Tuesday, May 30, 2023

Re: [new] sysutils/lsblk

On 30.05.23 20:00, Dave Voutila wrote:
>
> Benjamin Stürz <benni+openbsd@stuerz.xyz> writes:
>
>> Hi Omar,
>>
>> On 30.05.23 19:03, Omar Polo wrote:
>>> Hello,
>>> I remember that when I started using OpenBSD I kind of missed
>>> lsblk...
>>> Now I wouldn't look back probably, but it could be nice for newcommers
>>> (at least :-)
>> Yeah, that's the reason why I made this tool.
>> Using sysctl + disklabel + df is a little annoying.
>>
>>> Bummer that it needs superuser privileges to show the list, but I
>>> haven't looked at how it's implemented so don't know.
>> Actually if you do
>> # chgrp operator /usr/local/sbin/lsblk
>> # chmod g+s /usr/local/sbin/lslbk
>
> Adding a setguid program even in ports seems like a bad idea to me.
There isn't anything related to set*id in the program nor the port.
Exceptions: the README and the *optional* `make unroot` rule.
But I thought the same, so I didn't `make unroot` in the port.

Explanation:
It just so happens that if your (egid == operator),
that you have read-only access to disk devices in /dev,
allowing you to read the disklabel(5) and use bio(4).

IMO if you want to follow OpenBSD's principle of least privilege,
you should follow my steps and not run it as root instead,
since root has read-write access to everything in /dev.

My lsblk does utilize pledge(2) & unveil(2) and opendev(3)s things with
only O_RDONLY set, so it should be safe enough (I guess).
>
>> or
>> # make unroot
>> you can run it as a normal user.
>>
>> But I didn't know if I should include it in the port.
>>
>>> The port itself looks fine to me, except for the permissions of
>>> distinfo and PLIST... All files should be 0644 and directories 0755.
>> Fixed, the problem was my umask of 027.
>>
>>> No need to send an updated tarball just for this however, whoever will
>>> import it can easily fix it.
>> Did it anyway + for the reasons below.
>>
>>> OK op@ to import with perms fixed.
>>> Now, some misc nits that don't really affect the port:
>>> - you could set yourself as MAINTAINER for the port. It is not
>>> required of course, but seems you seem to be the upstream too
>>> you're qualified enough I'd say ;-)
>> Done
>>
>>> - I'd drop -Werror from release tarballs. While it is super-useful
>>> during development, it is a super-pita for packagers when the C
>>> compiler gets updated.
>> Done
>>
>> Best regards,
>> Benjamin Stürz
>>
>> [2. application/octet-stream; lsblk-1.2.3.tgz]...

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)