On 2021/02/05 10:07, Marc Espie wrote:
> As the idiot responsible for how the framework actually works, I'm always
> running with keepenv.
>
> Building ports by hand always ends up installing *whatever* as root, so
> I don't see nopass as much of a security risk either. Heck, you're going to
> put that shit in /usr/local/bin and run it anyway.
>
>
> PORTS_PRIVSEP is a much better security measure. Preventing ports from
> accidentally accessing the network or writing all over the system is good.
Coming back to this because I thought of something.

Note I am only thinking about the case with PORTS_PRIVSEP; I think anybody working with ports should use that by default, it's not that hard to work with.

The place where nopass is a problem is elevating from your normal user account. But this is exactly the place where people are getting fed up with entering their password many times, which is exactly why they're wanting to use nopass.

There is a possible change that could be made to make this much safer (though doas is already above the proposed limit of 1000 lines of code ;)

It could have another mode, similar to "nopass", but which, instead of running the elevated commands directly, prints the command line and asks for yes/no confirmation. This would save entering passwords all the time but would make it much harder to just sneak an elevated command past the person in front of the keyboard.

It seems so obvious, I'm wondering why doas, or sudo before it, doesn't already have it.
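To make the proposed "show the command, ask yes/no, then elevate" mode concrete, here is an added example of that behaviour as a POSIX sh wrapper around doas. It is not doas code and not part of the original mail; it assumes a doas binary in PATH with a rule allowing the calling user, and the function names (shell_quote, confirm_elevation) are made up for the example. Each argument is printed single-quoted so that what is about to run is unambiguous: `rm -rf / tmp` and `rm -rf '/ tmp'` look different on the prompt, and an empty or whitespace argument is visible rather than silently swallowed. Only a literal y/Y/yes answer runs the command; EOF or anything else aborts.

```shell
#!/bin/sh
# Added example, not doas itself: confirm-before-elevate wrapper around doas.
# Assumes: doas in PATH and a doas.conf rule permitting the caller.

# shell_quote ARG... : print the arguments single-quoted and space separated,
# so the displayed command line is exactly what execve() will receive.
# A literal ' inside an argument is rendered as '\'' (standard sh idiom).
shell_quote() {
    out=''
    for arg in "$@"; do
        q=$(printf '%s\n' "$arg" | sed "s/'/'\\\\''/g")
        out="$out${out:+ }'$q'"
    done
    printf '%s' "$out"
}

# confirm_elevation ARG... : show the argv, ask y/N on stderr, read one line
# from stdin. Returns 0 only for y/Y/yes/YES; EOF or any other answer is a
# refusal (return 1), so a script feeding empty stdin cannot slip through.
confirm_elevation() {
    printf 'about to run as root: %s\n' "$(shell_quote "$@")" >&2
    printf 'proceed? [y/N] ' >&2
    IFS= read -r answer || return 1
    case $answer in
        y|Y|yes|YES) return 0 ;;
        *)           return 1 ;;
    esac
}

# Entry point, only used when invoked with a command to elevate.
if [ $# -gt 0 ]; then
    if confirm_elevation "$@"; then
        exec doas "$@"
    else
        echo 'aborted, nothing run' >&2
        exit 1
    fi
fi
```

One caveat a practitioner should keep in mind: as a wrapper script this only helps against accidents. Anything that can already run commands as your user can call doas directly and skip the prompt, so for the protection the mail is after (nothing elevated without a human saying yes), the confirmation has to live inside doas and be selected by a doas.conf rule, not in a script sitting in front of it. The wrapper does show what such a mode would look like to the person at the keyboard.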