ports/163059: Portbuild: Drop privileges for extract/patch/build phases

Chris Rees crees at physics.org
Sun Dec 4 14:20:09 UTC 2011

>Number:         163059
>Category:       ports
>Synopsis:       Portbuild: Drop privileges for extract/patch/build phases
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 04 14:20:08 UTC 2011
>Originator:     Chris Rees
>Release:        FreeBSD 8.2-STABLE i386
System: FreeBSD freefall.freebsd.org 8.2-STABLE FreeBSD 8.2-STABLE #5 r227907: Wed Nov 23 21:55:50 UTC 2011 simon at freefall.freebsd.org:/usr/obj/usr/src/sys/FREEFALL i386

	As discussed at [1] and with portmgr, here's a patch to portbuild to drop privileges for most stages except install.

	It's hardcoded, but since the rest of the file is too I don't see any way to get around this :)

	If I can get confirmation that this would be acceptable / perhaps even get a list of broken ports with it that'd be wonderful, (whenever!).  I'm aware one portmgr was interested, although I think right now he's unable to commit much time.

	[1] http://marcuscom.com/pipermail/tinderbox-list/2011-June/002161.html


--- portbuild-su-patch.diff begins here ---
Index: buildscript
--- buildscript	(revision 228258)
+++ buildscript	(working copy)
@@ -193,6 +193,9 @@
   echo "prefixes: LOCALBASE=${L}"
+  # Nobody isn't allowed to create WRKDIRPREFIX, so we do it for him
+  /usr/bin/install -d -o nobody -m755 /work
   # Stash a copy of /etc/master.passwd and /etc/group to detect whether someone modifies it
   cp /etc/master.passwd /etc/master.passwd-save
   cp /etc/group /etc/group-save
@@ -241,7 +244,8 @@
   add_pkg ${ED}
   cd $dir
-  /pnohang ${BUILD_TIMEOUT} /tmp/make.log2 ${pkgname} make extract || cleanup 2
+  su -m nobody -c "/pnohang ${BUILD_TIMEOUT} /tmp/make.log2 ${pkgname} \
+		   make extract" || cleanup 2
   cat /tmp/make.log2
   del_pkg ${ED}
@@ -254,7 +258,8 @@
   echo "====================<phase 3: make patch>===================="
   add_pkg ${PD}
   cd $dir
-  /pnohang ${BUILD_TIMEOUT} /tmp/make.log3 ${pkgname} make patch || cleanup 3
+  su -m nobody -c "/pnohang ${BUILD_TIMEOUT} /tmp/make.log3 ${pkgname} \
+		   make patch" || cleanup 3
   cat /tmp/make.log3
   del_pkg ${PD}
@@ -295,7 +300,8 @@
   cd $dir
-  /pnohang ${BUILD_TIMEOUT} /tmp/make.log4 ${pkgname} make build || cleanup 4
+  su -m nobody -c "/pnohang ${BUILD_TIMEOUT} /tmp/make.log4 ${pkgname} \
+		   make build" || cleanup 4
   cat /tmp/make.log4
   echo "================================================================"
--- portbuild-su-patch.diff ends here ---


More information about the freebsd-ports-bugs mailing list