problems setting up PORTS_PRIVSEP


problems setting up PORTS_PRIVSEP

Moises Simon
Hi misc,

I'm trying to set the ports system to use PORTS_PRIVSEP
according to bsd.port.mk(5) and
https://www.openbsd.org/faq/ports/ports.html#PortsConfig

but I'm getting the following error:

sirius$ make fetch
mkdir /usr/obj/ports: Permission denied at
/usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
/usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

even after doing make fix-permissions. I'm not seeing something.

cat /etc/mk.conf
SUDO=doas
CLEANDEPENDS=Yes
PORTS_PRIVSEP=Yes
WRKOBJDIR=/usr/obj/ports
DISTDIR=/usr/ports/distfiles
PACKAGE_REPOSITORY=/usr/ports/packages

cat /etc/doas.conf
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root


Re: problems setting up PORTS_PRIVSEP

Stuart Henderson
On 2020-03-25, Moises Simon <[hidden email]> wrote:

> Hi misc,
>
> I'm trying to set the ports system to use PORTS_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

Does _pbuild have write access to /usr/obj? If not, either grant it,
or create /usr/obj/ports yourself and grant _pbuild write access to
that.

> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add

Allowing pkg_add with nopass opens a way for your account to get root
without a password.

Since doas "persist" doesn't allow password persistence with how ports
uses it, I use sudo not doas on ports dev machines. (I use doas on
ports build machines, but dpb manages running pkg_add in that case,
and is started as root so it only needs to drop privs rather than
raise them).



Re: problems setting up PORTS_PRIVSEP

Ottavio Caruso
In reply to this post by Moises Simon
On Wed, 25 Mar 2020 at 11:19, Moises Simon <[hidden email]> wrote:

>
> Hi misc,
>
> I'm trying to set the ports system to use PORTS_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...
>
> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
> permit nopass setenv { TERM } msv cmd pkg_delete
>
> permit keepenv nopass msv as _pbuild
> permit keepenv nopass msv as _pfetch
>
> permit msv as root
>

Hi, have you had a look at this tutorial:
https://dataswamp.org/~solene/2020-01-11-privsep.html

--
Ottavio Caruso


Re: problems setting up PORTS_PRIVSEP

Moises Simon
In reply to this post by Stuart Henderson
On Thu, Mar 26, 2020 at 07:50:27AM -0000, Stuart Henderson wrote:
> Does _pbuild have write access to /usr/obj? If not, either grant it,
> or create /usr/obj/ports yourself and grant _pbuild write access to
> that.


these are the permissions:

drwxrwxr-x  4 build  wobj  512 Mar 25 11:03 /usr/obj

d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2

because that is for building base I have changed

WRKOBJDIR=/usr/ports/obj

drwxr-xr-x  3 _pbuild  _pbuild  512 Mar 26 10:12 /usr/ports/obj/

Now it's working.

Thanks!

Now I'm getting this:

sirius$ make package
===>  Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*****************************************************************************************| 15972       00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===>  Verifying specs:  X11 Xft Xinerama c fontconfig
===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===>  Extracting for dmenu-4.9
make: don't know how to make do-extract
Stop in .
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
'/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
'/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
'_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$(doas -...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu
(/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
export _LOCKS_HELD="...)

in ports under /usr/ports/mystuff
I just:

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

But it doesn't seem related to PORTS_PRIVSEP; I have built wmutils
the same way without problems.

> Allowing pkg_add with nopass opens a way for your account to get root
> without a password.
>
> Since doas "persist" doesn't allow password persistence with how ports
> uses it, I use sudo not doas on ports dev machines. (I use doas on
> ports build machines, but dpb manages running pkg_add in that case,
> and is started as root so it only needs to drop privs rather than
> raise them).
>

So dpb for building just 3 or 4 ports is overkill, right?


Re: problems setting up PORTS_PRIVSEP

putridsoul66
In reply to this post by Moises Simon
You only need to change permissions on the
/usr/obj

Run these as root
install -dm0775 -o _pbuild -g _pbuild /usr/obj
install -dm0775 -o _pbuild -g _pbuild /usr/obj/ports

Also the variables DISTDIR and PACKAGE_REPOSITORY
are redundant, since those are the default values
anyway.

In /etc/doas.conf, replace the three commands with
their complete paths. This will save a headache,
believe me.

Setting WRKOBJDIR is not really useful; the default
location (/usr/ports/pobj) works fine, unless it's an
aesthetic issue, since it deals mostly with temporary
data.

The only real use, according to me, is to set /usr/ports
as read-only by pushing all work directories out of it.


Re: problems setting up PORTS_PRIVSEP

putridsoul66
In reply to this post by Moises Simon
I don't understand the logic of this

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

to build a package, one usually just runs the command

cd /usr/ports/x11/dmenu
make install

try and see if this gives an error.


Re: problems setting up PORTS_PRIVSEP

Moises Simon
On Thu, Mar 26, 2020 at 06:04:19PM +0530, [hidden email] wrote:

> I don't understand the logic of this
>
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
>
> to build a package, one usually just runs the command
>
> cd /usr/ports/x11/dmenu
> make install
>
> try and see if this gives an error.
>

Yes, that works, but I want to apply some private patches to the application.
That's why I copied the port to /usr/ports/mystuff, to make local changes.


Re: problems setting up PORTS_PRIVSEP

putridsoul66
In reply to this post by Moises Simon
I didn't know anything about the mystuff
directory. Anyway, I tried it.

mkdir /usr/ports/mystuff
mkdir /usr/ports/mystuff/x11
cp -r /usr/ports/x11/dmenu /usr/ports/mystuff/x11/dmenu
chown -R user:wsrc /usr/ports/mystuff
cd /usr/ports/mystuff/x11/dmenu
make install

And it was successful, so you should check the
file permissions in and of the mystuff dir.

If the build was successful in /usr/ports/x11/dmenu, then
permissions could be skewed in mystuff ("local user":"wsrc").
If there is no conflict there, I think you could have messed up
your /usr/ports/x11/dmenu dir before copying it.
Did you edit it?


Re: problems setting up PORTS_PRIVSEP

Moises Simon
In reply to this post by Moises Simon
On Thu, Mar 26, 2020 at 12:38:19PM +0100, Moises Simon wrote:

> On Thu, Mar 26, 2020 at 07:50:27AM -0000, Stuart Henderson wrote:
> > Does _pbuild have write access to /usr/obj? If not, either grant it,
> > or create /usr/obj/ports yourself and grant _pbuild write access to
> > that.
>
>
> these are the permissions:
>
> drwxrwxr-x  4 build  wobj  512 Mar 25 11:03 /usr/obj
>
> d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2
>
> because that is for building base I have changed
>
> WRKOBJDIR=/usr/ports/obj
>
> drwxr-xr-x  3 _pbuild  _pbuild  512 Mar 26 10:12 /usr/ports/obj/
>
> Now it's working.
>
> Thanks!
>
> Now I'm getting this:
>
> sirius$ make package
> ===>  Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100% |*****************************************************************************************| 15972       00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===>  Verifying specs:  X11 Xft Xinerama c fontconfig
> ===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===>  Extracting for dmenu-4.9
> make: don't know how to make do-extract
> Stop in .
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
> '/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
> '/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
> '_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$(doas -...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu
> (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
> export _LOCKS_HELD="...)
>
> in ports under /usr/ports/mystuff
> I just:
>
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
>

I'm having lots of problems with permissions under /usr/ports/. I have even
deleted and fetched a new cvs ports tree following:

https://www.openbsd.org/faq/faq5.html#wsrc

"Avoid running cvs(1) as root. The /usr/src directory (where your source will
typically go) is writable by the wsrc group by default, so add users that need
to use cvs(1) to that group. "

https://man.openbsd.org/bsd.port.mk#PORTS_PRIVSEP

"To work fully, this does require the ports tree to be world-readable, and
${WRKDIR} to be world-readable as well (update-patches and friends won't work
otherwise)."

doing

sirius# find /usr/ports/ -type f -exec chmod 644 {} \+
sirius# find /usr/ports/ -type d -exec chmod 755 {} \+

I get:

sirius$ make build
===>  Verifying specs:  X11 Xft Xinerama c fontconfig
===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===>  Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*****************************************************************************************| 15972       00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===>  Extracting for dmenu-4.9
make: getcwd: Permission denied
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648 '/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu ...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9;  export _LOCKS_HELD=" d...)

# Doas log showing some commands failed

sirius# tail /var/log/doas
Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch /usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl /usr/ports/infrastructure/bin/portlock /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles as _pfetch from (failed)
Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o /usr/ports/distfiles/dmenu-4.9.tar.gz.part https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command mv /usr/ports/distfiles/dmenu-4.9.tar.gz.part /usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from /usr/ports/distfiles
Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from (failed)
Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
sirius#

# my full doas.conf, as it can be the one causing problems:

permit msv as root

permit keepenv msv as root cmd cabal

permit nopass msv as root cmd shutdown

permit msv as root cmd pkg_check
permit msv as root cmd sysupgrade

permit keepenv msv as root cmd mount
permit keepenv msv as root cmd simple-mtpfs
permit keepenv msv as root cmd ntfs-3g

permit nopass keepenv msv as root cmd umount

permit nopass msv as root cmd sh args /etc/netstart
permit nopass msv as root cmd sh args /etc/netstart em0
permit nopass msv as root cmd sh args /etc/netstart iwn0
permit nopass msv as root cmd sh args /etc/netstart trunk0
permit nopass msv as root cmd zzz
permit nopass msv as root cmd ZZZ

permit nopass msv as root cmd nice
permit nopass msv as root cmd renice

permit nopass msv cmd /usr/bin/touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add
permit nopass setenv { TERM } msv cmd /usr/sbin/pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit nopass setenv { DISPLAY DBUS_SESSION_BUS_ADDRESS } root as msv cmd /usr/local/bin/notify-send
permit nopass root as _cron
permit nopass _cron as root cmd rcctl args reload unwind


Re: problems setting up PORTS_PRIVSEP

Moises Simon
On Mon, Mar 30, 2020 at 01:22:03PM +0200, Moises Simon wrote:

> sirius$ make build
> ===>  Verifying specs:  X11 Xft Xinerama c fontconfig
> ===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
> ===>  Checking files for dmenu-4.9
> >> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
> dmenu-4.9.tar.gz 100% |*****************************************************************************************| 15972       00:00
> >> (SHA256) dmenu-4.9.tar.gz: OK
> ===>  Extracting for dmenu-4.9
> make: getcwd: Permission denied
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2648 '/usr/ports/pobj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu ...)
> *** Error 2 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2564 'build': @lock=dmenu-4.9;  export _LOCKS_HELD=" d...)
>
> # Doas log showing some commands failed
>
> sirius# tail /var/log/doas
> Mar 30 12:35:27 sirius doas: msv ran command chmod a+rX /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -rf /tmp/dep_cache.6pG4FlqDv as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/touch /usr/ports/pobj/dmenu-4.9/.buildwantlibs as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/perl /usr/ports/infrastructure/bin/portlock /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock x11/dmenu, as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command install -d /usr/ports/distfiles as _pfetch from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command /usr/bin/ftp -V -m -C -o /usr/ports/distfiles/dmenu-4.9.tar.gz.part https://dl.suckless.org/tools/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command mv /usr/ports/distfiles/dmenu-4.9.tar.gz.part /usr/ports/distfiles/dmenu-4.9.tar.gz as _pfetch from /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.tar.gz.dist.lock as _pbuild from /usr/ports/distfiles
> Mar 30 12:35:27 sirius doas: msv ran command make do-extract as _pbuild from (failed)
> Mar 30 12:35:27 sirius doas: msv ran command rm -f /usr/ports/pobj/locks/dmenu-4.9.lock as _pbuild from (failed)
> sirius#
>

After more tests, the problem was my umask 027.
/usr/ports/mystuff/x11 was 750 and that was causing problems for ports under
mystuff but not under /usr/ports.
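The umask finding above, the earlier "getcwd: Permission denied", and the world-readable requirement quoted from bsd.port.mk(5) all come down to one check: every directory on the path to a port has to be readable and searchable by others, and the files readable, or the unprivileged _pbuild/_pfetch users cannot get at them. The script below is an added example, not from this thread or from the OpenBSD ports infrastructure. It builds a constructed sample tree in a temporary directory (one branch created under umask 027 as in the message above, one under umask 022), lists the entries that would block the build users, and then repairs them by adding only the missing o+r / o+rx bits. Because it adds bits instead of resetting every file to 644, execute bits already set on scripts are left alone. The function names (find_unreadable, count_unreadable, fix_unreadable, make_sample_tree) are this example's own.

```shell
#!/bin/sh
# Added example: report and repair entries under a ports tree that are not
# world-readable (PORTS_PRIVSEP needs the tree readable by _pbuild/_pfetch).

# List every directory missing any of o+rx and every file missing o+r.
# "-perm -005" / "-perm -004" mean "all of these bits are set"; the "!"
# negates it, so only offenders are printed.
find_unreadable() {
    tree=$1
    find "$tree" -type d ! -perm -005
    find "$tree" -type f ! -perm -004
}

# Number of offending entries, for scripting and for the assertions.
count_unreadable() {
    find_unreadable "$1" | wc -l | tr -d ' '
}

# Add only the missing bits; existing execute bits on files are preserved.
fix_unreadable() {
    find "$1" -type d ! -perm -005 -exec chmod o+rx {} +
    find "$1" -type f ! -perm -004 -exec chmod o+r {} +
}

# Constructed sample tree: /x11/dmenu made with the usual umask 022 and
# /mystuff/x11/dmenu made with umask 027, which is exactly what produced
# the 750 directories in the message above.
make_sample_tree() {
    root=$1
    mkdir -p "$root" && chmod 755 "$root"
    (umask 022; mkdir -p "$root/x11/dmenu"; : > "$root/x11/dmenu/Makefile")
    (umask 027; mkdir -p "$root/mystuff/x11/dmenu"; : > "$root/mystuff/x11/dmenu/Makefile")
}

# Stand-alone use: "sh check_ports_perms.sh /usr/ports" prints the
# offenders without changing anything; call fix_unreadable to repair.
if [ $# -eq 1 ]; then
    find_unreadable "$1"
fi
```

On the constructed tree the report lists the three umask-027 directories and the 640 Makefile beneath them, and nothing from the umask-022 branch; after fix_unreadable the report is empty. On a real system, run find_unreadable against /usr/ports first and inspect the list before applying fix_unreadable, and set umask 022 in the shell that checks out or copies ports so the problem does not come back.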


Re: problems setting up PORTS_PRIVSEP

Stuart Henderson
In reply to this post by Moises Simon
On 2020-03-30, Moises Simon <[hidden email]> wrote:
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add

pkg_add can run any command, so if you permit pkg_add without a
password, you might as well not require a password for anything.
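Stuart's point here, and in his first reply, is that a nopass rule for pkg_add is equivalent to passwordless root, since pkg_add runs as root and can run arbitrary commands. The script below turns that into a quick audit of a doas.conf. It is an added example, not from this thread or from doas itself: it parses permit rules in the form used in this thread, treats a bare command name and a full path the same way, and prints any rule that combines nopass with pkg_add or pkg_delete. The sample configuration is constructed from the rules posted earlier in the thread; the hardened variant is the same set of rules with nopass dropped from the two package commands. The names risky_pkg_rules, count_risky, SAMPLE_DOAS_CONF and HARDENED_DOAS_CONF are this example's own.

```shell
#!/bin/sh
# Added example: flag doas.conf rules that let a user run pkg_add/pkg_delete
# without a password, which is as good as passwordless root.

# Constructed sample, built from the rules posted in this thread.
SAMPLE_DOAS_CONF='permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete
permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch
permit msv as root'

# Same rules with nopass removed from the package commands and full paths
# used. The _pbuild/_pfetch rules keep nopass: they only let msv switch to
# the unprivileged build users, which is what PORTS_PRIVSEP relies on.
HARDENED_DOAS_CONF='permit nopass msv cmd /usr/bin/touch
permit setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add
permit setenv { TERM } msv cmd /usr/sbin/pkg_delete
permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch
permit msv as root'

# Read a doas.conf on stdin and print each permit rule that carries nopass
# and whose cmd is pkg_add or pkg_delete, whether bare or as a full path.
risky_pkg_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        $1 != "permit" { next }         # deny rules cannot grant anything
        {
            nopass = 0; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "nopass") nopass = 1
                if ($i == "cmd" && i < NF) cmd = $(i + 1)
            }
            sub(".*/", "", cmd)         # /usr/sbin/pkg_add -> pkg_add
            if (nopass && (cmd == "pkg_add" || cmd == "pkg_delete")) print
        }'
}

# Number of risky rules, for scripting and for the assertions.
count_risky() {
    risky_pkg_rules | wc -l | tr -d ' '
}

# Stand-alone use: "sh audit_doas.sh /etc/doas.conf" audits a real file;
# with no argument the constructed sample is audited instead.
if [ $# -eq 1 ]; then
    risky_pkg_rules < "$1"
else
    printf '%s\n' "$SAMPLE_DOAS_CONF" | risky_pkg_rules
fi
```

The sample yields the two pkg_add/pkg_delete lines; the hardened variant yields none. The trade-off is the one Stuart describes: without nopass, doas prompts every time the ports framework runs pkg_add, and since persist does not cover the way ports invokes it, his answer on development machines is sudo rather than doas. On an OpenBSD host, doas -C /etc/doas.conf with the command name is the authoritative check of what a rule actually grants; this script is only a fast text-level pass over the file.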