibc package user is created)
             -add_package_user: create home directory with "mkdir -p"
@@ -1786,5 +1914,3 @@ CHANGELOG:
             -added note about possibility to have user name==group name
             -source bashrc_basic in bashrc_package
             -minor textual changes
-
-
-- 
2.11.4.GIT