Tuesday, March 31, 2020

Re: problems setting up PORTS_PRIVSEP

On 2020/03/31 11:31, putridsoul66@gmail.com wrote:
> The man page of bsd.port.mk, particular PORTS_PRIVSEP
> provides this suggestion
>
> 'permit nopass setenv {....} user cmd pkg_add'

Personally, I don't want my normal userid to be able to run things as
root unless a password was entered recently, so I don't do that.
Others have different opinions on that.

> I don't know much about what pkg_add can do, but when

As you would expect for something which can install packages, it can
install files on the system, and it can run commands. Trivial example:

$ printf '@name foo-1\n@exec head -1 /etc/master.passwd\n' > +CONTENTS
$ tar czf foo-1.tgz +CONTENTS
$ doas pkg_add -D unsigned ./foo-1.tgz
|No change in quirks-3.288
Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 296.
Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 297.
Use of uninitialized value $path in hash element at /usr/local/libdata/perl5/site_perl/OpenBSD/Quirks.pm line 1688.
Use of uninitialized value in hash element at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 296.
root:$2b$12$<REDACTED>:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
foo-1: ok

Or it could be used to install a setuid root shell or something.

> building packages with many dependencies, password prompt
> greets for every dependency, persist option doesn't work
> across the dependencies for the above command,
> so it becomes a pain in the ass.
>
> I think persist doesn't work because of the setenv part,
> since it is different for every package/sub-package

Persist is working as designed - it has an intentional feature to prevent
passing authorisation "upwards" to a parent process. This is beneficial in
some cases but doesn't work well with ports. That's why I use sudo for
ports dev.

On package build machines I use dpb instead, which starts as root and
handles running pkg_add itself rather than relying on the ports Makefile
infrastructure for that. Then the only thing needed for doas is the
ability for root to *drop* privileges which is safe without password.
(permit keepenv nopass root).
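An added example, not from this thread: a small POSIX sh audit that reads a doas.conf and flags "nopass" rules granting a non-root identity root access without a password (a nopass pkg_add rule counts, since @exec lines run as root), while treating the rule recommended above, root dropping privileges, as safe. The sample configuration and the user names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the mail thread: audit a doas.conf for "nopass"
# rules that give a non-root identity root without a password. "permit nopass
# user cmd pkg_add" is passwordless root in disguise; "permit ... nopass root"
# (root dropping privileges) is the one nopass rule treated as safe here.
# audit_doas_conf FILE: prints one line per risky rule; returns 1 if any found
audit_doas_conf() {
    file=$1; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        rule=${line%%#*}                      # drop trailing comments
        set -- $rule                          # split the rule into tokens
        [ "${1:-}" = permit ] || continue
        shift
        nopass=0; ident=""; target=""; cmd=""
        while [ $# -gt 0 ]; do                # options precede the identity
            case $1 in
                nopass) nopass=1; shift ;;
                nolog|persist|keepenv) shift ;;
                setenv) shift                 # skip the { VAR ... } block
                    while [ $# -gt 0 ]; do
                        tok=$1; shift
                        case $tok in *\}) break ;; esac
                    done ;;
                *) ident=$1; shift; break ;;
            esac
        done
        while [ $# -gt 0 ]; do                # [as target] [cmd command [args ...]]
            case $1 in
                as)   target=${2:-}; shift ;;
                cmd)  cmd=${2:-}; shift ;;
                args) break ;;
            esac
            if [ $# -gt 0 ]; then shift; fi
        done
        if [ "$nopass" -eq 1 ] && [ "$ident" != root ] && { [ -z "$target" ] || [ "$target" = root ]; }; then
            echo "RISK: $ident may run ${cmd:-any command} as root without a password"
            found=1
        fi
    done < "$file"
    [ "$found" -eq 0 ]
}
# constructed sample configuration: only the alice/pkg_add and bob rules are risky
sample=$(mktemp)
cat > "$sample" <<'EOF'
permit nopass setenv { PKG_PATH PKG_CACHE } alice cmd pkg_add
permit nopass bob
permit keepenv nopass root
permit nopass alice as _pbuild cmd make
EOF
audit_doas_conf "$sample" || echo "review the rules above"
rm -f "$sample"
```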
