Re: sysutils/coreutils cannot be compiled as root -> idea
On 2023/01/08 22:28, Thomas Dettbarn wrote: > However, my original post was an idea about enhancing security by compiling > everything as non-root by default. Diffs to improve things that don't break existing setup are welcome, but would likely be complicated. The recommended way to build ports is with uid _pbuild which is done by setting PORTS_PRIVSEP=Yes in mk.conf, see the PORTS_PRIVSEP section in bsd.port.mk(5) for info. Slightly less good building as your own uid; building as root is not at all a good idea.
Re: sysutils/coreutils cannot be compiled as root -> idea
On 1/8/2023 4:06 PM, Christian Weisgerber wrote: > > That configure check is from a gnulib macro. It also appears (at > least) in archivers/gtar, where we work around it like this: > > Index: Makefile > === > RCS file: /cvs/ports/sysutils/coreutils/Makefile,v > retrieving revision 1.25 > diff -u -p -r1.25 Makefile > --- Makefile 5 Jun 2022 00:25:07 - 1.25 > +++ Makefile 8 Jan 2023 21:05:05 - > @@ -22,6 +22,8 @@ LIB_DEPENDS = devel/gettext,-runtime > CONFIGURE_STYLE =gnu > CONFIGURE_ARGS = --program-prefix=g \ > --without-libgmp > +# supply result to skip a test that will abort configure if run as root > +CONFIGURE_ENV += gl_cv_func_mknod_works=no > > # Fixes a spurrious test failure > PORTHOME = ${WRKDIR} > OK for me. Thanks. ~Brian
Re: sysutils/coreutils cannot be compiled as root -> idea
On 1/8/23 22:06, Christian Weisgerber wrote: That configure check is from a gnulib macro. It also appears (at least) in archivers/gtar, where we work around it like this: Exactly! An easy fix to the port. (Given that the Maintainer wants to fix it, of course. ;) ) However, my original post was an idea about enhancing security by compiling everything as non-root by default. Thomas
Re: sysutils/coreutils cannot be compiled as root -> idea
Thomas Dettbarn: > So... I noticed that the sysutils/coreutils port cannot be compiled as > root. > checking whether mknod can create fifo without root privileges... > configure: error: in `/usr/ports/pobj/coreutils-9.1/coreutils-9.1': > configure: error: you should not run configure as root That configure check is from a gnulib macro. It also appears (at least) in archivers/gtar, where we work around it like this: Index: Makefile === RCS file: /cvs/ports/sysutils/coreutils/Makefile,v retrieving revision 1.25 diff -u -p -r1.25 Makefile --- Makefile5 Jun 2022 00:25:07 - 1.25 +++ Makefile8 Jan 2023 21:05:05 - @@ -22,6 +22,8 @@ LIB_DEPENDS = devel/gettext,-runtime CONFIGURE_STYLE = gnu CONFIGURE_ARGS = --program-prefix=g \ --without-libgmp +# supply result to skip a test that will abort configure if run as root +CONFIGURE_ENV += gl_cv_func_mknod_works=no # Fixes a spurrious test failure PORTHOME = ${WRKDIR} -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: sysutils/coreutils cannot be compiled as root -> idea
08.01.2023 14:40, Thomas Dettbarn пишет: > Hello! > > > So... I noticed that the sysutils/coreutils port cannot be compiled as > root. Whether or not this is a problem of the port or me being too > naiive when it comes to installing something is up to you. > (pkg_add coreutils fixed my problem) Almost sounds like a feature to me. bsd.port.mk(5) describes PORTS_PRIVSEP which is highly encouraged. > > Anyways, see for yourself: > % cd /usr/ports/sysutils/coreutils > % doas make > ... > checking whether mkfifo rejects trailing slashes... yes > checking whether mkfifoat rejects trailing slashes... yes > checking whether mknod can create fifo without root privileges... > configure: error: in `/usr/ports/pobj/coreutils-9.1/coreutils-9.1': > configure: error: you should not run configure as root (set > FORCE_UNSAFE_CONFIGURE=1 in environment to bypass this check) > See `config.log' for more details > % This is upstream software telling you this, not the ports framework. Add besaid variable to bsd.port.mk(5) CONFIGURE_ENV if you must continue risky root builds. > > > Whilst this is just a minor inconveniance when compiling the port > itself, it is certainly a niusance when this port becomes a dependency > > % cd /usr/ports/graphics/giflib > % make test > ... > checking whether mkfifo rejects trailing slashes... yes > checking whether mkfifoat rejects trailing slashes... yes > checking whether mknod can create fifo without root privileges... > configure: error: in `/usr/ports/pobj/coreutils-9.1/coreutils-9.1': > configure: error: you should not run configure as root (set > FORCE_UNSAFE_CONFIGURE=1 in environment to bypass this check) > See `config.log' for more details > % > > I already contacted the maintainer, he is a strong proponent of > compiling ports as users, not as root. > > So, here is my idea: > > RUNNING THE BUILD STAGE AUTOMATICALLY AS USER See PORTS_PRIVSEP. > > Without having any deeper knowledge about the build process, I imagine > it being something like this: > > make dependencies > make fetch > make checksum > make extract > make build > make package > make install > > So, what I am proposing would be something like this > > make dependencies > make fetch > make checksum > make extract > su - nobody make build > make package > make install > > > Good idea? Bad idea? Awful idea? > > > Thomas >