Secure PKG_PATH for doas


Igor Mironov
The packages and ports' FAQ mentions that those using doas need to pass keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to take PKG_PATH (or another variable) from the target account's environment (~/.profile)?


Re: Secure PKG_PATH for doas

Stuart Henderson
On 2016-05-18, Igor Mironov <[hidden email]> wrote:
> The packages and ports' FAQ mentions that those using doas need to pass keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to take PKG_PATH (or another variable) from the target account's environment (~/.profile)?

Not unless you let the target account run a shell.

The simplest way is probably to avoid using PKG_PATH (don't
set it in keepenv) and put the path in /etc/pkg.conf instead.


Re: Secure PKG_PATH for doas

Ted Unangst-6
In reply to this post by Igor Mironov
Igor Mironov wrote:
> The packages and ports' FAQ mentions that those using doas need to pass keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to take PKG_PATH (or another variable) from the target account's environment (~/.profile)?

No, but you can easily write a shell wrapper that sets things up and calls
pkg_add.
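
One way to write the shell wrapper suggested in the reply above, shown as an added example that is not code posted in the thread. The wrapper name `/usr/local/sbin/pkg_add_fixed` and the mirror file `/etc/pkg_mirror` are assumptions; the doas.conf rule in the comments uses no keepenv and restricts the user to the wrapper.

```sh
#!/bin/sh
# Constructed example. Hypothetical install path: /usr/local/sbin/pkg_add_fixed
# doas.conf rule, with no keepenv and the command pinned to the wrapper:
#   permit :wheel as root cmd /usr/local/sbin/pkg_add_fixed
MIRROR_FILE=/etc/pkg_mirror	# hypothetical file holding one mirror URL

# Succeed only if $1 is a regular file (not a symlink) owned by uid $2
# and not writable by group or others.
trusted_file() {
	[ -f "$1" ] && [ ! -h "$1" ] || return 1
	ls -ln "$1" | awk -v uid="$2" \
		'NR == 1 { ok = ($3 == uid && $1 !~ /^.....w/ && $1 !~ /^........w/) }
		 END { exit !ok }'
}

# Print the first non-comment, non-blank line of $1 if it is an http(s)
# URL made only of URL-safe characters; fail otherwise.
read_mirror() {
	url=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | head -n 1)
	case $url in
	*[!A-Za-z0-9:/._%-]*) return 1 ;;	# spaces, quotes, shell metacharacters
	http://?*|https://?*) printf '%s\n' "$url" ;;
	*) return 1 ;;
	esac
}

main() {
	trusted_file "$MIRROR_FILE" 0 ||
		{ echo "refusing: $MIRROR_FILE is not a root-only file" >&2; return 1; }
	mirror=$(read_mirror "$MIRROR_FILE") ||
		{ echo "refusing: no valid mirror URL in $MIRROR_FILE" >&2; return 1; }
	# Build the environment from scratch: PKG_PATH comes from the file,
	# never from whatever the invoking user had exported.
	exec env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin PKG_PATH="$mirror" \
		/usr/sbin/pkg_add "$@"
}

# Run only when invoked under the wrapper's own name.
case ${0##*/} in pkg_add_fixed) main "$@" ;; esac
```

With this in place the user runs `doas /usr/local/sbin/pkg_add_fixed <package>`, and a PKG_PATH exported in the calling shell has no effect on where packages are fetched from.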


Re: Secure PKG_PATH for doas

Mart Tõnso
There is an alternative to PKG_PATH env var:

http://man.openbsd.org/OpenBSD-current/man5/pkg.conf.5

echo "installpath = http://your.favorite.mirror/" > /etc/pkg.conf

.. and enjoy!

Mart


On Thu, May 19, 2016 at 4:32 AM, Ted Unangst <[hidden email]> wrote:
> Igor Mironov wrote:
>> The packages and ports' FAQ mentions that those using doas need to pass keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to take PKG_PATH (or another variable) from the target account's environment (~/.profile)?
>
> No, but you can easily write a shell wrapper that sets things up and calls
> pkg_add.


Re: Secure PKG_PATH for doas

Mihai Popescu-3
In reply to this post by Igor Mironov
> echo "installpath = http://your.favorite.mirror/" > /etc/pkg.conf

> .. and enjoy!

Error from http://your.favorite.mirror/
ftp: your.favorite.mirror: no address associated with name
http://your.favorite.mirror/ is empty

:-)


Re: Secure PKG_PATH for doas

Mart Tõnso
Do feel free to select from the list of actual mirrors:
http://www.openbsd.org/ftp.html

Mart

On Thu, May 19, 2016 at 10:02 PM, Mihai Popescu <[hidden email]> wrote:
>> echo "installpath = http://your.favorite.mirror/" > /etc/pkg.conf
>
>> .. and enjoy!
>
> Error from http://your.favorite.mirror/
> ftp: your.favorite.mirror: no address associated with name
> http://your.favorite.mirror/ is empty
>
> :-)


Re: Secure PKG_PATH for doas

Stuart Henderson
On 2016-05-19, Mart Tõnso <[hidden email]> wrote:
> Do feel free to select from the list of actual mirrors:
> http://www.openbsd.org/ftp.html

Or in /etc/examples/pkg.conf.


Re: Secure PKG_PATH for doas

lists-2
Fri, 20 May 2016 00:18:47 +0000 (UTC) Stuart Henderson
<[hidden email]>
> On 2016-05-19, Mart Tõnso <[hidden email]> wrote:
> > Do feel free to select from the list of actual mirrors:
> > http://www.openbsd.org/ftp.html
>
> Or in /etc/examples/pkg.conf.

Which reminds me that the installer already picks the nearest mirror; an idea
would be to set it in /etc/pkg.conf at install time, and leave PKG_PATH for the user.


Re: Secure PKG_PATH for doas

lists-2
Fri, 20 May 2016 08:46:47 +0300 [hidden email]

> Fri, 20 May 2016 00:18:47 +0000 (UTC) Stuart Henderson
> <[hidden email]>
> > On 2016-05-19, Mart Tõnso <[hidden email]> wrote:
> > > Do feel free to select from the list of actual mirrors:
> > > http://www.openbsd.org/ftp.html
> >
> > Or in /etc/examples/pkg.conf.
>
> Which reminds the installer already picks the nearest mirror, an idea to
> set it in /etc/pkg.conf at install time, and leave PKG_PATH for the user.

[http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/distrib/miniroot/install.sub]

2259         # Create or update pkg.conf with the new package path, if any.

Appears this idea has already been realised, should have checked upfront ;)


Re: Secure PKG_PATH for doas

Igor Mironov
In reply to this post by Mart Tõnso
Thank you Mart, Ted and Stuart--I understood that installpath in pkg.conf
provides a secure default, and PKG_PATH should probably be used for overrides
only (if at all).



On Friday, 20 May 2016, 3:41, Mart Tõnso <[hidden email]> wrote:



There is an alternative to PKG_PATH env var:

http://man.openbsd.org/OpenBSD-current/man5/pkg.conf.5

echo "installpath = http://your.favorite.mirror/" > /etc/pkg.conf

.. and enjoy!

Mart



On Thu, May 19, 2016 at 4:32 AM, Ted Unangst <[hidden email]> wrote:
> Igor Mironov wrote:
>> The packages and ports' FAQ mentions that those using doas need to pass
>> keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to
>> take PKG_PATH (or another variable) from the target account's environment
>> (~/.profile)?
>
> No, but you can easily write a shell wrapper that sets things up and calls
> pkg_add.


Re: Secure PKG_PATH for doas

Raf Czlonka-2
On Fri, May 20, 2016 at 12:39:46PM BST, Igor Mironov wrote:

> Thank you Mart, Ted and Stuart--I understood that installpath in
> pkg.conf provides a secure default, and PKG_PATH should probably
> be used for overrides only (if at all).

Hi Igor,

PKG_PATH is essential - installpath= in pkg.conf(5) won't suffice
- if you don't want to build ports' dependencies and prefer to
simply have them install as packages, by using:

        FETCH_PACKAGES=Yes

in mk.conf(5).

Regards,

Raf


Re: Secure PKG_PATH for doas

Marc Espie-2
On Fri, May 20, 2016 at 03:37:48PM +0100, Raf Czlonka wrote:

> On Fri, May 20, 2016 at 12:39:46PM BST, Igor Mironov wrote:
>
> > Thank you Mart, Ted and Stuart--I understood that installpath in
> > pkg.conf provides a secure default, and PKG_PATH should probably
> > be used for overrides only (if at all).
>
> Hi Igor,
>
> PKG_PATH is essential - installpath= in pkg.conf(5) won't suffice
> - if you don't want to build ports' dependencies and prefer to
> simply have them install as packages, by using:
>
> FETCH_PACKAGES=Yes
>
> in mk.conf(5).
>
> Regards,
>
> Raf

But that one completely does not require doas since it's run in -n mode.


Re: Secure PKG_PATH for doas

Raf Czlonka-2
On Sat, May 21, 2016 at 08:55:37AM BST, Marc Espie wrote:

> On Fri, May 20, 2016 at 03:37:48PM +0100, Raf Czlonka wrote:
> > On Fri, May 20, 2016 at 12:39:46PM BST, Igor Mironov wrote:
> >
> > > Thank you Mart, Ted and Stuart--I understood that installpath in
> > > pkg.conf provides a secure default, and PKG_PATH should probably
> > > be used for overrides only (if at all).
> >
> > Hi Igor,
> >
> > PKG_PATH is essential - installpath= in pkg.conf(5) won't suffice
> > - if you don't want to build ports' dependencies and prefer to
> > simply have them install as packages, by using:
> >
> > FETCH_PACKAGES=Yes
> >
> > in mk.conf(5).
> >
> > Regards,
> >
> > Raf
>
> But that one completely does not require doas since it's run in -n mode.

Sure, my reply was to the "if at all" part and I was merely pointing
out that 'installpath' doesn't work everywhere and sometimes one must
set PKG_PATH.

Raf


Re: Secure PKG_PATH for doas

lists-2
Sat, 21 May 2016 12:34:58 +0100 Raf Czlonka <[hidden email]>

> On Sat, May 21, 2016 at 08:55:37AM BST, Marc Espie wrote:
> > On Fri, May 20, 2016 at 03:37:48PM +0100, Raf Czlonka wrote:  
> > > On Fri, May 20, 2016 at 12:39:46PM BST, Igor Mironov wrote:
> > >  
> > > > Thank you Mart, Ted and Stuart--I understood that installpath in
> > > > pkg.conf provides a secure default, and PKG_PATH should probably
> > > > be used for overrides only (if at all).  
> > >
> > > PKG_PATH is essential - installpath= in pkg.conf(5) won't suffice
> > > - if you don't want to build ports' dependencies and prefer to
> > > simply have them install as packages, by using:
> > >
> > > FETCH_PACKAGES=Yes
> > >
> > > in mk.conf(5).
> >
> > But that one completely does not require doas since it's run in -n mode.  
>
> Sure, me reply was to the "if at all" part and I was merely pointing
> out that 'installpath' doesn't work everywhere and sometimes one must
> set PKG_PATH.

A suggestion would be to add /etc/mymirror plus related dangling block
accessories.  It would not work yet without tool propagation to honour
this file.  Who knows, it may never work, if this idea is quite silly.


Re: Secure PKG_PATH for doas

Alexander Hall
In reply to this post by Igor Mironov
On May 19, 2016 12:49:25 AM GMT+02:00, Igor Mironov <[hidden email]> wrote:
>The packages and ports' FAQ mentions that those using doas need to pass
>keepenv { PKG_PATH } in the config file. Is there a way to instruct
>doas to take PKG_PATH (or another variable) from the target account's
>environment (~/.profile)?

As pointed out, $PKG_PATH might not be the solution, but

$ doas env PKG_PATH="$PKG_PATH" pkg_add ...

would work for you, unless you want to restrict doas to a certain command. Not that it matters much if you'd allow any custom PKG_PATH anyway.

/Alexander

