On Sat, Dec 20, 2025 at 14:25 Douglas Silva <[email protected]> wrote:
> 1. I have privilege separation enabled in /etc/mk.conf:
>
> PORTS_PRIVSEP=Yes
> SUDO=doas
>
> 2. doas is configured to let my user run as the ports users:
>
> permit keepenv nopass dsilva as _pbuild
> permit keepenv nopass dsilva as _pfetch
>
> 3. Permissions in the ports directory were fixed with the make target
> "fix-permissions"
>
> 4. cd to a port (e.g. net/tor) and run all the make targets from "fetch"
> to "extract".
>
> $ cd /usr/ports/net/tor
> $ make fetch
> $ make checksum
> $ make extract
>
> Most make targets use the privilege separation as expected, and I get no
> authentication prompts. The "extract" target doesn't.

Did you also add your user to the 'wsrc'[0] and 'wobj'[1] groups? If so, did you log out and back in for the changes to take effect?

Per the Ports FAQ[2]:

"Again, ports can be _built_ as a user, but must be _installed_ by root or with doas(1)."

> I wonder if it's safe to run it as root? I'm not sure. I'm still trying to learn how this works. But if that's a requirement, I think it would be best to make it exit with an error when it's not root — to make that clear.

I would say not. Per the PORTS_PRIVSEP documentation in bsd.port.mk(5):

"It is reasonably safe to allow your user id to run commands as the BUILD_USER or FETCH_USER and using nopass for these can save a lot of password entry, however it is inadvisable to allow commands like pkg_add(1) <https://man.openbsd.org/pkg_add.1> to run as root without a password."

Hope that helps.

Morgan

[0] <https://www.openbsd.org/faq/faq5.html#wsrc>
[1] <https://www.openbsd.org/faq/faq5.html#Miscellanea>
[3] <https://www.openbsd.org/faq/ports/ports.html#PortsConfig>
[4] <https://man.openbsd.org/bsd.port.mk#PORTS_PRIVSEP>
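
Added example, not part of the original message or of the ports tree: a small audit of doas.conf-style rules that reports every passwordless (nopass) permit rule reaching beyond the two ports users, which is the distinction the bsd.port.mk(5) text quoted above draws. The function names and the sample rules are constructed for illustration; the parser assumes one rule per line and does not handle setenv { ... } blocks.

```shell
#!/bin/sh
# Constructed sample rules (not taken from a real system).
sample_rules() {
cat <<'EOF'
permit keepenv nopass dsilva as _pbuild
permit keepenv nopass dsilva as _pfetch
permit nopass dsilva as root cmd pkg_add
permit nopass dsilva
permit persist :wheel
EOF
}

# audit_doas: read doas.conf-style rules on stdin and print one line for
# every "permit ... nopass" rule whose target is not _pbuild or _pfetch.
# A rule with no "as target" applies to all users, root included, so it
# is reported as "(any user)".
audit_doas() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $1 != "permit"  { next }          # deny rules grant nothing
        {
            nopass = 0; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "cmd") break    # the rest is the command, not options
                if ($i == "nopass") nopass = 1
                if ($i == "as" && i < NF) target = $(i + 1)
            }
            if (!nopass) next
            if (target == "_pbuild" || target == "_pfetch") next
            if (target == "") target = "(any user)"
            printf "line %d: nopass as %s: %s\n", NR, target, $0
        }
    '
}

# Demonstration on the constructed rules; on a real system, run
#   audit_doas < /etc/doas.conf
sample_rules | audit_doas
```
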
