> On 04/14/17 09:21, Theo de Raadt wrote:
> >> AFAICS there is no way to build a release without upgrading the base 
> >> system first, i.e. you have to have root privileges.
> >> 
> >> To keep things simple, I wonder if it would be possible to use these 
> >> privileges to avoid the noperm partition?

No, it isn't.

> > noperm is now so well established, we have already forgotten the various 
> > tricks to during the transition, even moreso since there wasn't one 
> > transition it was done in steps.
> > 
> 
> ???
> 
> I would have guessed a simple
> 
>       if test "x$USER" != "xroot"; then
>               echo "error: noperm partition wanted"
>               exit 1
>       fi
> 
> would do.

There are such tests at the beginning of 'make release', so if you got
as far in 'make release' as you indicate below, your noperm setup is
fine:

$ sed -n 246,259p /usr/src/etc/Makefile
do-release:
        @if [[ `id -u` -ne 0 ]]; then \
                echo $@ must be called by root >&2; \
                false; \
        fi
        @destmp=`df -P ${DESTDIR} | awk 'END { print $$6 }'`; \
        if ! mount | grep -q " $${destmp} .*noperm"; then \
                echo ${DESTDIR} must be on a noperm filesystem >&2; \
                false; \
        fi; \
        if [[ `stat -f '%Su %Lp' $${destmp}` != '${BUILDUSER} 700' ]]; then \
                echo $${destmp} must have owner BUILDUSER and mode 700 >&2; \
                false; \
        fi

> bash-4.4# export DESTDIR=/dest; export RELEASEDIR=/export/releasedir
> bash-4.4# cd /usr/src/etc && make release
> sh /usr/src/sys/conf/newvers.sh
> touch: version: Permission denied
> /usr/src/sys/conf/newvers.sh[84]: cannot create version: Permission denied
> *** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC.MP (Makefile:897 'vers.o')
> *** Error 1 in . (Makefile:20 'bsd.mp')
> *** Error 1 in . (Makefile:267 'release-sets')
> *** Error 1 in . (Makefile:260 'do-release')
> *** Error 1 in /usr/src/etc (Makefile:244 'release')

This indicates permission problems below /usr/obj (nothing to do with
noperm).

What is the output of

# ls -al /usr/obj /usr/obj/sys/arch/amd64/compile/{,GENERIC.MP/vers*}

> There are stable snapshots? Good thing, I will check.

There aren't. But you may want to check out syspatch(8)

http://man.openbsd.org/syspatch
