On 2015/11/05 16:28, Raf Czlonka wrote:
> On Thu, Nov 05, 2015 at 02:32:57PM GMT, Stuart Henderson wrote:
> 
> > yay/nay?
> 
> Personally, I think that parts of faq15 should simply be removed and
> replaced with links to faq/ports - especially since some of it is nearly
> identical.
> 
> Is there any reason why information is duplicated here?

lack of time ;)

> I hadn't had a chance to compile a diff yet, though - lack of time ATM.
> 
> In terms of USE_SYSTRACE, yes - given that this breaks build on some
> ports, removing it makes sense IMO.
> 
> Regards,
> 
> Raf
> 
> > Index: faq15.html
> > ===================================================================
> > RCS file: /cvs/www/faq/faq15.html,v
> > retrieving revision 1.114
> > diff -u -p -r1.114 faq15.html
> > --- faq15.html      2 Nov 2015 03:35:44 -0000       1.114
> > +++ faq15.html      5 Nov 2015 14:26:10 -0000
> > @@ -849,8 +849,8 @@ Because the OpenBSD project does not hav
> >  the source code of all software in the ports tree, you can configure the
> >  ports system to take a few safety precautions.
> >  The ports infrastructure is able to perform all building as a regular user,
> > -and perform only those steps that require superuser privileges as root.
> > -Examples are the <tt>fake</tt> and <tt>install</tt> make targets.
> > +and perform only those steps that require superuser privileges as root, for
> > +example the <tt>install</tt> make target.
> >  However, because root privileges are always required at some point,
> >  the ports system will not save you when you decide to build a malicious
> >  application.
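
Review bot: the replacement sentence in this hunk drops fake from the examples of targets that need root and keeps only install, but nothing in the mail says why; the discussion covers only USE_SYSTRACE. State the reason in the commit message so the change is not read as an accidental deletion. Wording nit on the added lines: "such as the <tt>install</tt> make target" reads more smoothly than ", for example the ...".
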
> > @@ -879,9 +879,8 @@ This requires granting three permissions
> >    by adding the following line to to
> >    <a 
> > href="http://www.openbsd.org/cgi-bin/man.cgi?query=mk.conf&amp;sektion=5";>mk.conf(5)</a>:
> >    <blockquote><pre>
> > -  SUDO=/usr/bin/doas
> > -  </pre></blockquote>
> > -  </ul>
> > +  SUDO=/usr/bin/doas</pre>
> > +  </blockquote></ul>
> >  
> >  <li>You can modify the ownerships of the ports tree so that you can write
> >  there as a regular user.
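
Review bot: the new closing markup in this hunk (</pre> directly after SUDO=/usr/bin/doas, then </blockquote></ul> together on the next line) differs from the </pre></blockquote> on its own line that the chmod example in the following hunk still uses; pick one style for both blocks. While this block is being touched, the context line just above the link has a doubled word ("line to to") that could be fixed in the same commit.
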
> > @@ -892,20 +891,6 @@ underlying directories are made group wr
> >  # <b>chgrp -R wsrc /usr/ports</b>
> >  # <b>find /usr/ports -type d -exec chmod g+w {} \;</b>
> >  </pre></blockquote>
> > -
> > -<li>You can have the ports system use
> > -<a 
> > href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&amp;sektion=1";>systrace(1)</a>
> > -by adding the following to <tt>/etc/mk.conf</tt>
> > -
> > -<blockquote><pre>
> > -USE_SYSTRACE=Yes
> > -</pre></blockquote>
> > -
> > -This enforces the build procedure to stay inside allowed directories, and
> > -prohibits writing in illegal places, thereby considerably reducing the risk
> > -of a damaged system.
> > -Note that the use of systrace(1) adds about 20% overhead in build time.
> > -
> >  </ul>
> >  
> >  <p>
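
Review bot: removing the USE_SYSTRACE item takes out the only entry among those visible in this diff that kept the build inside allowed directories; the remaining items (SUDO=/usr/bin/doas and the group-writable /usr/ports) only cover building as a regular user. The section intro in the first hunk still says the ports system can be configured "to take a few safety precautions", so check that the remaining text does not promise more confinement than these items give, and record the reason for the removal in the commit message.
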
> > 
> 
