On Wed, Feb 17, 2021 at 02:48:02PM +0000, Stuart Henderson wrote:
> On 2021/02/05 10:07, Marc Espie wrote:
> > As the idiot responsible for how the framework actually works, I'm always
> > running with keepenv.
> >
> > Building ports by hand always ends up installing *whatever* as root, so
> > I don't see nopass as much of a security risk either. Heck, you're going to
> > put that shit in /usr/local/bin and run it anyway.
> >
> >
> > PORTS_PRIVSEP is a much better security measure. Preventing ports from
> > accidentally accessing the network or writing all over the system is good.
>
> Coming back to this because I thought of something..
>
> Note I am only thinking about the case with PORTS_PRIVSEP, I think anybody
> working with ports should use that by default, it's not that hard to
> work with.
>
> The place where nopass is a problem is elevating from your normal user
> account. But this is exactly the place where people are getting fed up
> with entering their password many times which is exactly why they're
> wanting to use nopass.
>
> There is a possible change that could be made to make this much safer
> (though doas is already above the proposed limit of 1000 lines of code ;)
> It could have another mode, similar to "nopass" but which, instead of
> running the elevated commands directly, prints the command line and asks
> for yes/no confirmation. This would save entering passwords all the time
> but would make it much harder to just sneak an elevated command past the
> person in front of the keyboard.
>
> It seems so obvious, I'm wondering why doas, or sudo before it, doesn't
> already have it...
>
>
I'm not very sure how useful it would be for ports, considering the
actual commands we get to run as root, which aren't exactly short with all
the options...
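An added illustration, not part of the thread: the two doas.conf(5) shapes the discussion above is weighing against each other. Variant A is the blanket "nopass from my own account" rule; variant B is my reading of the PORTS_PRIVSEP arrangement, where the passwordless transitions only go to the unprivileged build and fetch users and anything run as root still asks for a password (the user name "alice" is a placeholder; the canonical rule set for PORTS_PRIVSEP lives in bsd.port.mk(5) and may differ from what is sketched here).

```conf
# Variant A: the convenience rule under discussion.  Anything that runs
# as "alice" (a placeholder account) can become root silently, with the
# environment passed through.  Nothing stands between a stray command in
# a build script and a root shell.
permit nopass keepenv alice

# Variant B: assumed PORTS_PRIVSEP-style rules (check bsd.port.mk(5) for
# the exact set).  Members of the wsrc group may drop to the unprivileged
# ports users without a password; keepenv is needed because the ports
# framework passes its settings through the environment.
permit nopass keepenv :wsrc as _pbuild
permit nopass keepenv :wsrc as _pfetch

# Elevation to root (the package install step) keeps its password prompt;
# "persist" only caches a successful entry for a few minutes.  This is the
# step the thread wants to make less tedious without going back to nopass.
permit persist keepenv :wsrc as root
```

With variant B a compromised or merely sloppy port can at worst write as _pbuild or reach the network as _pfetch; it cannot reach root without the person at the keyboard typing a password, which is exactly where the proposed yes/no confirmation mode would slot in.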