Re: problems setting up PORTS_PRIVSEP
The man page of bsd.port.mk, in particular PORTS_PRIVSEP, provides this suggestion:

'permit nopass setenv {} user cmd pkg_add'

I don't know much about what pkg_add can do, but when building packages with many dependencies, a password prompt greets you for every dependency; the persist option doesn't work across the dependencies for the above command, so it becomes a pain in the ass. I think persist doesn't work because of the setenv part, since it is different for every package/sub-package.

What do you suggest?
Re: problems setting up PORTS_PRIVSEP
On 2020-03-30, Moises Simon wrote:
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add

pkg_add can run any command, so if you permit pkg_add without a password, you might as well not require a password for anything.
Re: problems setting up PORTS_PRIVSEP
On Mon, Mar 30, 2020 at 01:22:03PM +0200, Moises Simon wrote:
> sirius$ make build
> ===> Verifying specs: X11 Xft Xinerama c fontconfig
> ===> found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===> Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100%
> |*|
> 15972 00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===> Extracting for dmenu-4.9
> make: getcwd: Permission denied
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648
> '/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu
> ...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu
> (/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9;
> export _LOCKS_HELD=" d...)
>
> # Doas log showing some comands failed
>
> sirius# tail /var/log/doas
> Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX
> /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv
> as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch
> /usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl
> /usr/ports/infrastructure/bin/portlock
> /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from
> (failed)
> Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles
> as _pfetch from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o
> /usr/ports/distfiles/dmenu-4.9.tar.gz.part
> https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from
> /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command mv
> /usr/ports/distfiles/dmenu-4.9.tar.gz.part
> /usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command rm -f
> /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from
> /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from
> (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -f
> /usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
> sirius#
>

After more tests, the problem was my umask 027. /usr/ports/mystuff/x11 was 750 and that was causing problems for ports under mystuff but not on /usr/ports.
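The diagnosis in the message above (umask 027 leaving /usr/ports/mystuff/x11 at mode 750) can be checked mechanically. The script below is an added example, not part of the thread or of the ports infrastructure; the function names are made up here, and it assumes the build user (_pbuild in the thread) is neither owner nor group member of the directories, so only the "other" permission bits apply.

```sh
#!/bin/sh
# Added example. Assumption: the build user (_pbuild in the thread) is neither
# owner nor group member of the ports directories, so the "other" bits apply.

# other_bits DIR: print the "other" triplet of DIR's mode, e.g. "r-x" or "---".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# first_blocked_dir BASE TARGET: walk from BASE down to TARGET and print the
# first directory that is not world-readable and world-searchable.
# Prints nothing when the whole chain is fine.
first_blocked_dir() {
    base=${1%/}; target=${2%/}
    case "$target/" in
        "$base"/*) ;;
        *) echo "target is not under base" >&2; return 2 ;;
    esac
    cur=${base:-/}
    rest=${target#"$base"}                # e.g. /mystuff/x11/dmenu
    while :; do
        case $(other_bits "$cur") in
            r?[xt]) ;;                    # r-x, rwx, or the sticky variants
            *) printf '%s\n' "$cur"; return 0 ;;
        esac
        [ -n "$rest" ] || return 0
        rest=${rest#/}
        cur=$cur/${rest%%/*}
        case $rest in
            */*) rest=/${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# Constructed demo: rebuild the thread's layout in a scratch directory, with
# x11/ and the port copy created under umask 027 as in the diagnosis above.
demo() {
    d=$(mktemp -d) && chmod 755 "$d" && mkdir -m 755 "$d/mystuff"
    ( umask 027 && mkdir -p "$d/mystuff/x11/dmenu" )
    first_blocked_dir "$d" "$d/mystuff/x11/dmenu"
    rm -rf "$d"
}
demo
```

On a real tree the call would be `first_blocked_dir /usr/ports /usr/ports/mystuff/x11/dmenu`; an empty result means every directory on the way is world-readable and searchable.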
Re: problems setting up PORTS_PRIVSEP
On Thu, Mar 26, 2020 at 12:38:19PM +0100, Moises Simon wrote:
> On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> > Does _pbuild have write access to /usr/obj? If not, either grant it,
> > or create /usr/obj/ports yourself and grant _pbuild write access to
> > that.
>
> this where the permissions:
>
> drwxrwxr-x 4 build wobj 512 Mar 25 11:03 /usr/obj
>
> d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2
>
> because that is for building base I have changed
>
> WRKOBJDIR=/usr/ports/obj
>
> drwxr-xr-x 3 _pbuild _pbuild 512 Mar 26 10:12 /usr/ports/obj/
>
> Now its working.
>
> Thanks!
>
> Now i'm getting this:
>
> sirius$ make package
> ===> Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100%
> |*|
> 15972 00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===> Verifying specs: X11 Xft Xinerama c fontconfig
> ===> found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===> Extracting for dmenu-4.9
> make: don't know how to make do-extract
> Stop in .
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
> '/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu
> &...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
> '/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd
> /usr/ports/mystuff/x11/dm...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
> '_internal-package': @case X${_DEPENDS_CACHE} in X) _DEPENDS_CACHE=$(doas
> -...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu
> (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
> export _LOCKS_HELD="...)
>
> in ports under /usr/ports/mystuff
> I just:
>
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
>

I'm having lots of problems with permissions under /usr/ports/. I have even deleted and fetched new cvs ports following:

https://www.openbsd.org/faq/faq5.html#wsrc
"Avoid running cvs(1) as root. The /usr/src directory (where your source will typically go) is writable by the wsrc group by default, so add users that need to use cvs(1) to that group."

https://man.openbsd.org/bsd.port.mk#PORTS_PRIVSEP
"To work fully, this does require the ports tree to be world-readable, and ${WRKDIR} to be world-readable as well (update-patches and friends won't work otherwise)."

doing

sirius# find /usr/ports/ -type f -exec chmod 644 {} \+
sirius# find /usr/ports/ -type d -exec chmod 755 {} \+

I get:

sirius$ make build
===> Verifying specs: X11 Xft Xinerama c fontconfig
===> found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===> Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*| 15972 00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===> Extracting for dmenu-4.9
make: getcwd: Permission denied
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648 '/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu ...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9; export _LOCKS_HELD=" d...)

# Doas log showing some commands failed

sirius# tail /var/log/doas
Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch /usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl /usr/ports/infrastructure/bin/portlock /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles as _pfetch from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o /usr/ports/distfiles/dmenu-4.9.tar.gz.part https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command mv /usr/ports/distfiles/dmenu-4.9.tar.gz.part /usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
sirius#

# my full doas.conf as it can be the one causing problems:

permit msv as root
permit keepenv msv as root cmd cabal
permit nopass msv as root cmd shutdown
permit msv a
Re: problems setting up PORTS_PRIVSEP
I didn't know anything about the mystuff directory. Anyway, I tried it.

mkdir /usr/ports/mystuff
mkdir /usr/ports/mystuff/x11
cp -r /usr/ports/x11/dmenu /usr/ports/mystuff/x11/dmenu
chown -R user:wsrc /usr/ports/mystuff
cd /usr/ports/mystuff/x11/dmenu
make install

And it was successful, so you should check the file permissions in and of mystuff dir. If build was successful in /usr/ports/x11/dmenu, then permission could be skewed in mystuff. ("local user":"wsrc")

If no conflict in that, I think you could have messed up your /usr/ports/x11/dmenu dir before copying it, did you edit it?
Re: problems setting up PORTS_PRIVSEP
On Thu, Mar 26, 2020 at 06:04:19PM +0530, putridsou...@gmail.com wrote:
> I don't understand the logic of this
>
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
>
> to build a package, one usually just runs command
>
> cd /usr/ports/x11/dmenu
> make install
>
> try and see if this gives an error.
>

Yes, that works but I want to apply some private patches to the application. That's why I copied the port to /usr/ports/mystuff, to make local changes.
Re: problems setting up PORTS_PRIVSEP
I don't understand the logic of this

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

to build a package, one usually just runs command

cd /usr/ports/x11/dmenu
make install

try and see if this gives an error.
Re: problems setting up PORTS_PRIVSEP
You only need to change permissions on the /usr/obj

Run these as root

install -dm0775 -o _pbuild -g _pbuild /usr/obj
install -dm0775 -o _pbuild -g _pbuild /usr/obj/ports

Also the variables DISTDIR and PACKAGE_REPOSITORY are redundant, since those are the default values anyway.

In /etc/doas.conf, replace the three commands with their complete paths. This will save a headache, believe me.

Setting WRKOBJDIR is not really useful, the default location (/usr/ports/pobj) works fine, unless it's an aesthetic issue, since it deals mostly with temporary data. Only real use according to me, is to set /usr/ports as read-only by pushing all work directories out of it.
Re: problems setting up PORTS_PRIVSEP
On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> Does _pbuild have write access to /usr/obj? If not, either grant it,
> or create /usr/obj/ports yourself and grant _pbuild write access to
> that.

these were the permissions:

drwxrwxr-x 4 build wobj 512 Mar 25 11:03 /usr/obj

d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2

because that is for building base, I have changed

WRKOBJDIR=/usr/ports/obj

drwxr-xr-x 3 _pbuild _pbuild 512 Mar 26 10:12 /usr/ports/obj/

Now it's working.

Thanks!

Now I'm getting this:

sirius$ make package
===> Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*| 15972 00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===> Verifying specs: X11 Xft Xinerama c fontconfig
===> found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===> Extracting for dmenu-4.9
make: don't know how to make do-extract
Stop in .
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641 '/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089 '/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578 '_internal-package': @case X${_DEPENDS_CACHE} in X) _DEPENDS_CACHE=$(doas -...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9; export _LOCKS_HELD="...)

in ports under /usr/ports/mystuff
I just:

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

But it doesn't seem related to PORT_PRIVSEP; I have built wmutils doing the same without problems.

> Allowing pkg_add with nopass opens a way for your account to get root
> without a password.
>
> Since doas "persist" doesn't allow password persistence with how ports
> uses it, I use sudo not doas on ports dev machines. (I use doas on
> ports build machines, but dpb manages running pkg_add in that case,
> and is started as root so it only needs to drop privs rather than
> raise them).
>

So dpb for building just 3 or 4 ports is overkill, right?
Re: problems setting up PORTS_PRIVSEP
On Wed, 25 Mar 2020 at 11:19, Moises Simon wrote:
>
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53. *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...
>
> even after doing make fix-permissions. I'm not seens something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
> permit nopass setenv { TERM } msv cmd pkg_delete
>
> permit keepenv nopass msv as _pbuild
> permit keepenv nopass msv as _pfetch
>
> permit msv as root
>

Hi, have you given a look at this tutorial:

https://dataswamp.org/~solene/2020-01-11-privsep.html

--
Ottavio Caruso
Re: problems setting up PORTS_PRIVSEP
On 2020-03-25, Moises Simon wrote:
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53. *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

Does _pbuild have write access to /usr/obj? If not, either grant it, or create /usr/obj/ports yourself and grant _pbuild write access to that.

> even after doing make fix-permissions. I'm not seens something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add

Allowing pkg_add with nopass opens a way for your account to get root without a password.

Since doas "persist" doesn't allow password persistence with how ports uses it, I use sudo not doas on ports dev machines. (I use doas on ports build machines, but dpb manages running pkg_add in that case, and is started as root so it only needs to drop privs rather than raise them).
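The two replies in this thread that warn about nopass pkg_add (the 2020-03-30 one and the message above), together with the advice to use complete command paths in /etc/doas.conf, can be turned into a small review check. This is an added example, not code from the thread or from OpenBSD; the function names and the tags NOPASS_ROOT and RELATIVE_CMD are made up here, and the sample input is the doas.conf from the original post.

```sh
#!/bin/sh
# Added example; the tags NOPASS_ROOT and RELATIVE_CMD are names chosen here.

# audit_doas [FILE]: read doas.conf rules (file or stdin) and print one
# finding per line as "<line> <TAG> <rule>".
audit_doas() {
    awk '
    /^[ \t]*(#|$)/ { next }                # comments and blank lines
    $1 != "permit" { next }                # deny rules grant nothing
    {
        nopass = 0; target = ""; cmd = ""; in_env = 0
        for (i = 2; i <= NF; i++) {
            if (in_env) {                  # inside setenv { ... }
                if (substr($i, length($i)) == "}") in_env = 0
                continue
            }
            if (substr($i, 1, 1) == "{") {
                if (substr($i, length($i)) != "}") in_env = 1
                continue
            }
            if ($i == "nopass") nopass = 1
            else if ($i == "as")  target = $(++i)
            else if ($i == "cmd") { cmd = $(++i); break }
        }
        base = cmd; sub(/.*\//, "", base)
        # No "as" means any target user, root included.
        may_be_root = (target == "" || target == "root")
        if (nopass && may_be_root && (cmd == "" || base == "pkg_add"))
            print NR, "NOPASS_ROOT", $0
        if (cmd != "" && substr(cmd, 1, 1) != "/")
            print NR, "RELATIVE_CMD", $0
    }' "$@"
}

# The doas.conf posted at the start of the thread, reproduced as sample input.
thread_doas_conf() {
    cat <<'EOF'
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root
EOF
}

thread_doas_conf | audit_doas
```

Switching the rule to /usr/sbin/pkg_add clears RELATIVE_CMD but not NOPASS_ROOT, which matches the point made in the replies: the path is not the problem, the missing password is.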
problems setting up PORTS_PRIVSEP
Hi misc,

I'm trying to set the ports system to use PORT_PRIVSEP according to bsd.port.mk(5) and https://www.openbsd.org/faq/ports/ports.html#PortsConfig

but I'm getting the following error:

sirius$ make fetch
mkdir /usr/obj/ports: Permission denied at /usr/ports/infrastructure/bin/portlock line 53.
*** Error 255 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

even after doing make fix-permissions. I'm not seeing something.

cat /etc/mk.conf
SUDO=doas
CLEANDEPENDS=Yes
PORTS_PRIVSEP=Yes
WRKOBJDIR=/usr/obj/ports
DISTDIR=/usr/ports/distfiles
PACKAGE_REPOSITORY=/usr/ports/packages

cat /etc/doas.conf
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root