Title: Using the OpenBSD ports tree with dedicated users
Author: Solène
Date: 11 January 2020
Tags: openbsd
Description:
If you want to contribute to the OpenBSD ports collection you will want to enable the `PORTS_PRIVSEP` feature. When this variable is set, the ports system will use dedicated users for its tasks: source tarballs will be downloaded by the user _pfetch, and all compilation and packaging will be done by the user _pbuild.

Those users are created at system install, and pf has a default rule that prevents the _pbuild user from making network connections. This stops ports from doing anything on the network while they build, which is what you want. It adds a great deal of security to the porting process, and any malicious code run by a port being compiled will be harmless.
In order to enable this feature, a few changes must be made. The file /etc/mk.conf must contain:

PORTS_PRIVSEP=yes
SUDO=doas

Then, /etc/doas.conf must allow your user to become _pfetch and _pbuild:

permit keepenv nopass solene as _pbuild
permit keepenv nopass solene as _pfetch
permit keepenv solene as root

If you don't want to use the last line, there is an explanation in the bsd.port.mk(5) man page.
Finally, within the ports tree, some permissions must be changed:

# chown -R _pfetch:_pfetch /usr/ports/distfiles
# chown -R _pbuild:_pbuild /usr/ports/{packages,plist,pobj,bulk}

If the directories don't exist yet on your system (this is the case on a fresh ports checkout / untar), you can create them with the commands:

# install -d -o _pfetch -g _pfetch /usr/ports/distfiles
# install -d -o _pbuild -g _pbuild /usr/ports/{packages,plist,pobj,bulk}

Now, when you run a command in the ports tree, privileges should be dropped to the appropriate users.
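To confirm the three steps above actually took effect before starting a build, here is a small POSIX sh checker. It is an added example, not part of the original post or of the OpenBSD ports infrastructure; the function names, the `MK_CONF` and `DOAS_CONF` override variables, and the use of `ls -ld` to read ownership are my own assumptions, and the defaults are the standard paths from the post.

```shell
#!/bin/sh
# Added example: verify a PORTS_PRIVSEP setup (mk.conf, doas.conf, directory ownership).
# Every check returns 0 on success and 1 on failure so it can be scripted.

# check_mk_conf FILE: succeed only if FILE sets PORTS_PRIVSEP=yes and SUDO=doas.
check_mk_conf() {
    f=${1:-/etc/mk.conf}
    grep -q '^PORTS_PRIVSEP=yes' "$f" && grep -q '^SUDO=doas' "$f"
}

# check_doas_conf FILE USER: succeed only if USER has a permit rule to become
# both _pfetch and _pbuild (options such as keepenv/nopass may appear in between).
check_doas_conf() {
    f=${1:-/etc/doas.conf}; u=$2
    for target in _pfetch _pbuild; do
        grep -Eq "^permit[[:space:]].*[[:space:]]$u[[:space:]]+as[[:space:]]+$target([[:space:]]|\$)" "$f" \
            || return 1
    done
}

# check_owner DIR USER GROUP: succeed only if DIR exists and is owned by USER:GROUP.
# Ownership is read from the third and fourth columns of ls -ld (same on OpenBSD and Linux).
check_owner() {
    d=$1; want_u=$2; want_g=$3
    [ -d "$d" ] || return 1
    got=$(ls -ld "$d" | awk '{print $3 ":" $4}')
    [ "$got" = "$want_u:$want_g" ]
}

# check_ports_privsep [PORTS_DIR] [USER]: run all checks, report each failure,
# and return nonzero if anything is wrong. MK_CONF/DOAS_CONF override the paths.
check_ports_privsep() {
    ports=${1:-/usr/ports}; u=${2:-$(id -un)}; rc=0
    check_mk_conf "${MK_CONF:-/etc/mk.conf}" \
        || { echo "mk.conf: need PORTS_PRIVSEP=yes and SUDO=doas"; rc=1; }
    check_doas_conf "${DOAS_CONF:-/etc/doas.conf}" "$u" \
        || { echo "doas.conf: $u cannot become both _pfetch and _pbuild"; rc=1; }
    check_owner "$ports/distfiles" _pfetch _pfetch \
        || { echo "$ports/distfiles: expected owner _pfetch:_pfetch"; rc=1; }
    for d in packages plist pobj bulk; do
        check_owner "$ports/$d" _pbuild _pbuild \
            || { echo "$ports/$d: expected owner _pbuild:_pbuild"; rc=1; }
    done
    return $rc
}

# Usage: sh privsep-check.sh check /usr/ports solene
if [ "$1" = "check" ]; then check_ports_privsep "$2" "$3"; fi
```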