Re: make build as root fails when SUDO=doas
On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> hi
>
> I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make build`
> in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass root
> as root". This fails when using "doas" in regress/usr/bin/ssh/
>
> doas: Operation not permitted
> *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> *** Error 1 in regress/usr.bin (:48 'cleandir')
> *** Error 1 in regress (:48 'cleandir')
> *** Error 1 in . (:48 'cleandir')
> *** Error 1 in . (Makefile:86 'do-build')
> *** Error 1 in /usr/src (Makefile:74 'build')
>
>
> the issue comes from the 3rd line of that extract from Makefile:212
>
> clean: ${CLEAN_SUBDIR}
>         rm -f ${CLEANFILES}
>         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
>         rm -rf .putty
>
> Not sure how to fix it. Maybe people shouldn't try to compile as root when
> having SUDO=doas set and then, it's not an issue anymore?

I have the following line in my /etc/mk.conf:

SUDO!!=[ `id -u` -ne 0 ] && echo /usr/bin/doas; true
Re: make build as root fails when SUDO=doas
Solene Rapenne wrote:
> Not sure how to fix it. Maybe people shouldn't try to compile as root when
> having SUDO=doas set and then, it's not an issue anymore?

yeah, i would say this is an issue of your own making. you ask to use doas,
make is going to use doas.
Re: make build as root fails when SUDO=doas
On Mon, Dec 10, 2018 at 08:17:04PM +0100, Anton Lindqvist wrote:
> On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> > hi
> >
> > I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make
> > build`
> > in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass
> > root
> > as root". This fails when using "doas" in regress/usr/bin/ssh/
> >
> > doas: Operation not permitted
> > *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> > *** Error 1 in regress/usr.bin (:48 'cleandir')
> > *** Error 1 in regress (:48 'cleandir')
> > *** Error 1 in . (:48 'cleandir')
> > *** Error 1 in . (Makefile:86 'do-build')
> > *** Error 1 in /usr/src (Makefile:74 'build')
> >
> >
> > the issue comes from the 3rd line of that extract from Makefile:212
> >
> > clean: ${CLEAN_SUBDIR}
> >         rm -f ${CLEANFILES}
> >         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
> >         rm -rf .putty
> >
> > Not sure how to fix it. Maybe people shouldn't try to compile as root when
> > having SUDO=doas set and then, it's not an issue anymore?
>
> I have the following line in my /etc/mk.conf:
>
> SUDO!!=[ `id -u` -ne 0 ] && echo /usr/bin/doas; true

That's not really a solution. It means you are going to run this
each time you run any bsd makefile.
Re: make build as root fails when SUDO=doas
On Mon, Dec 10, 2018 at 03:37:48PM -0500, Ted Unangst wrote:
> Solene Rapenne wrote:
> > Not sure how to fix it. Maybe people shouldn't try to compile as root when
> > having SUDO=doas set and then, it's not an issue anymore?
>
> yeah, i would say this is an issue of your own making. you ask to use doas,
> make is going to use doas.

This is not really acceptable, ports and src should play nice with each
other, usually.
Re: make build as root fails when SUDO=doas
On 2018/12/10 23:28, Marc Espie wrote:
> On Mon, Dec 10, 2018 at 08:17:04PM +0100, Anton Lindqvist wrote:
> > On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> > > hi
> > >
> > > I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make
> > > build`
> > > in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass
> > > root
> > > as root". This fails when using "doas" in regress/usr/bin/ssh/
> > >
> > > doas: Operation not permitted
> > > *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> > > *** Error 1 in regress/usr.bin (:48 'cleandir')
> > > *** Error 1 in regress (:48 'cleandir')
> > > *** Error 1 in . (:48 'cleandir')
> > > *** Error 1 in . (Makefile:86 'do-build')
> > > *** Error 1 in /usr/src (Makefile:74 'build')
> > >
> > >
> > > the issue comes from the 3rd line of that extract from Makefile:212
> > >
> > > clean: ${CLEAN_SUBDIR}
> > >         rm -f ${CLEANFILES}
> > >         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
> > >         rm -rf .putty
> > >
> > > Not sure how to fix it. Maybe people shouldn't try to compile as root when
> > > having SUDO=doas set and then, it's not an issue anymore?
> >
> > I have the following line in my /etc/mk.conf:
> >
> > SUDO!!=[ `id -u` -ne 0 ] && echo /usr/bin/doas; true
>
> That's not really a solution. It means you are going to run this
> each time you run any bsd makefile.
>

I might be missing something, but why not just use the "permit nopass
root as root" line? root can already do those things so it doesn't
seem to be protecting from anything ..
Re: make build as root fails when SUDO=doas
On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> hi
>
> I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make build`
> in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass root
> as root". This fails when using "doas" in regress/usr/bin/ssh/
>
> doas: Operation not permitted
> *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> *** Error 1 in regress/usr.bin (:48 'cleandir')
> *** Error 1 in regress (:48 'cleandir')
> *** Error 1 in . (:48 'cleandir')
> *** Error 1 in . (Makefile:86 'do-build')
> *** Error 1 in /usr/src (Makefile:74 'build')
>
>
> the issue comes from the 3rd line of that extract from Makefile:212
>
> clean: ${CLEAN_SUBDIR}
>         rm -f ${CLEANFILES}
>         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
>         rm -rf .putty
>
> Not sure how to fix it. Maybe people shouldn't try to compile as root when
> having SUDO=doas set and then, it's not an issue anymore?

There are several possibilities:
- add a test similar to the one in src/Makefile, e.g., not run
sudo if you're root already (relatively complicated for no obvious benefit)

- try to remove the files normally first
        rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}

this should actually fix the issue.

Any other directory with that problem ?
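
The difference between the original clean rule and the "try rm first" rule proposed above, as an added example that is not part of the thread or of the OpenBSD tree. `fake_doas` is a hypothetical stand-in for doas refusing the caller (no matching permit rule), and the leftover file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration; not code from the thread or from the OpenBSD tree.
# fake_doas is a hypothetical stand-in for doas when doas.conf has no rule
# permitting the caller (the "root as root" case): it always refuses.
fake_doas() {
    echo "doas: Operation not permitted" >&2
    return 1
}

# Original rule: escalate whenever SUDO is set, even if plain rm would do.
clean_original() {
    test -z "$SUDO" || $SUDO rm -f $SUDO_CLEAN
}

# Proposed rule: try plain rm first, escalate only if that fails.
clean_proposed() {
    rm -f $SUDO_CLEAN || test -z "$SUDO" || $SUDO rm -f $SUDO_CLEAN
}

# Run one rule against a freshly constructed leftover file.
# usage: run_case <rule> <SUDO value>; prints "<exit status> <left|removed>"
run_case() {
    rule=$1
    SUDO=$2
    dir=$(mktemp -d) || return 1
    SUDO_CLEAN=$dir/leftover          # constructed sample file
    : > "$SUDO_CLEAN"
    status=0
    "$rule" 2>/dev/null || status=$?  # keep the rule's exit status
    if [ -e "$SUDO_CLEAN" ]; then state=left; else state=removed; fi
    rm -rf "$dir"
    echo "$status $state"
}

# Compare both rules with SUDO empty and with SUDO set to the refusing stub.
for r in clean_original clean_proposed; do
    for s in "" fake_doas; do
        printf '%-15s SUDO=%-12s -> %s\n' "$r" "'$s'" "$(run_case "$r" "$s")"
    done
done
```

With SUDO empty the original rule exits 0 without removing anything, which is why the order of the `||` chain matters for people who only run `make build`.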
Re: make build as root fails when SUDO=doas
Marc Espie wrote:
> On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> > hi
> >
> > I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make
> > build`
> > in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass
> > root
> > as root". This fails when using "doas" in regress/usr/bin/ssh/
> >
> > doas: Operation not permitted
> > *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> > *** Error 1 in regress/usr.bin (:48 'cleandir')
> > *** Error 1 in regress (:48 'cleandir')
> > *** Error 1 in . (:48 'cleandir')
> > *** Error 1 in . (Makefile:86 'do-build')
> > *** Error 1 in /usr/src (Makefile:74 'build')
> >
> >
> > the issue comes from the 3rd line of that extract from Makefile:212
> >
> > clean: ${CLEAN_SUBDIR}
> >         rm -f ${CLEANFILES}
> >         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
> >         rm -rf .putty
> >
> > Not sure how to fix it. Maybe people shouldn't try to compile as root when
> > having SUDO=doas set and then, it's not an issue anymore?
>
> There are several possibilities:
> - add a test similar to the one in src/Makefile, e.g., not run
> sudo if you're root already (relatively complicated for no obvious benefit)
>
> - try to remove the files normally first
> rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> ${SUDO_CLEAN}
>
> this should actually fix the issue.
>
> Any other directory with that problem ?

that fix the issue and the build continues fine
Re: make build as root fails when SUDO=doas
On Tue, Dec 11, 2018 at 06:50:07PM +0100, Solene Rapenne wrote:
> Marc Espie wrote:
> > On Mon, Dec 10, 2018 at 01:33:49PM +0100, Solene Rapenne wrote:
> > > hi
> > >
> > > I have SUDO=doas in /etc/mk.conf for ports, this is preventing a `make
> > > build`
> > > in /usr/src as root if /etc/doas.conf doesn't have a line "permit nopass
> > > root
> > > as root". This fails when using "doas" in regress/usr/bin/ssh/
> > >
> > > doas: Operation not permitted
> > > *** Error 1 in regress/usr.bin/ssh (Makefile:212 'clean')
> > > *** Error 1 in regress/usr.bin (:48 'cleandir')
> > > *** Error 1 in regress (:48 'cleandir')
> > > *** Error 1 in . (:48 'cleandir')
> > > *** Error 1 in . (Makefile:86 'do-build')
> > > *** Error 1 in /usr/src (Makefile:74 'build')
> > >
> > >
> > > the issue comes from the 3rd line of that extract from Makefile:212
> > >
> > > clean: ${CLEAN_SUBDIR}
> > >         rm -f ${CLEANFILES}
> > >         test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
> > >         rm -rf .putty
> > >
> > > Not sure how to fix it. Maybe people shouldn't try to compile as root when
> > > having SUDO=doas set and then, it's not an issue anymore?
> >
> > There are several possibilities:
> > - add a test similar to the one in src/Makefile, e.g., not run
> > sudo if you're root already (relatively complicated for no obvious benefit)
> >
> > - try to remove the files normally first
> > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > ${SUDO_CLEAN}
> >
> > this should actually fix the issue.
> >
> > Any other directory with that problem ?
>
> that fix the issue and the build continues fine

So okay from source people ? tedu, guenther, theo, krw ? somebody else ?
Re: make build as root fails when SUDO=doas
Marc Espie wrote:
> > > - try to remove the files normally first
> > > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > > ${SUDO_CLEAN}
> > >
> > > this should actually fix the issue.
> > >
> > > Any other directory with that problem ?
> >
> > that fix the issue and the build continues fine
>
> So okay from source people ? tedu, guenther, theo, krw ? somebody else ?

does anywhere else in the tree do this? aren't most (all) things either done
as root or not done as root?
Re: make build as root fails when SUDO=doas
Ted Unangst wrote:
> Marc Espie wrote:
> > > > - try to remove the files normally first
> > > > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > > > ${SUDO_CLEAN}
> > > >
> > > > this should actually fix the issue.
> > > >
> > > > Any other directory with that problem ?
> > >
> > > that fix the issue and the build continues fine
> >
> > So okay from source people ? tedu, guenther, theo, krw ? somebody else ?
>
> does anywhere else in the tree do this? aren't most (all) things either done
> as root or not done as root?

I also don't understand what the point is here.

release(9) shows the correct build process.

you start build as root, to permit the priv-drop security model we
designed in 2017.

If on the other hand you build from a regular user below, with doas
configured to allow escalation at any point in time, the regular user
below CAN ALWAYS BECOME ROOT SO YOU HAVE NO SECURITY MODEL IN MIND AT
ALL, while you operate on Makefile and such you downloaded from elsewhere

Such use of sudo/doas is an ANTI-PATTERN
Re: make build as root fails when SUDO=doas
On Tue, Dec 11, 2018 at 02:35:33PM -0700, Theo de Raadt wrote:
> Ted Unangst wrote:
>
> > Marc Espie wrote:
> > > > > - try to remove the files normally first
> > > > > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > > > > ${SUDO_CLEAN}
> > > > >
> > > > > this should actually fix the issue.
> > > > >
> > > > > Any other directory with that problem ?
> > > >
> > > > that fix the issue and the build continues fine
> > >
> > > So okay from source people ? tedu, guenther, theo, krw ? somebody else ?
> >
> > does anywhere else in the tree do this? aren't most (all) things either done
> > as root or not done as root?
>
> I also don't understand what the point is here.
>
> release(9) shows the correct build process.
>
> you start build as root, to permit the priv-drop security model we
> designed in 2017.
>
> If on the other hand you build from a regular user below, with doas
> configured to allow escalation at any point in time, the regular user
> below CAN ALWAYS BECOME ROOT SO YOU HAVE NO SECURITY MODEL IN MIND AT
> ALL, while you operate on Makefile and such you downloaded from elsewhere
>
> Such use of sudo/doas is an ANTI-PATTERN

I think the main issue is that /usr/sr/regress was not moved to the
priv-drop security model. There is bunch of code which needs root but I
don't want to run all of regress as user root.

--
:wq Claudio
Re: make build as root fails when SUDO=doas
Claudio Jeker wrote:
> I think the main issue is that /usr/sr/regress was not moved to the
> priv-drop security model. There is bunch of code which needs root but I
> don't want to run all of regress as user root.

regress is very special
Re: make build as root fails when SUDO=doas
On Tue, Dec 11, 2018 at 02:35:33PM -0700, Theo de Raadt wrote:
> Ted Unangst wrote:
>
> > Marc Espie wrote:
> > > > > - try to remove the files normally first
> > > > > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > > > > ${SUDO_CLEAN}
> > > > >
> > > > > this should actually fix the issue.
> > > > >
> > > > > Any other directory with that problem ?
> > > >
> > > > that fix the issue and the build continues fine
> > >
> > > So okay from source people ? tedu, guenther, theo, krw ? somebody else ?
> >
> > does anywhere else in the tree do this? aren't most (all) things either done
> > as root or not done as root?
>
> I also don't understand what the point is here.
>
> release(9) shows the correct build process.
>
> you start build as root, to permit the priv-drop security model we
> designed in 2017.
>
> If on the other hand you build from a regular user below, with doas
> configured to allow escalation at any point in time, the regular user
> below CAN ALWAYS BECOME ROOT SO YOU HAVE NO SECURITY MODEL IN MIND AT
> ALL, while you operate on Makefile and such you downloaded from elsewhere
>
> Such use of sudo/doas is an ANTI-PATTERN

Ah, so actually just
        rm -f ${SUDO_CLEAN}

should be fine ?
Re: make build as root fails when SUDO=doas
On Tue, Dec 11, 2018 at 10:55:25PM +0100, Claudio Jeker wrote:
> On Tue, Dec 11, 2018 at 02:35:33PM -0700, Theo de Raadt wrote:
> > Ted Unangst wrote:
> >
> > > Marc Espie wrote:
> > > > > > - try to remove the files normally first
> > > > > > rm -f ${SUDO_CLEAN} || test -z "${SUDO}" || ${SUDO} rm -f
> > > > > > ${SUDO_CLEAN}
> > > > > >
> > > > > > this should actually fix the issue.
> > > > > >
> > > > > > Any other directory with that problem ?
> > > > >
> > > > > that fix the issue and the build continues fine
> > > >
> > > > So okay from source people ? tedu, guenther, theo, krw ? somebody else ?
> > >
> > > does anywhere else in the tree do this? aren't most (all) things either
> > > done
> > > as root or not done as root?
> >
> > I also don't understand what the point is here.
> >
> > release(9) shows the correct build process.
> >
> > you start build as root, to permit the priv-drop security model we
> > designed in 2017.
> >
> > If on the other hand you build from a regular user below, with doas
> > configured to allow escalation at any point in time, the regular user
> > below CAN ALWAYS BECOME ROOT SO YOU HAVE NO SECURITY MODEL IN MIND AT
> > ALL, while you operate on Makefile and such you downloaded from elsewhere
> >
> > Such use of sudo/doas is an ANTI-PATTERN
>
> I think the main issue is that /usr/sr/regress was not moved to the
> priv-drop security model. There is bunch of code which needs root but I
> don't want to run all of regress as user root.

There is a kind of mixed model there.

Because make build still goes thru regress for obj and cleandir

Yet the rest of the build doesn't!

So, if we agree that it needs to stay the way it currently is, then
the SUDO in that Makefile might trigger while running as root...

... or we could change all the ports tree and rename SUDO to something
else in there so that it doesn't interfere at all. But I see most porters
not too happy with that choice.

As Mr Morden would say "what do you want ?"...
Re: make build as root fails when SUDO=doas
Marc Espie wrote:
> There is a kind of mixed model there.
>
> Because make build still goes thru regress for obj and cleandir
>
> Yet the rest of the build doesn't!
>
> So, if we agree that it needs to stay the way it currently is, then
> the SUDO in that Makefile might trigger while running as root...
>
> ... or we could change all the ports tree and rename SUDO to something
> else in there so that it doesn't interfere at all. But I see most porters
> not too happy with that choice.
>
> As Mr Morden would say "what do you want ?"...

I would say the regress test should try to avoid creating files that can only
be deleted by root.

I can't actually find where anything sets SUDO_CLEAN. Is this whole fuss over
an rm -f with no arguments?
Re: make build as root fails when SUDO=doas
On Tue, Dec 11, 2018 at 11:00:30PM +0100, Marc Espie wrote:
> Ah, so actually just
> rm -f ${SUDO_CLEAN}
>
> should be fine ?

Regress jumps from root to non-root in a very inconsistent way. It
could be improved, but that would be a lot of work. The result
will not be perfect as tests have very different needs for permissions.
So I would recommend to leave it as it is unless someone volunteers
to refactor all the tests.

If a test creates a file as root with an ugly ${SUDO} hack, it
should use the same hack to clean it. Then the test is self
contained. Care should be taken that the make clean hack does not
affect the make build.

So I like espie@'s suggestion to try rm first without ${SUDO} for
people running make build, and then with ${SUDO} for people who
have left overs from testing.

bluhm
Re: make build as root fails when SUDO=doas
On Wed, Dec 12, 2018 at 11:12:17AM +0100, Alexander Bluhm wrote:
> On Tue, Dec 11, 2018 at 11:00:30PM +0100, Marc Espie wrote:
> > Ah, so actually just
> > rm -f ${SUDO_CLEAN}
> >
> > should be fine ?
>
> Regress jumps from root to non-root in a very inconsistent way. It
> could be improved, but that would be a lot of work. The result
> will not be perfect as tests have very different needs for permissions.
> So I would recommend to leave it as it is unless someone volunteers
> to refactor all the tests.
>
> If a test creates a file as root with an ugly ${SUDO} hack, it
> should use the same hack to clean it. Then the test is self
> contained. Care should be taken that the make clean hack does not
> affect the make build.
>
> So I like espie@'s suggestion to try rm first without ${SUDO} for
> people running make build, and then with ${SUDO} for people who
> have left overs from testing.
>
> bluhm

Well, apart from the bike-shedding, it seems like the most correct
short-term solution.

So I will commit it tomorrow, unless someone has an actual better idea.
Re: make build as root fails when SUDO=doas
Marc Espie wrote:
> Well, apart from the bike-shedding, it seems like the most correct
> short-term solution.
>
> So I will commit it tomorrow, unless someone has an actual better idea.

Nobody answered if SUDO_CLEAN is actually set. I checked. It's not.

Index: Makefile === RCS file: /cvs/src/regress/usr.bin/ssh/Makefile,v retrieving revision 1.98 diff -u -p -r1.98 Makefile --- Makefile22 Nov 2018 08:48:32 - 1.98 +++ Makefile14 Dec 2018 20:56:11 - @@ -209,7 +209,6 @@ c-${s}: clean: ${CLEAN_SUBDIR} rm -f ${CLEANFILES} - test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} rm -rf .putty .include
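
Review bot: in the clean target, dropping the `${SUDO} rm -f ${SUDO_CLEAN}` line leaves cleanup to the unprivileged `rm -f ${CLEANFILES}` and `rm -rf .putty`, so the commit message should record that SUDO_CLEAN is not set anywhere this Makefile can see, which is what makes the removed line a no-op. If any test in this directory still creates files through ${SUDO}, those files will now survive `make clean` for a non-root user; it is worth confirming there are none, or having such a test remove its own files with the same ${SUDO} it used to create them.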
Re: make build as root fails when SUDO=doas
On Fri, Dec 14, 2018 at 03:57:12PM -0500, Ted Unangst wrote:
> Marc Espie wrote:
> > Well, apart from the bike-shedding, it seems like the most correct
> > short-term solution.
> >
> > So I will commit it tomorrow, unless someone has an actual better idea.
>
> Nobody answered if SUDO_CLEAN is actually set. I checked. It's not.
>
> Index: Makefile > === > RCS file: /cvs/src/regress/usr.bin/ssh/Makefile,v > retrieving revision 1.98 > diff -u -p -r1.98 Makefile > --- Makefile 22 Nov 2018 08:48:32 - 1.98 > +++ Makefile 14 Dec 2018 20:56:11 - > @@ -209,7 +209,6 @@ c-${s}: > > clean: ${CLEAN_SUBDIR} > rm -f ${CLEANFILES} > - test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} > rm -rf .putty > > .include

Oh, I had a slightly older version.

So, yep, it was just dtucker@ half-committing some clean-up.

Okay to finish fixing it. :)