On Tue, May 07, 2019 at 05:36:07PM +0200, Charlene Wendling wrote:
> Hi Marc, ports,
>
> I'm using PORT_PRIVSEP everywhere, even in my permanent ports tree, as
> it allows me to see quickly what port needs FIX_EXTRACT_PERMISSIONS,
> something sadly often used in Perl ports, before testing in a clean
> chroot.
>
> I used to switch doas.conf according to what I was doing, because I
> couldn't perform (un)installation, but I've "forgotten" to address
> this in a better way until today.
>
> (Un)installing requires root rights only for env(1), touch(1),
> pkg_add(1) and pkg_delete(1) according to 'make -dj reinstall'.
> Quite a lot of reduced attack surface compared to even a temporary
> "permit nopass".
Actually env(1) is the big attack surface here. This is the complicated problem that really needs addressing, and it's not THAT easy to get a consensus. The problem being you need keepenv in doas.conf, so that you can do the env -i before the doas.

The other wacky solution would be to have pkg_add/delete get some more stuff on the command line instead of the environment.

touch doesn't matter.

Won't fix before the other issue gets (eventually) addressed, as it's just giving you a false sense of security.
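To make the point of both messages concrete, here is a constructed doas.conf that is not part of the thread: the blanket rule Charlene wants to avoid, the four-command rule set she derived from 'make -dj reinstall', and a note on why the env(1) line alone hands out root anyway. The login name "build" and the exact option placement are assumptions; the keepenv requirement is taken from the reply above, not verified against bsd.port.mk.

```conf
# Constructed illustration, not from the thread. "build" is an assumed
# login name; adjust to the account that runs make in the ports tree.

# 1. The blanket rule: any command, as root, no password.
permit nopass build as root

# 2. The "reduced" rule set, one line per command that 'make -dj reinstall'
#    runs through ${SUDO} under PORT_PRIVSEP. keepenv is needed on the
#    env(1) rule (see the reply above); doas strips the environment by
#    default, so without it the env -i step cannot pass its variables on.
permit nopass keepenv build as root cmd env
permit nopass build as root cmd touch
permit nopass build as root cmd pkg_add
permit nopass build as root cmd pkg_delete

# 3. Why rule set 2 is not smaller than rule 1: env(1) executes whatever
#    follows its options, so the env line by itself is a root shell:
#        doas env sh -c id
#    An 'args' clause does not close this, because doas matches the full
#    argument list exactly: 'cmd env args -i' would permit only a bare
#    'doas env -i' and nothing after it, while the real argument list is
#    assembled by the port Makefile and varies per port. touch(1) cannot
#    execute anything, which is why it "doesn't matter" in the reply.
```

Run `doas -C /etc/doas.conf env sh` as the build user to see how a candidate rule is matched before relying on it; the `-C` flag only evaluates the configuration and prints the matching permit/deny line, it does not execute the command.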
