On Wed, Feb 03, 2021 at 07:24:08PM +0000, Stuart Henderson wrote:
> On 2021/02/03 17:39, James Cook wrote:
> > Hi ports@,
> >
> > Summary: I suggest the section at
> > https://www.openbsd.org/faq/ports/ports.html#PortsConfig
> > should include some additional text like the following:
> >
> > You will need to configure doas to pass the TRUSTED_PKG_PATH variable
> > when running /usr/sbin/pkg_add. Adding the "nopass" option for
> > certain commands can help reduce the number of times a password needs
> > to be entered. For example, add the following to doas.conf(5),
> > replacing "myuser" with your username:
> >
> > permit nopass myuser cmd /usr/bin/touch
> > permit nopass setenv { TRUSTED_PKG_PATH TERM } myuser cmd /usr/sbin/pkg_add
> > permit nopass setenv { TERM } myuser cmd /usr/sbin/pkg_delete
>
> Let's not go down the 'try to evaluate every variable' path again,
> keepenv is the way to go, we have spent much time figuring out weird
> bugs from missing variables in the past when we have tried to
> evaluate them.
>
> If you are going to allow pkg_add with "nopass" you might just as well
> write "permit nopass myuser". An account which can run pkg_add as root
> has full control of the system.

I don't have strong opinions about that. My point is just that the
current documentation left me with a setup that didn't work. How about
recommending keepenv instead, if that's better?

--
James