From: Mike Meyer
Date: Sun, 2 Jul 2000 14:19:25 -0500 (CDT)
To: Bill Barnes
Cc: questions@FreeBSD.ORG
Subject: Re: Ports via FTP
Message-ID: <14687.38333.574810.752211@guru.mired.org>

> From: Bill Barnes
> I'm doing my first one of the above and it bothers me that I am online as
> root.

Well, you don't say how you're going online, but for most of the methods I'm familiar with, being root isn't any worse for security than anything else. The critical thing isn't which ID copies the packets across the network, it's what happens to them after they get to your machine. I use userland ppp, and filter things so that only inbound things I trust can get through.

> There must be a way around this, but how can non-root write to /usr.

Letting non-root write to /usr is a lot worse for security than going online as root. There are a number of alternatives that don't involve doing that.

The easiest thing would be to chown the entire ports tree to be owned by the userid you want to do the build. Then do "make" as that person, and "make install" as root.
There are some ports that will *require* you to do the "make install" as root, as the install process does things that only root should be allowed to do (creating users and setting the ownership of installed files comes to mind).

Along the same lines, you could set DISTDIR & WRKDIRPREFIX in /etc/make.conf to be things you can write on as non-root. That should do the fetch and build as you.

You could also just set DISTDIR, and do "make fetch". You can then do "make install" as root, though this may force you to build the dependent ports by hand. You can also replace setting DISTDIR with making the default distdir (should be /usr/ports/distdir) a symlink to some place you can write to.
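
A pre-flight check for the DISTDIR/WRKDIRPREFIX setup described in the message above, added here as an example (it is not from the original post). The function names and the world-writable test are assumptions of this example: a build directory that any local user can modify would let them alter what root later installs with "make install".

```shell
#!/bin/sh
# Added example, not from the original message. Run as the unprivileged
# build user, e.g.:  check_build_dirs /etc/make.conf

# conf_value FILE VAR
# Print the last value assigned to VAR in a make.conf-style FILE.
# Accepts VAR=value, VAR?=value and VAR:=value; strips trailing comments.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?:]\{0,1\}=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_build_dirs FILE
# Succeed only if DISTDIR and WRKDIRPREFIX are both set in FILE, exist,
# are writable by the current user, and are not world-writable.
check_build_dirs() {
    conf=$1
    rc=0
    for var in DISTDIR WRKDIRPREFIX; do
        dir=$(conf_value "$conf" "$var")
        if [ -z "$dir" ]; then
            echo "$var: not set in $conf"
            rc=1
        elif [ ! -d "$dir" ]; then
            echo "$var: $dir is not a directory"
            rc=1
        elif [ ! -w "$dir" ]; then
            echo "$var: $dir is not writable by $(id -un)"
            rc=1
        elif [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
            # Any local user could modify sources that root later installs.
            echo "$var: $dir is world-writable"
            rc=1
        else
            echo "$var: $dir ok"
        fi
    done
    return $rc
}
```
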