On 2025/12/20 19:23, Douglas Silva wrote: > 1. I have privilege separation enabled in /etc/mk.conf: > > PORTS_PRIVSEP=Yes > SUDO=doas > > 2. doas is configured to let my user run as the ports users: > > permit keepenv nopass dsilva as _pbuild > permit keepenv nopass dsilva as _pfetch > > 3. Permissions in the ports directory were fixed with the make target > "fix-permissions" > > 4. cd to a port (e.g. net/tor) and run all the make targets from "fetch" to > "extract". > > $ cd /usr/ports/net/tor > $ make fetch > $ make checksum > $ make extract
it would be clearer if you showed the output you get too. I bet it is installing build dependencies, for which it needs root, and for that yes if you're using doas (even with persist) you'll need to enter the password multiple times. (using sudo rather than doas, with "SUDO=sudo -E", gives a more comfortable experience - some loss of protection, but not as bad as using "nopass"). you can save some time by installing by hand: $ make show=BUILD_DEPENDS devel/metaauto devel/autoconf/2.69 $ make show=LIB_DEPENDS devel/libevent2 $ doas pkg_add metaauto autoconf%2.69 libevent2 > Most make targets use the privilege separation as expected, and I get no > authentication prompts. The "extract" target doesn't. > > I wonder if it's safe to run it as root? I'm not sure. I'm still trying to > learn how this works. But if that's a requirement, I think it would be best > to make it exit with an error when it's not root — to make that clear. not safe to run as root. > It seems to require authentication once for every dependency it has to build. > For the net/tor port, I get approximately 7 doas prompts — maybe more... I > didn't count. > > What am I doing wrong? >
