From: Polytropon <freebsd@edvax.de>
To: Mike Clarke
Cc: freebsd-questions@freebsd.org
Date: Fri, 22 Jul 2011 11:41:36 +0200
Subject: Re: build ports from not a root user?
Message-Id: <20110722114136.a5824844.freebsd@edvax.de>
In-Reply-To: <201107220959.29577.jmc-freebsd2@milibyte.co.uk>
On Fri, 22 Jul 2011 09:59:29 +0100, Mike Clarke wrote:
> On Thursday 21 July 2011, Peter Vereshagin wrote:
>
> > As long as I saw the instructions on building from source they were
> > generally all like this:
> >
> >     $ cd /tarball-expanded-0.x.y
> >     $ ./configure
> >     $ make
> >     $ su -
> >     # cd /tarball-expanded-0.x.y
> >     # make install
> >
> > That important 'su -' is omitted from the ports. And it is about the
> > security.
>
> But this requires /usr/ports to be writable by the non-root user and
> creates a security risk. This cannot be overcome by limiting the
> installation to root only because you can no longer be sure that the
> source or installation scripts have not been tampered with by a
> non-privileged user.

You could define specific port BUILDING directories outside /usr/ports,
e.g. on a sufficiently sized and permitted /build partition that the
non-root user can write to. However, this does _not_ solve the "problem"
that root privileges are required to access INSTALL directories for the
dependencies as well as for the final port you want to install.

A "temporary pre-installation" doesn't sound possible, even if you define
a different $PREFIX to make a per-one-user-localized installation. This
seems to be obvious with regard to binaries that are required in further
steps of building and installation, but even _more_ obvious with regard
to libraries that the system linker has to be "notified" of.

Giving /usr/ports _to_ the user (chown) or making a local copy of it (and
adjusting the environmental variables for port infrastructure accordingly)
does solve the first problem, but definitely not the second.

(As it has been mentioned, doing this with /usr/src is a bit easier, where
write access is especially needed for the /usr/obj "result" subtree. Only
the installation of kernel and world needs root access.)

In the examples discussed regarding su, I often see:

    # cd /some/di/rec/to/ry
    # make something
    # su -
    # cd /some/di/rec/to/ry    <=== Again!
    # make something else
    # exit

The key is that "su -" may change the current directory as it does a full
login. See "man su", especially the -m option which will leave the
environment intact. Also see what su without parameters (or "su root")
will do in comparison.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
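One way to put the build/install split from this thread into practice, as an added example that is not part of the thread and not the ports framework's own code: build as the unprivileged user with WRKDIRPREFIX pointing outside /usr/ports, and before the one root-only step check the read-only ports skeleton against a manifest taken when the tree was last updated, which addresses Mike's tampering concern for the skeleton (though not for the work tree the build user produced). It assumes the PORTSDIR and WRKDIRPREFIX values shown, a manifest file the build user cannot write, and sha256sum or sha256(1) being available.

```sh
# Added example, not code from the thread or the ports framework. Assumes
# /usr/ports root-owned and read-only for the build user, builds redirected
# to a user-writable WRKDIRPREFIX, and a manifest the build user cannot write.
PORTSDIR=${PORTSDIR:-/usr/ports}
WRKDIRPREFIX=${WRKDIRPREFIX:-/build}

# SHA-256 of one file: coreutils sha256sum, or sha256(1) -q on FreeBSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Print "hash relative/path" for every regular file under $1, sorted.
tree_manifest() {
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#$dir/}"
    done
}

# Compare the tree under $1 with the saved manifest $2: 0 if identical,
# 1 (diff on stderr) if anything was added, removed or modified.
verify_tree() {
    dir=$1 manifest=$2
    tmp=$(mktemp) || return 2
    tree_manifest "$dir" >"$tmp"
    if cmp -s "$manifest" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "tree under $dir changed since $manifest was taken:" >&2
    diff "$manifest" "$tmp" >&2 || true
    rm -f "$tmp"
    return 1
}

# Unprivileged build, then the single root step. The explicit cd inside the
# root command does not depend on whether su resets the working directory,
# and without -m the build user's environment (PATH, make variables) is not
# carried into the root shell. The work tree under WRKDIRPREFIX is still the
# build user's output; the manifest check covers only the port skeleton.
build_and_install() {   # usage: build_and_install editors/foo /path/manifest
    verify_tree "$PORTSDIR" "$2" || return 1
    (cd "$PORTSDIR/$1" && make WRKDIRPREFIX="$WRKDIRPREFIX" build) || return 1
    su root -c "cd '$PORTSDIR/$1' && make WRKDIRPREFIX='$WRKDIRPREFIX' install"
}
```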