The CONFIG_PROTECT variable contains a space-delimited list of files and/or directories that Portage will protect from automatic modification. Proposed changes to protected configuration locations will require manual merge(s) from the system administrator (see dispatch-conf or similar merge tools).
A current list of presently protected locations can be displayed with portageq:
portageq envvar CONFIG_PROTECT
/etc /usr/share/config /usr/share/gnupg/qualified.txt
Using portageq is a short hand alternative to running a regular expression search on verbose, informational output from the emerge command:
emerge --verbose --info | grep -E '^CONFIG_PROTECT='
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
Files or subdirectories defined within the CONFIG_PROTECT can be excluded from protection through the CONFIG_PROTECT_MASK variable. Masking is useful when a parent directory should be protected, but a certain child directory beneath it.
The variable has a sane default setting handled by the Portage installation and the users' Gentoo profile. It can be extended through the system environment (which is often used by applications that update the variable through their /etc/env.d file) and the users' /etc/portage/make.conf setting.
See also the Environment variables chapter in the Gentoo Handbook.
- CONFIG_PROTECT_MASK — contains a list of files or subdirectories which will be excluded from the overwrite protection offered by the CONFIG_PROTECT variable.
- savedconfig — a USE flag that preserves the saved configuration files upon package updates.
- /etc/portage/make.conf — the main configuration file used to customize the Portage environment on a global level., the location Portage keeps binary packages.