Re: problems setting up PORTS_PRIVSEP

2020-03-31 Thread putridsoul66
The man page of bsd.port.mk, in particular PORTS_PRIVSEP,
provides this suggestion

'permit nopass setenv {} user cmd pkg_add'

I don't know much about what pkg_add can do, but when
building packages with many dependencies, a password prompt
greets me for every dependency; the persist option doesn't work
across the dependencies for the above command,
so it becomes a pain in the ass.

I think persist doesn't work because of the setenv part, 
since it is different for every package/sub-package

What do you suggest?



Re: problems setting up PORTS_PRIVSEP

2020-03-30 Thread Stuart Henderson
On 2020-03-30, Moises Simon  wrote:
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add

pkg_add can run any command, so if you permit pkg_add without a
password, you might as well not require a password for anything.




Re: problems setting up PORTS_PRIVSEP

2020-03-30 Thread Moises Simon
On Mon, Mar 30, 2020 at 01:22:03PM +0200, Moises Simon wrote:
> sirius$ make build
> ===>  Verifying specs:  X11 Xft Xinerama c fontconfig
> ===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===>  Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100% 
> |*|
>  15972   00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===>  Extracting for dmenu-4.9
> make: getcwd: Permission denied
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648 
> '/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu 
> ...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9;  
> export _LOCKS_HELD=" d...)
> 
> # Doas log showing some commands failed
> 
> sirius# tail /var/log/doas
> Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX 
> /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv 
> as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch 
> /usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl 
> /usr/ports/infrastructure/bin/portlock 
> /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from 
> (failed)
> Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles 
> as _pfetch from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o 
> /usr/ports/distfiles/dmenu-4.9.tar.gz.part 
> https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from 
> /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command mv 
> /usr/ports/distfiles/dmenu-4.9.tar.gz.part 
> /usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command rm -f 
> /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from 
> /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from 
> (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -f 
> /usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
> sirius#
> 

After more tests, the problem was my umask 027.
/usr/ports/mystuff/x11 was 750 and that was causing problems for ports under
mystuff but not on /usr/ports
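The failure described above (a directory created under umask 027 that _pbuild cannot traverse) can be located with a walk up the path. This is an added example, not part of the original message; `check_world_rx` and `demo` are hypothetical names, and the demo tree is constructed in a scratch directory rather than under /usr/ports.

```shell
#!/bin/sh
# check_world_rx DIR [TOP]: walk from DIR up to TOP (default /) and print
# every directory that lacks read or search permission for "other".
# Returns 1 if any such directory is found, 2 if DIR or TOP is unusable.
check_world_rx() {
    _dir=$(cd "$1" && pwd -P) || return 2
    _top=$(cd "${2:-/}" && pwd -P) || return 2
    _bad=0
    while :; do
        # First 10 characters of ls -ld are the type and mode bits.
        _mode=$(ls -ld "$_dir" | cut -c1-10)
        case $_mode in
            d??????r?[xt]) ;;                       # o+r and o+x present
            *) printf '%s %s\n' "$_mode" "$_dir"; _bad=1 ;;
        esac
        if [ "$_dir" = "$_top" ] || [ "$_dir" = / ]; then break; fi
        _dir=$(dirname "$_dir")
    done
    return $_bad
}

# Constructed demo: reproduce the thread's layout in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 2
    chmod 755 "$scratch"
    ( umask 022; mkdir "$scratch/mystuff" )
    ( umask 027; mkdir "$scratch/mystuff/x11" )     # ends up mode 750
    ( umask 022; mkdir "$scratch/mystuff/x11/dmenu" )
    check_world_rx "$scratch/mystuff/x11/dmenu" "$scratch" && rc=0 || rc=$?
    rm -rf "$scratch"
    return $rc
}

demo || true
```

On a real tree the call would be `check_world_rx /usr/ports/mystuff/x11/dmenu /usr/ports`; each directory it prints needs `chmod o+rx`.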



Re: problems setting up PORTS_PRIVSEP

2020-03-30 Thread Moises Simon
On Thu, Mar 26, 2020 at 12:38:19PM +0100, Moises Simon wrote:
> On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> > Does _pbuild have write access to /usr/obj? If not, either grant it,
> > or create /usr/obj/ports yourself and grant _pbuild write access to
> > that.
> 
> 
> these were the permissions:
> 
> drwxrwxr-x  4 build  wobj  512 Mar 25 11:03 /usr/obj
> 
> d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2
> 
> because that is for building base I have changed
> 
> WRKOBJDIR=/usr/ports/obj
> 
> drwxr-xr-x  3 _pbuild  _pbuild  512 Mar 26 10:12 /usr/ports/obj/
> 
> Now it's working.
> 
> Thanks!
> 
> Now I'm getting this:
> 
> sirius$ make package
> ===>  Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100% 
> |*|
>  15972   00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===>  Verifying specs:  X11 Xft Xinerama c fontconfig
> ===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===>  Extracting for dmenu-4.9
> make: don't know how to make do-extract
> Stop in .
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
> '/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu 
> &...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
> '/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd 
> /usr/ports/mystuff/x11/dm...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
> '_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$(doas 
> -...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu
> (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
> export _LOCKS_HELD="...)
> 
> in ports under /usr/ports/mystuff
> I just:
> 
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
> 

I'm having lots of problems with permissions under /usr/ports/. I have even
deleted and fetched new cvs ports following:

https://www.openbsd.org/faq/faq5.html#wsrc

"Avoid running cvs(1) as root. The /usr/src directory (where your source will
typically go) is writable by the wsrc group by default, so add users that need
to use cvs(1) to that group. "

https://man.openbsd.org/bsd.port.mk#PORTS_PRIVSEP

"To work fully, this does require the ports tree to be world-readable, and
${WRKDIR} to be world-readable as well (update-patches and friends won't work
otherwise)."

doing 

sirius# find /usr/ports/ -type f -exec chmod 644 {} \+
sirius# find /usr/ports/ -type d -exec chmod 755 {} \+

I get:

sirius$ make build
===>  Verifying specs:  X11 Xft Xinerama c fontconfig
===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===>  Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% 
|*|
 15972   00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===>  Extracting for dmenu-4.9
make: getcwd: Permission denied
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648 
'/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu ...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu 
(/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9;  
export _LOCKS_HELD=" d...)

# Doas log showing some commands failed

sirius# tail /var/log/doas
Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX 
/tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv as 
_pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch 
/usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl 
/usr/ports/infrastructure/bin/portlock 
/usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from 
(failed)
Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles as 
_pfetch from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o 
/usr/ports/distfiles/dmenu-4.9.tar.gz.part 
https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from 
/usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command mv 
/usr/ports/distfiles/dmenu-4.9.tar.gz.part 
/usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command rm -f 
/usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from 
/usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from 
(failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -f 
/usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
sirius#

# my full doas.conf, as it can be the one causing problems:

permit msv as root

permit keepenv msv as root cmd cabal

permit nopass msv as root cmd shutdown

permit msv 

Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
I didn't know anything about the mystuff
directory. Anyway I tried it.

mkdir /usr/ports/mystuff
mkdir /usr/ports/mystuff/x11
cp -r /usr/ports/x11/dmenu /usr/ports/mystuff/x11/dmenu
chown -R user:wsrc /usr/ports/mystuff 
cd /usr/ports/mystuff/x11/dmenu
make install

And it was successful, so you should check the
file permissions in and of the mystuff dir.

If the build was successful in /usr/ports/x11/dmenu, then
permissions could be skewed in mystuff ("local user":"wsrc").
If no conflict in that, I think you could have messed up
your /usr/ports/x11/dmenu dir before copying it,
did you edit it?



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Moises Simon
On Thu, Mar 26, 2020 at 06:04:19PM +0530, putridsou...@gmail.com wrote:
> I don't understand the logic of this
> 
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
> 
> to build a package, one usually just runs command
> 
> cd /usr/ports/x11/dmenu
> make install
> 
> try and see if this gives an error.
> 

Yes, that works but I want to apply some private patches to the application.
That's why I copied the port to /usr/ports/mystuff, to make local changes



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
I don't understand the logic of this

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

to build a package, one usually just runs command

cd /usr/ports/x11/dmenu
make install

try and see if this gives an error.



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
You only need to change permissions on the
/usr/obj

Run these as root
install -dm0775 -o _pbuild -g _pbuild /usr/obj 
install -dm0775 -o _pbuild -g _pbuild /usr/obj/ports 

Also the variables DISTDIR and PACKAGE_REPOSITORY 
are redundant, since those are the default values
anyway.

In /etc/doas.conf, replace the three commands with
their complete paths. This will save a headache,
believe me.

Setting WRKOBJDIR is not really useful, the default
location (/usr/ports/pobj) works fine, unless it's an
aesthetic issue, since it deals mostly with temporary
data

Only real use according to me, is to set /usr/ports
as read-only by pushing all work directories out of it.



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Moises Simon
On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> Does _pbuild have write access to /usr/obj? If not, either grant it,
> or create /usr/obj/ports yourself and grant _pbuild write access to
> that.


these were the permissions:

drwxrwxr-x  4 build  wobj  512 Mar 25 11:03 /usr/obj

d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2

because that is for building base I have changed

WRKOBJDIR=/usr/ports/obj

drwxr-xr-x  3 _pbuild  _pbuild  512 Mar 26 10:12 /usr/ports/obj/

Now it's working.

Thanks!

Now I'm getting this:

sirius$ make package
===>  Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% 
|*|
 15972   00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===>  Verifying specs:  X11 Xft Xinerama c fontconfig
===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===>  Extracting for dmenu-4.9
make: don't know how to make do-extract
Stop in .
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
'/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
'/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
'_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$(doas -...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu
(/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
export _LOCKS_HELD="...)

in ports under /usr/ports/mystuff
I just:

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

But it doesn't seem related to PORT_PRIVSEP, I have built wmutils
doing the same without problems

> Allowing pkg_add with nopass opens a way for your account to get root
> without a password.
> 
> Since doas "persist" doesn't allow password persistence with how ports
> uses it, I use sudo not doas on ports dev machines. (I use doas on
> ports build machines, but dpb manages running pkg_add in that case,
> and is started as root so it only needs to drop privs rather than
> raise them).
> 

So dpb for building just 3 or 4 ports is over-kill right?



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Ottavio Caruso
On Wed, 25 Mar 2020 at 11:19, Moises Simon  wrote:
>
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...
>
> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
> permit nopass setenv { TERM } msv cmd pkg_delete
>
> permit keepenv nopass msv as _pbuild
> permit keepenv nopass msv as _pfetch
>
> permit msv as root
>

Hi, have you given a look at this tutorial:
https://dataswamp.org/~solene/2020-01-11-privsep.html

-- 
Ottavio Caruso



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Stuart Henderson
On 2020-03-25, Moises Simon  wrote:
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

Does _pbuild have write access to /usr/obj? If not, either grant it,
or create /usr/obj/ports yourself and grant _pbuild write access to
that.

> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add

Allowing pkg_add with nopass opens a way for your account to get root
without a password.

Since doas "persist" doesn't allow password persistence with how ports
uses it, I use sudo not doas on ports dev machines. (I use doas on
ports build machines, but dpb manages running pkg_add in that case,
and is started as root so it only needs to drop privs rather than
raise them).
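
Two points raised in this thread, that a `nopass` rule for pkg_add amounts to passwordless root and that commands in doas.conf should be given as complete paths, can be checked mechanically. This is an added example, not part of any message above; `audit_doas_conf`, `sample_rules` and the finding names are hypothetical, and the sample rules are constructed, modelled on the doas.conf posted in the thread.

```shell
#!/bin/sh
# audit_doas_conf: read doas.conf rules on stdin, print "LINE:FINDING".
audit_doas_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
    $1 != "permit" { next }              # deny rules grant nothing
    {
        nopass = 0; target = ""; cmd = ""; i = 2
        # Options precede the identity: nopass nolog persist keepenv setenv { ... }
        while (i <= NF) {
            if ($i == "nopass") { nopass = 1; i++ }
            else if ($i == "nolog" || $i == "persist" || $i == "keepenv") i++
            else if ($i == "setenv") {
                i++                      # skip to the token closing the { ... } list
                while (i <= NF && substr($i, length($i)) != "}") i++
                i++
            } else break
        }
        i++                              # $i was the identity (user or :group)
        if ($i == "as")  { target = $(i + 1); i += 2 }
        if ($i == "cmd") cmd = $(i + 1)
        # With no "as" clause the rule covers every target user, root included.
        root = (target == "" || target == "root")
        base = cmd; sub(/.*\//, "", base)
        if (nopass && root && cmd == "")           print NR ":nopass-root-any-command"
        if (nopass && root && base == "pkg_add")   print NR ":nopass-pkg_add-as-root"
        if (cmd != "" && substr(cmd, 1, 1) != "/") print NR ":relative-cmd-path"
    }'
}

# Constructed sample, modelled on the doas.conf posted in the thread.
sample_rules() {
    cat <<'EOF'
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete
permit keepenv nopass msv as _pbuild
permit msv as root
EOF
}

sample_rules | audit_doas_conf
```

Run it against a live configuration with `audit_doas_conf < /etc/doas.conf`.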