On 2015/05/18 10:35, Marc Espie wrote:
> CVSROOT:      /cvs
> Module name:  ports
> Changes by:   es...@cvs.openbsd.org   2015/05/18 10:35:15
> 
> Modified files:
>       infrastructure/lib/DPB: Clock.pm User.pm 
>       infrastructure/lib/DPB/Job: Fetch.pm Port.pm 
> 
> Log message:
> use File object (name + user) to ensure watched files are watched with the
> correct user. Should fix sthen@'s problems.
> 
> (File interface to be used elsewhere, as it's less cumbersome)
> 

Perfect, "frozen" is now working correctly.

There were a few bumps along the way but multi-uid DPB is now all
working really nicely. No more need for contortions to have file
fetching working while disallowing network access for the build user,
and the separate log user saves a lot of hassle with chowning things.

There's another thing I can think of which might be useful. Currently
the built packages are owned by the build user. For extra paranoia
it would be nice to have them owned by another user (I would use the
same uid as log_user) so that the build user doesn't have fs
permissions to change them after they have been generated.

There's a similar (but less important) thing with distfiles, which are
owned by the fetch user; on a system with a shared distfiles directory
it might be helpful to chown them after fetching?

Since some people asked off list about setup, I'm now running it like this:

FETCH_USER=pfetch
LOG_USER=sthen
UNPRIV_USER=punpriv
FETCH_TIMEOUT=4000
FETCH_JOBS=8
LOCKDIR=/usr/obj/dpb-locks
STARTUP=/usr/ports/infrastructure/db/cleanup
DIRMODE=0755
STUCK_TIMEOUT=4000
COLOR=1
DEFAULT junk=400 build_user=pbuild
i386 squiggles=1
i386-2 sf=1.2
localhost

and running with just "dpb -h /path/to/hosts-i386".
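The post above asks for built packages to be owned by a user other than the build user, so that the build user has no filesystem permission to alter them afterwards. As an added example (not from this thread and not part of dpb itself), here is a small POSIX shell audit that checks a packages directory for files still owned by the build user; the directory path and the user name `pbuild` are assumptions matching the hosts file in the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from dpb: audit a
# packages directory for files still owned by the build user.
# find -user is POSIX, so this runs unchanged on OpenBSD and Linux.

# Count regular files under directory $1 owned by user $2.
# Prints 0 (and nothing else) if the user does not exist.
count_owned_by() {
    find "$1" -type f -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Exit 0 when no file under $1 is owned by build user $2, otherwise list
# the offending files on stderr and exit 1.  In the setup from the post
# the packages should end up owned by LOG_USER, never by build_user.
audit_packages() {
    n=$(count_owned_by "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "warning: $n file(s) under $1 still owned by build user $2" >&2
        find "$1" -type f -user "$2" 2>/dev/null >&2
        return 1
    fi
    return 0
}

# Usage (assumed paths/users): audit_packages /usr/ports/packages pbuild
```

Run it after a dpb run against the packages directory for each architecture; a non-zero exit means the build user could still rewrite a package after it was generated.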
