Hi, On Wed, 8 May 2019 21:00:57 +0200 Marc Espie <es...@nerim.net> wrote:
> In a few places, bsd.port.mk does > doas /usr/bin/env -i ${_TERM_ENV} > TRUSTED_PKG_PATH=... /usr/sbin/pkg_add > > On the one hand, env allows virtually everything to execute; > on the other hand, swapping things around means keepenv has to be used > correctly. > > Looking closer at the actual usage pattern, the env variables > concerned are: > > - TERM: necessary for correct progressmeter > - TERMCAP: good for people with bad terminal configuration. > Definitely not something to trust in doas.conf > - ftp_proxy/http_proxy: useful in general, but those pkg_add > invocations are actually local > - TRUSTED_PKG_PATH: *TOTALLY* necessary. This prevents pkg_add from > looking in other locations, and replaces a former -Dunsigned which > did remove signature handling from everywhere and not just the > correct directory. > > Inspired by Charlene's idea of fixing the path to touch, I think we > want the patch that follows. As you already know, it works fine for me, thanks! > Plus: people will have a full list of what's needed to run as root for > ports work. I've found more (i'm describing issues as i have met them) to make it "seamless": make update-plist ================= => doas /usr/bin/perl /usr/ports/infrastructure/bin/update-plist In mk/pkgpath.mk there is this: _PERLSCRIPT = /usr/bin/perl ${PORTSDIR}/infrastructure/bin After removing the perl invocation the problem is getting fishier: - /usr/ports/infrastructure/bin/update-plist is executable, fine - /usr/ports/infrastructure/bin/port-getpkgpath-helper is not executable, i chmoded +x it to see how deep it goes - then it calls 'doas /usr/ports/infrastructure/bin/update-plist' - and it croaks: DON'T BUILD PORTS AS ROOT!!!!! (or make sure you pass env variables PORTS_TREE_OWNER and FAKE_TREE_OWNER thru doas to root) - So i've changed my doas.conf accordingly, after reading update-plist, i noticed it requires PORTSDIR to be set as well, as seen in strip_dependency_directories() iiuc, or i have this: update-plist: Prefix required - /usr/ports/infrastructure/bin/port-resolve-lib-helper needs also to be chmoded +x make install/reinstall ====================== - /usr/ports/infrastructure/bin/register-plist requires to be chmoded +x as well make clean=packages =================== - my user account wants to rm: /usr/ports/packages/amd64/cache/portname.tgz and it belongs to _pfetch, so i needed this in bsd.port.mk: @@ -3120,10 +3120,10 @@ _internal-clean: .endif .if ${_clean:Mpackages} || ${_clean:Mpackage} && ${_clean:Msub} ${_PBUILD} rm -f ${_PACKAGE_COOKIES} - rm -f ${_UPDATE_COOKIES} ${_CACHE_PACKAGE_COOKIES} + ${_PFETCH} rm -f ${_UPDATE_COOKIES} ${_CACHE_PACKAGE_COOKIES} .elif ${_clean:Mpackage} ${_PBUILD} rm -f ${_PACKAGE_COOKIES${SUBPACKAGE}} - rm -f ${_UPDATE_COOKIE${SUBPACKAGE}} + ${_PFETCH} rm -f ${_UPDATE_COOKIE${SUBPACKAGE}} doas.conf ========= permit keepenv charlene [...] permit nopass keepenv charlene as _pbuild permit nopass keepenv charlene as _pfetch permit nopass setenv { TRUSTED_PKG_PATH TERM } charlene cmd /usr/bin/touch permit nopass setenv { TRUSTED_PKG_PATH TERM } charlene cmd /usr/sbin/pkg_delete permit nopass setenv { TRUSTED_PKG_PATH TERM } charlene cmd /usr/sbin/pkg_add permit nopass setenv { PORTSDIR PORTS_TREE_OWNER FAKE_TREE_OWNER TRUSTED_PKG_PATH TERM } \ charlene cmd /usr/ports/infrastructure/bin/update-plist > Minus: if you don't keepenv TRUSTED_PKG_PATH, things will stop > working. If you don't keepenv TERM, pkg_add will lose its > progressmeter. > > (that said, pkg_delete already has the same issue and it doesn't look > like people protest) > > okay, objections ? None of these two in my case, i just wanted to report the issues i met if one doesn't want to input root password during port works. I may have missed some stuff, or lacking foresight though. I had fun anyway! Charlène.