On 2012/09/11 20:58, Michael W. Lucas wrote:
> Hi,
>
> I'm attempting to permit a group of otherwise-unprivileged users to
> build packages via sudo. You can see a post on my efforts at
> http://blather.michaelwlucas.com/archives/1421

Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, /bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, /usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, /usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 /home/ports/*, /bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*

I think it's safer to actually give people root - that way, at least
you know that you're giving them root.

sudo /usr/bin/install -o root -m 4755 /bin/ksh /bin/foobar

> It seems that the ports system creates a directory, /tmp/portlocks,
> owned by the user creating a port. I can change this directory to be
> owned by my port-building group and writable by the group, but is
> having these lockfiles writable by a group a problem? Is this effort
> just something better not attempted?

Not a problem. This location can be changed with LOCKDIR (it actually
defaults to ${WRKOBJDIR}/locks in -current), and note that it honours
umask.
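
Added example, not part of the original message or of sudo itself: a small audit of the Cmnd_Alias quoted above that classifies each entry by how tightly it constrains arguments and checks whether the install command from the reply is permitted. The function names are hypothetical, and permits() is a simplified model of sudoers matching (exact path, arguments matched as one joined string, no path globs or negation).

```python
import re
from fnmatch import fnmatchcase

# The Cmnd_Alias quoted in the message above, copied verbatim.
ALIAS = (
    "Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, "
    "/bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, "
    "/usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, "
    "/usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 /home/ports/*, "
    "/bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*"
)

def parse_cmnd_alias(line):
    """Split a one-line Cmnd_Alias into (name, [entries])."""
    head, _, body = line.partition("=")
    name = head.split()[1]
    # Entries are comma-separated; a literal comma in sudoers is written '\,'.
    return name, [e.strip() for e in re.split(r"(?<!\\),", body) if e.strip()]

def classify(entry):
    """How tightly does this entry constrain the command's arguments?"""
    _, _, args = entry.partition(" ")
    if not args:
        return "any-args"        # bare path: sudo accepts any arguments
    if args == '""':
        return "no-args"         # "" means: only with no arguments at all
    if any(c in args for c in "*?["):
        return "wildcard-args"   # pattern is matched against the joined argument string
    return "fixed-args"

def permits(entry, cmdline):
    """Simplified model of sudoers matching for one entry (assumption, see lead-in)."""
    e_path, _, e_args = entry.partition(" ")
    c_path, _, c_args = cmdline.partition(" ")
    if e_path != c_path:
        return False
    if not e_args:
        return True
    if e_args == '""':
        return c_args == ""
    return fnmatchcase(c_args, e_args)

def audit(line):
    """Return {entry: class} for every entry in the alias."""
    return {e: classify(e) for e in parse_cmnd_alias(line)[1]}

if __name__ == "__main__":
    for entry, kind in audit(ALIAS).items():
        print(f"{kind:14} {entry}")
```

Entries reported as any-args are the ones to review first: the rule places no limit on what those programs are asked to do as root.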