Date: Fri, 22 Jul 2011 11:41:36 +0200 From: Polytropon <freebsd@edvax.de> To: Mike Clarke <jmc-freebsd2@milibyte.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: build ports from not a root user? Message-ID: <20110722114136.a5824844.freebsd@edvax.de> In-Reply-To: <201107220959.29577.jmc-freebsd2@milibyte.co.uk> References: <20110721100259.GA5326@external.screwed.box> <4E28543A.5020307@my.gd> <20110721174558.GE7553@external.screwed.box> <201107220959.29577.jmc-freebsd2@milibyte.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 22 Jul 2011 09:59:29 +0100, Mike Clarke wrote: > On Thursday 21 July 2011, Peter Vereshagin wrote: >=20 > > As long as I saw the instructions on building from source they wre > > generally all like this: > > > > =A0 =A0 $ cd /tarball-expanded-0.x.y > > =A0 =A0 $ ./configure > > =A0 =A0 $ make > > =A0 =A0 $ su - > > =A0 =A0 # cd /tarball-expanded-0.x.y > > =A0 =A0 # make install > > > > That important 'su -' is omitted from the ports. And it is about the > > security. >=20 > But this requires /usr/ports to be writable by the non-root user and=20 > creates a security risk. This cannot be overcome by limiting the=20 > installation to root only because you can no longer be sure that the=20 > source or installation scripts have not been tampered with by a=20 > non-privileged user. You could define specific port BUILDING directories outside /usr/ports, e. g. on a sufficiently sized and permitted /build partition that the non-root user can write to. However, this does _not_ solve the "problem" that root privileges are required to access INSTALL directories for the dependencies as well as for the final port you want to install. A "temporary pre-installation" doesn't sound possible, even if you define a different $PREFIX to make a per-one-user-localized installation. This seems to be obvious in regards of binaries that are required in further steps of building and installation, but even _more_ obvious in regards of libraries that the system linker has to be "notified" of. Giving /usr/ports _to_ the user (chown) or making a local copy of it (and adjusting the environmental variables for port infrastructure accordingly) does solve the first problem, but definitely not the second. (As it has been mentioned, doing this with /usr/src is a bit easier, where write access is especially needed for the /usr/obj "result" subtree. Only the installation of kernel and world need root access.) In the examples discussed regarding su, I often see: # cd /some/di/rec/to/ry # make something # su - # cd /some/di/rec/to/ry <=3D=3D=3D Again! # make something else # exit The key is that "su -" may change the current directory as it does a full login. See "man su", especially the -m option which will leave the environment intact. Also see what su without parameters (or "su root") will do in comparison. --=20 Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110722114136.a5824844.freebsd>