On Mon, Jun 09, 2014 at 03:07:17PM -0700, Jonathan Thornburg wrote:
> http://www.openbsd.org/anoncvs.html shows the 'cvs update'
> command being run by root ("#" shell prompt)

One example (the latest one added) in the "Using CVS to ..." section
uses $, as do all the examples in the "Example usages ..." section.
Perhaps they should all be $? I'm not sure, but diff at the end if so.

> I wouldn't expect any non-root user to have write permission to
> /usr/src anyway.

Just add a non-root user to the wsrc group and

    $ sudo chmod -R g+w /usr/{src,obj,ports,whatever}

The relevant dirs should be group-writable by default anyway, but
if you've checked out as root on top of it without a proper umask,
then it would cause issues.

> why is doing the cvs-update as root a bad idea?

Why would you run it as root if you don't need to? It takes
potentially-malicious input from the network and isn't super-tiny.
Just general principle of least privilege, it's not like you
/can't/ run it as root (lest your source tree be corrupted or
something).

If this change were to be made, should there also be a note about
wsrc, umask 002, and the rationale for not running as root?
Tar examples are also #, perhaps those should be changed as well?

Index: build/mirrors/anoncvs.html.head
===================================================================
RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
retrieving revision 1.35
diff -u -p -r1.35 anoncvs.html.head
--- build/mirrors/anoncvs.html.head 9 May 2014 14:02:39 -0000 1.35
+++ build/mirrors/anoncvs.html.head 10 Jun 2014 00:45:26 -0000
@@ -221,14 +221,14 @@ If you don't have a CD handy, use the me
<p> (If you are following <i>current</i>):
<pre>
- # <strong>cd /usr</strong>
- # <strong>cvs -qd [email protected]:/cvs get -P
src</strong>
+ $ <strong>cd /usr</strong>
+ $ <strong>cvs -qd [email protected]:/cvs get -P
src</strong>
</pre>
<p> (If you are following the patch branch for 5.5):
<pre>
- # <strong>cd /usr</strong>
- # <strong>cvs -qd [email protected]:/cvs get -rOPENBSD_5_5
-P src</strong>
+ $ <strong>cd /usr</strong>
+ $ <strong>cvs -qd [email protected]:/cvs get -rOPENBSD_5_5
-P src</strong>
</pre>
<!-- DO NOT EDIT ANONCVS.HTML MANUALLY - IT IS GENERATED FROM TEMPLATES! -->
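Review bot: Missing documentation on the two `cvs ... get` examples that now carry a `$` prompt: a checkout started from `/usr` as a regular user only works if that user can write to `/usr/src`, and nothing in this hunk tells the reader to join the wsrc group or to use umask 002 first. Suggest adding a short paragraph ahead of the first `<pre>` that states the wsrc and umask requirement and the reason for not running cvs as root, so the prompt character is not the only hint.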
@@ -258,14 +258,14 @@ Confirm this, and the fingerprint will t
<li> Anytime afterwards, to `update' this tree:
<p> (If you are following <i>current</i>):
<pre>
- # <strong>cd /usr/src</strong>
- # <strong>cvs -q up -Pd</strong>
+ $ <strong>cd /usr/src</strong>
+ $ <strong>cvs -q up -Pd</strong>
</pre>
<p> (If you are following the patch branch for 5.5):
<pre>
- # <strong>cd /usr/src</strong>
- # <strong>cvs -q up -rOPENBSD_5_5 -Pd</strong>
+ $ <strong>cd /usr/src</strong>
+ $ <strong>cvs -q up -rOPENBSD_5_5 -Pd</strong>
</pre>
Every time you ran this it would synchronize your /usr/src tree.
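Review bot: The `$ cvs -q up -Pd` examples will fail on a tree that was originally checked out as root without group write permission, which is the situation of anyone who followed the old `#` instructions. Suggest a one-line note next to "Anytime afterwards, to `update' this tree" pointing those users at a one-time `chmod -R g+w` on the tree before they switch to updating as a regular user.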
@@ -278,8 +278,8 @@ If you are updating a source tree that y
from a different server, or from a CD, you <strong>must</strong>
add the <em>-d [cvsroot]</em> option to cvs.
<pre>
- # <strong>cd /usr/src</strong>
- # <strong>cvs -d [email protected]:/cvs -q up -Pd</strong>
+ $ <strong>cd /usr/src</strong>
+ $ <strong>cvs -d [email protected]:/cvs -q up -Pd</strong>
</pre>
</ul>
@@ -289,24 +289,24 @@ it is similar to src:
<ul><li>
<p> (If you are following <i>current</i>):
<pre>
- # <strong>cd /usr</strong>
- # <strong>cvs -qd [email protected]:/cvs get -P
ports</strong>
+ $ <strong>cd /usr</strong>
+ $ <strong>cvs -qd [email protected]:/cvs get -P
ports</strong>
</pre>
<p> (If you are following the patch branch for 5.5):
<pre>
- # <strong>cd /usr</strong>
- # <strong>cvs -qd [email protected]:/cvs get -rOPENBSD_5_5
-P ports</strong>
+ $ <strong>cd /usr</strong>
+ $ <strong>cvs -qd [email protected]:/cvs get -rOPENBSD_5_5
-P ports</strong>
</pre>
<li> Anytime afterwards, to `update' this tree:
<p> (If you are following <i>current</i>):
<pre>
- # <strong>cd /usr/ports</strong>
- # <strong>cvs -q up -Pd</strong>
+ $ <strong>cd /usr/ports</strong>
+ $ <strong>cvs -q up -Pd</strong>
</pre>
<p> (If you are following the patch branch for 5.5):
<pre>
- # <strong>cd /usr/ports</strong>
- # <strong>cvs -q up -rOPENBSD_5_5 -Pd</strong>
+ $ <strong>cd /usr/ports</strong>
+ $ <strong>cvs -q up -rOPENBSD_5_5 -Pd</strong>
</pre>
</ul>
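Review bot: The `cvs ... get` lines in this hunk are split in two, leaving `ports</strong>` and `-P ports</strong>` on their own lines without a `+` or `-` prefix, and the same happens with `src</strong>` in the first hunk. If the message went out that way the patch will not apply cleanly; resend it with line wrapping disabled or as an attachment.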
@@ -318,8 +318,8 @@ For those who like to see screenfulls of
To make a diff of a locally patched module (here <i>cd.c</i>) to include with
a bug report:
<pre>
- # <strong>cd /usr</strong>
- # <strong>cvs diff -u src/sys/scsi/cd.c > /tmp/patch</strong>
+ $ <strong>cd /usr</strong>
+ $ <strong>cvs diff -u src/sys/scsi/cd.c > /tmp/patch</strong>
</pre>
<p>
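Review bot: Style point on the added `cvs diff -u src/sys/scsi/cd.c > /tmp/patch` line: now that the example is shown for a regular user, the output could go to a file in that user's own directory rather than a fixed name in the shared `/tmp`, where the name may already be taken by someone else. Something like `> ~/cd.c.diff` would keep the example working regardless of what is in `/tmp`.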