In a few places, bsd.port.mk does doas /usr/bin/env -i ${_TERM_ENV} TRUSTED_PKG_PATH=... /usr/sbin/pkg_add
On the one hand, env allows virtually everything to execute; on the other hand, swapping things around means keepenv has to be used correctly. Looking closer at the actual usage pattern, the env variables concerned are: - TERM: necessary for correct progressmeter - TERMCAP: good for people with bad terminal configuration. Definitely not something to trust in doas.conf - ftp_proxy/http_proxy: useful in general, but those pkg_add invocations are actually local - TRUSTED_PKG_PATH: *TOTALLY* necessary. This prevents pkg_add from looking in other locations, and replaces a former -Dunsigned which did remove signature handling from everywhere and not just the correct directory. Inspired by Charlene's idea of fixing the path to touch, I think we want the patch that follows. Plus: people will have a full list of what's needed to run as root for ports work. Minus: if you don't keepenv TRUSTED_PKG_PATH, things will stop working. If you don't keepenv TERM, pkg_add will lose its progressmeter. (that said, pkg_delete already has the same issue and it doesn't look like people protest) okay, objections ? Index: bsd.port.mk =================================================================== RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v retrieving revision 1.1462 diff -u -p -r1.1462 bsd.port.mk --- bsd.port.mk 4 Apr 2019 02:28:06 -0000 1.1462 +++ bsd.port.mk 8 May 2019 18:57:48 -0000 @@ -211,7 +211,7 @@ PKG_DELETE ?= /usr/sbin/pkg_delete _PKG_ADD = ${PKG_ADD} ${_PROGRESS} -I _PKG_CREATE = ${PKG_CREATE} ${_PROGRESS} -_PKG_ADD_LOCAL = TRUSTED_PKG_PATH=${_PKG_REPO} ${_PKG_ADD} +_SUDO_PKG_ADD_LOCAL = TRUSTED_PKG_PATH=${_PKG_REPO} ${SUDO} ${_PKG_ADD} _PKG_DELETE = ${PKG_DELETE} ${_PROGRESS} .if defined(PKG_PATH) @@ -724,7 +724,7 @@ _ALL_COOKIES = ${_EXTRACT_COOKIE} ${_PAT ${_DEPBUILDLIB_COOKIES} ${_DEPRUNLIB_COOKIES} \ ${_DEPBUILDWANTLIB_COOKIE} ${_DEPRUNWANTLIB_COOKIE} ${_DEPLIBSPECS_COOKIES} -_MAKE_COOKIE = touch +_MAKE_COOKIE = /usr/bin/touch _PMAKE_COOKIE = ${_PBUILD} ${_MAKE_COOKIE} GMAKE ?= gmake @@ -2064,7 +2064,7 @@ ${_INSTALL_COOKIE${_S}}: @cd ${.CURDIR} && SUBPACKAGE=${_S} _DEPENDS_TARGET=install PKGPATH=${PKGPATH} \ exec ${MAKE} _internal-install-depends @${ECHO_MSG} "===> Installing ${FULLPKGNAME${_S}} from ${_PKG_REPO}" - @${SUDO} ${SETENV} ${_TERM_ENV} ${_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} ${PKGFILE${_S}}; + @${SETENV} ${_TERM_ENV} ${_SUDO_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} ${PKGFILE${_S}}; @-${SUDO} ${_MAKE_COOKIE} $@ @@ -2083,7 +2083,7 @@ ${_UPDATE_COOKIE${_S}}: *) cd ${.CURDIR} && SUBPACKAGE=${_S} _DEPENDS_TARGET=package PKGPATH=${PKGPATH} \ ${MAKE} _internal-install-depends; \ ${ECHO_MSG} "Upgrading from $$a"; \ - ${SUDO} ${SETENV} ${_TERM_ENV} ${_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} -r ${_PKG_ADD_FORCE} ${PKGFILE${_S}};; \ + ${SETENV} ${_TERM_ENV} ${_SUDO_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} -r ${_PKG_ADD_FORCE} ${PKGFILE${_S}};; \ esac @${_MAKE_COOKIE} $@ @@ -2097,7 +2097,7 @@ ${_FUPDATE_COOKIE${_S}}: @mkdir -p ${UPDATE_COOKIES_DIR} . endif @${ECHO_MSG} "===> Updating/installing for ${FULLPKGNAME${_S}}" - @${SUDO} ${SETENV} ${_TERM_ENV} ${_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} -r ${_PKG_ADD_FORCE} ${PKGFILE${_S}} + @${SETENV} ${_TERM_ENV} ${_SUDO_PKG_ADD_LOCAL} ${_PKG_ADD_AUTO} -r ${_PKG_ADD_FORCE} ${PKGFILE${_S}} @${_MAKE_COOKIE} $@ .endfor