fetch extension - use local filename from content-disposition header

Eygene A. Ryabinkin freebsd at rea.mbslab.kiae.ru
Fri Dec 30 01:15:50 PST 2005

 A bit offtopic, but...

> However, when I mentioned this on -security in a thread
> (about trusting trust) all I got back was that it was difficult to make
> sure that all ports build as normal user. Which of course does not explain
> fetching as root at all, but hey.
 OK, actually you can fetch as non-root: just make /usr/ports/distfiles
writeable to the user (or group) that should be able to fetch the
packages. The same holds for the source compilation: give the write
permissions to the port's directory. 'make  install' switches to the root
account via 'su', so you can just issue 'make install' and the build
scripts will do the trick. The price is also known: you'll need to supply
the root password for each package. And this will cause the major pain to
the portupgrade users -- it is not so easy to teach portupgrade to do its
job from the non-root account. It can be done, but you'll still need to
supply root password for every package at least two times.

 In principle, portupgrade and make scripts can be rearranged to be started
as root, but to drop the privileges for the fetching and building via the
creation of child and the setuid() call (su will help). Was such feature
already discuissed and is it desirable?

BOFH excuse #121:
halon system went off and killed the operators

More information about the freebsd-current mailing list