On 2019/05/07 17:36, Charlene Wendling wrote:
> Hi Marc, ports,
>
>
> I'm using PORT_PRIVSEP everywhere, even in my permanent ports tree, as
> it allows me to see quickly what port needs FIX_EXTRACT_PERMISSIONS,
> something sadly often used in Perl ports, before testing in a clean
> chroot.
>
> I used to switch doas.conf according to what I was doing, because I
> couldn't perform (un)installation, but I've "forgotten" to address
> this in a better way until today.
>
> (Un)installing requires root rights only for env(1), touch(1),
> pkg_add(1) and pkg_delete(1) according to 'make -dj reinstall'.
> Quite a lot of reduced surface attack compared to even a temporary
> "permit nopass".

env(1) lets you run anything, you should consider "doas env" as root-equivalent.
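
Added example, not part of the original thread: a small audit of doas.conf rules that flags permit rules which let a user run env(1) as root with no "args" restriction, the case the reply above calls root-equivalent. The sample rules, the user name "builder" and the WRAPPERS set are assumptions made for illustration, and the parser handles only the simple one-line rule form.

```python
import os
import shlex

# Constructed sample rules; the user "builder" is hypothetical.
SAMPLE = """\
# rules for (un)installing ports
permit nopass builder as root cmd env
permit nopass builder as root cmd touch
permit nopass builder as root cmd pkg_add
permit nopass builder as root cmd pkg_delete
permit nopass setenv { PATH } builder as root cmd /usr/bin/env args -i true
"""

# Programs that execute whatever command they are given as arguments.
# env(1) is the one named in the thread; the set is an assumption to extend.
WRAPPERS = {"env"}
FLAGS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Return a dict for one doas.conf rule, or None for blank/comment lines."""
    tok = shlex.split(line, comments=True)
    if not tok:
        return None
    rule = {"action": tok[0], "target": "root", "cmd": None, "args": None}
    i = 1
    while i < len(tok) and (tok[i] in FLAGS or tok[i] == "setenv"):
        if tok[i] == "setenv":          # skip the whole { ... } list
            i = tok.index("}", i)
        i += 1
    rule["identity"] = tok[i]
    rest = tok[i + 1:]
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], rest = rest[1], rest[2:]
    if rest[:1] == ["args"]:            # args pins the exact argument list
        rule["args"] = rest[1:]
    return rule

def root_equivalent(text):
    """Line numbers of permit rules that hand out unpinned wrappers as root."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if (r and r["action"] == "permit" and r["target"] == "root"
                and r["cmd"] and os.path.basename(r["cmd"]) in WRAPPERS
                and r["args"] is None):
            hits.append(n)
    return hits

if __name__ == "__main__":
    print(root_equivalent(SAMPLE))
```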
