Title: Using the OpenBSD ports tree with dedicated users
Author: Solène
Date: 11 January 2020
Tags: openbsd
Description:

If you want to contribute to the OpenBSD ports collection, you will want to enable the `PORTS_PRIVSEP` feature. When this variable is set, the ports system uses dedicated users for its tasks: source tarballs are downloaded by the user _pfetch, and all compilation and packaging is done by the user _pbuild.

Those users are created at system install, and pf has a default rule that prevents the _pbuild user from doing network access. This prevents ports from doing network stuff, and this is what you want. It adds a lot of security to the porting process: any malicious code run by a port being compiled will be harmless, since it runs as an unprivileged user without network access.

In order to enable this feature, a few changes must be made.

The file /etc/mk.conf must contain:

```
PORTS_PRIVSEP=yes
SUDO=doas
```

Then, /etc/doas.conf must allow your user to become _pfetch and _pbuild:

```
permit keepenv nopass solene as _pbuild
permit keepenv nopass solene as _pfetch
permit keepenv solene as root
```

If you don't want to use the last line, there is an explanation in the bsd.port.mk(5) man page.

Finally, within the ports tree, some permissions must be changed:

```
# chown -R _pfetch:_pfetch /usr/ports/distfiles
# chown -R _pbuild:_pbuild /usr/ports/{packages,plist,pobj,bulk}
```

If the directories don't exist yet on your system (this is the case on a fresh ports checkout / untar), you can create them with these commands:

```
# install -d -o _pfetch -g _pfetch /usr/ports/distfiles
# install -d -o _pbuild -g _pbuild /usr/ports/{packages,plist,pobj,bulk}
```

Now, when you run a command in the ports tree, privileges should be dropped to the corresponding users.
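As an added example that is not part of the original post: a small POSIX sh script that verifies the three pieces of the setup described above (the mk.conf variables, the doas rules, and the ownership of the ports directories) so that a missing step shows up before the first build silently runs as the wrong user. It assumes the default paths from the post (/etc/mk.conf, /etc/doas.conf, /usr/ports) and takes the username as its first argument; the ownership check uses `ls -ld` rather than `stat` so the same script runs on OpenBSD and on other systems.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a PORTS_PRIVSEP setup.
# Usage: sh check_privsep.sh USER [MK_CONF] [DOAS_CONF] [PORTSDIR]
# Defaults are the paths the post uses (assumed): /etc/mk.conf, /etc/doas.conf, /usr/ports.

# check_mkconf FILE: succeed only if both PORTS_PRIVSEP=yes and SUDO=doas are set
# as whole lines (a commented-out or indented variant does not count).
check_mkconf() {
    grep -q '^PORTS_PRIVSEP=yes[[:space:]]*$' "$1" && grep -q '^SUDO=doas[[:space:]]*$' "$1"
}

# check_doas FILE USER: succeed only if USER has a "permit ... nopass ... USER as TARGET"
# rule for both _pfetch and _pbuild. Password-less rules are required here because that
# is the shape of the configuration the post gives.
check_doas() {
    _file=$1 _user=$2
    for _target in _pfetch _pbuild; do
        grep -E "^permit[[:space:]].*[[:space:]]$_user[[:space:]]+as[[:space:]]+$_target[[:space:]]*$" "$_file" \
            | grep -q '[[:space:]]nopass[[:space:]]' || return 1
    done
}

# check_owner DIR USER: succeed only if DIR exists and is owned by USER.
# ls -ld is used instead of stat because stat's flags differ between BSD and GNU.
check_owner() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# check_privsep USER [MK_CONF] [DOAS_CONF] [PORTSDIR]: run every check, print one
# line per item and return non-zero if anything is wrong.
check_privsep() {
    _u=$1 _mk=${2:-/etc/mk.conf} _doas=${3:-/etc/doas.conf} _ports=${4:-/usr/ports}
    _rc=0
    if check_mkconf "$_mk"; then echo "ok   $_mk sets PORTS_PRIVSEP=yes and SUDO=doas"
    else echo "FAIL $_mk: add PORTS_PRIVSEP=yes and SUDO=doas"; _rc=1; fi
    if check_doas "$_doas" "$_u"; then echo "ok   $_doas lets $_u become _pfetch and _pbuild"
    else echo "FAIL $_doas: missing nopass rules for $_u as _pfetch and _pbuild"; _rc=1; fi
    if check_owner "$_ports/distfiles" _pfetch; then echo "ok   $_ports/distfiles owned by _pfetch"
    else echo "FAIL $_ports/distfiles should exist and be owned by _pfetch"; _rc=1; fi
    for _d in packages plist pobj bulk; do
        if check_owner "$_ports/$_d" _pbuild; then echo "ok   $_ports/$_d owned by _pbuild"
        else echo "FAIL $_ports/$_d should exist and be owned by _pbuild"; _rc=1; fi
    done
    return $_rc
}

# Run only when a username is given, so the functions can also be sourced elsewhere.
if [ $# -gt 0 ]; then
    check_privsep "$@"
fi
```

Running `sh check_privsep.sh solene` as root prints one `ok` or `FAIL` line per item and exits non-zero if any check failed; the `FAIL` lines name the exact file or directory to fix, matching the chown and install commands above.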