On 2020/03/31 11:31, [email protected] wrote:
> The man page of bsd.port.mk, particular PORTS_PRIVSEP
> provides this suggestion
>
> 'permit nopass setenv {....} user cmd pkg_add'

personally, I don't want my normal userid to be able to run things as
root unless a password was entered recently, so I don't do that.
Others have different opinions on that.

> I don't know much about what pkg_add can do, but when

As you would expect for something which can install packages, it can
install files on the system, and it can run commands. Trivial example:

$ printf '@name foo-1\n@exec head -1 /etc/master.passwd\n' > +CONTENTS
$ tar czf foo-1.tgz +CONTENTS
$ doas pkg_add -D unsigned ./foo-1.tgz
|No change in quirks-3.288Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 296.
Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 297.
Use of uninitialized value $path in hash element at /usr/local/libdata/perl5/site_perl/OpenBSD/Quirks.pm line 1688.
Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 296.
root:$2b$12$<REDACTED>:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
foo-1: ok

Or it could be used to install a setuid root shell or something.

> building packages with many dependencies, password prompt
> greets for every dependency, persist option doesn't work
> across the dependencies for the above command,
> so it becomes a pain in the ass.
>
> I think persist doesn't work because of the setenv part,
> since it is different for every package/sub-package

Persist is working as designed - it has an intentional feature to
prevent passing authorisation "upwards" to a parent process. This is
beneficial in some cases but doesn't work well with ports.

That's why I use sudo for ports dev.

On package build machines I use dpb instead, which starts as root and
handles running pkg_add itself rather than relying on the ports
Makefile infrastructure for that. Then the only thing needed for doas
is the ability for root to *drop* privileges which is safe without
password. (permit keepenv nopass root).
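
A pre-install check for the point made in the message above, as an added example that is not part of the original message or of OpenBSD's own tools: it reads +CONTENTS from a package archive and lists the @exec/@unexec annotations and set-id @mode lines that pkg_add would act on as root. The function names and the sample package are constructed here; the sample reuses the packing list from the message plus one constructed @mode line.

```python
import io
import re
import tarfile

# Packing-list annotations that make pkg_add run a command (see pkg_create(1)).
COMMAND_ANNOTATIONS = {"@exec", "@unexec"}

def read_packing_list(tgz_bytes):
    """Return the text of +CONTENTS from a package archive held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return tar.extractfile("+CONTENTS").read().decode("utf-8", "replace")

def is_set_id_mode(mode):
    """True when a @mode argument sets the setuid or setgid bit."""
    if re.fullmatch(r"[0-7]{1,4}", mode):
        return bool(int(mode, 8) & 0o6000)
    # Symbolic form such as u+s or g+s.
    return bool(re.search(r"[+=][rwxXt]*s", mode))

def audit_packing_list(text):
    """Return (line_number, kind, detail) for every line that needs review."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        keyword, _, argument = line.partition(" ")
        if keyword in COMMAND_ANNOTATIONS:
            findings.append((number, "command", argument))
        elif keyword == "@mode" and is_set_id_mode(argument.strip()):
            findings.append((number, "set-id mode", argument.strip()))
    return findings

def build_sample_package(contents):
    """Constructed sample: a tgz holding only +CONTENTS, as in the message."""
    data = contents.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("+CONTENTS")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed input: the message's packing list plus a set-id @mode line.
SAMPLE = "@name foo-1\n@exec head -1 /etc/master.passwd\n@mode 4755\nbin/example\n"

if __name__ == "__main__":
    package = build_sample_package(SAMPLE)
    for number, kind, detail in audit_packing_list(read_packing_list(package)):
        print(f"+CONTENTS:{number}: {kind}: {detail}")
```

A clean result only means the packing list has no command or set-id annotations; it says nothing about the files the package installs.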
