On 2021/02/03 17:39, James Cook wrote:
> Hi ports@,
>
> Summary: I suggest the section at
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
> should include some additional text like the following:
>
> You will need to configure doas to pass the TRUSTED_PKG_PATH variable
> when running /usr/sbin/pkg_add. Adding the "nopass" option for
> certain commands can help reduce the number of times a password needs
> to be entered. For example, add the following to doas.conf(5),
> replacing "myuser" with your username:
>
> permit nopass myuser cmd /usr/bin/touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } myuser cmd /usr/sbin/pkg_add
> permit nopass setenv { TERM } myuser cmd /usr/sbin/pkg_delete

Let's not go down the 'try to evaluate every variable' path again; keepenv is the way to go. We have spent much time figuring out weird bugs from missing variables in the past when we have tried to evaluate them.

If you are going to allow pkg_add with "nopass" you might just as well write "permit nopass myuser". An account which can run pkg_add as root has full control of the system.
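
The point made in the reply, that a "nopass" rule for pkg_add is as strong as an unrestricted "nopass" rule, can be checked mechanically against a doas.conf. The script below is an added example, not part of the original thread or of OpenBSD; the `builder` user, the `:wheel` rule and the `ROOT_EQUIV` list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag doas.conf rules that grant passwordless root-equivalent
# access. Rule grammar per doas.conf(5):
#   permit|deny [options] identity [as target] [cmd command [args ...]]
# Assumption: ROOT_EQUIV lists only pkg_add, the one command the reply names.
ROOT_EQUIV="${ROOT_EQUIV:-pkg_add}"

audit_doas_rules() {    # usage: audit_doas_rules < /etc/doas.conf
    awk -v equiv="$ROOT_EQUIV" '
    BEGIN { n = split(equiv, e, " "); for (k = 1; k <= n; k++) risky[e[k]] = 1 }
    { sub(/#.*/, "") }                          # drop comments
    /\\[ \t]*$/ {                               # backslash continues the rule
        sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
    }
    {
        line = buf $0; buf = ""
        gsub(/[{}]/, " & ", line)               # braces become separate tokens
        $0 = line
        if ($1 != "permit") next                # deny rules grant nothing
        i = 2; nopass = 0
        while (i <= NF) {                       # consume the option list
            if ($i == "nopass") nopass = 1
            else if ($i == "setenv") { while (i <= NF && $i != "}") i++ }
            else if ($i != "nolog" && $i != "persist" && $i != "keepenv") break
            i++
        }
        ident = $i; target = "any"; cmd = ""
        for (i++; i <= NF; i++) {
            if ($i == "as") target = $(++i)
            else if ($i == "cmd") { cmd = $(++i); break }
        }
        if (!nopass || (target != "any" && target != "root")) next
        base = cmd; sub(/.*\//, "", base)
        if (cmd == "") print NR ": " ident ": nopass with no cmd restriction"
        else if (base in risky) print NR ": " ident ": nopass " cmd " is root-equivalent"
    }'
}

# Constructed sample: the three quoted rules plus two hypothetical ones.
sample_rules() { cat <<'EOF'
permit nopass myuser cmd /usr/bin/touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } myuser cmd /usr/sbin/pkg_add
permit nopass setenv { TERM } myuser cmd /usr/sbin/pkg_delete
permit persist keepenv :wheel
permit nopass keepenv builder
EOF
}

sample_rules | audit_doas_rules
```

doas applies the last matching rule, so a later deny can override a flagged permit; the script reports individual rules, not the effective policy.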