Hi Marc, ports,
I'm using PORT_PRIVSEP everywhere, even in my permanent ports tree, as it allows me to see quickly what port needs FIX_EXTRACT_PERMISSIONS, something sadly often used in Perl ports, before testing in a clean chroot. I used to switch doas.conf according to what i was doing, because i couldn't perform (un)installation, but i've "forgotten" to address this in a better way until today. (Un)installing requires root rights only for env(1), touch(1), pkg_add(1) and pkg_delete(1) according to 'make -dj reinstall'. Quite a lot of reduced surface attack compared to even a temporary "permit nopass". The problem is that bsd.port.mk calls 'touch', unlike the other 3 commands that are using their absolute paths: > [13981] Running 42613 (/var/db/pkg/free-1.0/+CONTENTS) doas touch > /var/db/pkg/ free-1.0/+CONTENTS > > doas ([email protected]) password: Specifying "cmd touch" in doas.conf(5) don't fix this. And according to its manpage « Be advised that it is best to specify absolute paths. If a relative path is specified, only a restricted PATH will be searched. » As such, i've setup the whole thing like this (only relevant lines shown): /etc/mk.conf ================================================================= PORTS_PRIVSEP=Yes SUDO=doas ================================================================= /etc/doas.conf ================================================================= permit keepenv charlene [...] # PORTS_PRIVSEP permit nopass keepenv charlene as _pbuild permit nopass keepenv charlene as _pfetch # PORTS_PRIVSEP (un)install permit nopass keepenv charlene cmd /usr/bin/env permit nopass keepenv charlene cmd /usr/bin/touch permit nopass keepenv charlene cmd /usr/sbin/pkg_add permit nopass keepenv charlene cmd /usr/sbin/pkg_delete ================================================================ and did the change to bsd.port.mk i diffed below. It works. I know i have weird ways of doing things, but i think we should change it for consistency sake. Comments/feedback are welcome! Charlène. Index: bsd.port.mk =================================================================== RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v retrieving revision 1.1462 diff -u -p -r1.1462 bsd.port.mk --- bsd.port.mk 4 Apr 2019 02:28:06 -0000 1.1462 +++ bsd.port.mk 7 May 2019 14:55:55 -0000 @@ -724,7 +724,7 @@ _ALL_COOKIES = ${_EXTRACT_COOKIE} ${_PAT ${_DEPBUILDLIB_COOKIES} ${_DEPRUNLIB_COOKIES} \ ${_DEPBUILDWANTLIB_COOKIE} ${_DEPRUNWANTLIB_COOKIE} ${_DEPLIBSPECS_COOKIES} -_MAKE_COOKIE = touch +_MAKE_COOKIE = /usr/bin/touch _PMAKE_COOKIE = ${_PBUILD} ${_MAKE_COOKIE} GMAKE ?= gmake
