diff options
| author | Martin Natano <natano@cvs.openbsd.org> | 2016-10-05 18:00:42 +0000 |
|---|---|---|
| committer | Martin Natano <natano@cvs.openbsd.org> | 2016-10-05 18:00:42 +0000 |
| commit | 10476eb8c3cf1ff8ac538bcf223d032bb935fc02 (patch) | |
| tree | 7fd9786b1496e6202e028c798ebb2d154ee11a64 | |
| parent | 0d2b0b0bb362af89ca9203fe35aff60ce86fd86b (diff) | |
De-escalate to an unprivileged users during 'make build' and 'make release'.
- If you start make build as root, everything will be run as root.
Nothing new here. New is, that you can set BUILDUSER=somebody and the
unprived parts will be run as somebody.
- If you start make build with sudo, the unprived parts will be run as
the real user (meaning YOU). You can still set BUILDUSER=somebody and
the uprived parts will run as somebody.
- If you start make build as a normal user it will error out. "I'm sorry
Dave."
Note that DESTDIR must be on partition with the noperm flag set for make
release to work correctly as an unprivileged user.
idea and ok deraadt
input and ok tb ratchov millert
rpe, halex and probably others where part of the conversation to make
this happen, thanks!
| -rw-r--r-- | Makefile | 19 | ||||
| -rw-r--r-- | etc/Makefile | 14 | ||||
| -rw-r--r-- | share/mk/bsd.own.mk | 4 |
3 files changed, 27 insertions, 10 deletions
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.126 2016/10/04 16:54:31 deraadt Exp $ +# $OpenBSD: Makefile,v 1.127 2016/10/05 18:00:41 natano Exp $ # # For more information on building in tricky environments, please see @@ -72,14 +72,23 @@ build: .ifdef GLOBAL_AUTOCONF_CACHE cp /dev/null ${GLOBAL_AUTOCONF_CACHE} .endif + @if [[ `id -u` -ne 0 ]]; then \ + echo 'must be called by root' 2>&1; \ + false; \ + fi cd ${.CURDIR}/share/mk && exec ${MAKE} install - cd ${.CURDIR}/include && ${MAKE} prereq && exec ${MAKE} includes + cd ${.CURDIR}/include && \ + su ${BUILDUSER} -c 'exec ${MAKE} prereq' && \ + exec ${MAKE} includes ${MAKE} cleandir - cd ${.CURDIR}/lib && ${MAKE} depend && ${MAKE} && \ + cd ${.CURDIR}/lib && \ + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ NOMAN=1 exec ${MAKE} install - cd ${.CURDIR}/gnu/lib && ${MAKE} depend && ${MAKE} && \ + cd ${.CURDIR}/gnu/lib && \ + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ NOMAN=1 exec ${MAKE} install - ${MAKE} depend && ${MAKE} && exec ${MAKE} install + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ + exec ${MAKE} install /bin/sh ${.CURDIR}/distrib/sets/makeetcset ${.CURDIR} ${MAKE} .endif diff --git a/etc/Makefile b/etc/Makefile index 5be76089576..22ec0e1a51c 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.435 2016/10/04 16:54:31 deraadt Exp $ +# $OpenBSD: Makefile,v 1.436 2016/10/05 18:00:41 natano Exp $ TZDIR= /usr/share/zoneinfo LOCALTIME= Canada/Mountain @@ -241,6 +241,15 @@ release: @false .else +release: + @if [[ `id -u` -ne 0 ]]; then \ + echo 'must be called by root' 2>&1; \ + false; \ + fi + su ${BUILDUSER} -c 'exec ${MAKE} release-sets' + ${MAKE} distrib + su ${BUILDUSER} -c 'exec ${MAKE} sha' + release-sets: cd ${RELEASEDIR} && rm -f SHA256 cd ../distrib/sets && exec sh maketars ${OSrev} @@ -251,9 +260,6 @@ sha: cksum -a sha256 BUILDINFO INSTALL.`arch -ks` \ ${ALL_KERNELS} ${MDEXT} ${MISETS} | sort > SHA256 -release: sha -sha: distrib -distrib: release-sets kernels release-sets: distribution kernels .endif diff --git a/share/mk/bsd.own.mk b/share/mk/bsd.own.mk index 36fa4027a90..82d33d688f4 100644 --- a/share/mk/bsd.own.mk +++ b/share/mk/bsd.own.mk @@ -1,4 +1,4 @@ -# $OpenBSD: bsd.own.mk,v 1.179 2016/09/21 18:27:55 natano Exp $ +# $OpenBSD: bsd.own.mk,v 1.180 2016/10/05 18:00:41 natano Exp $ # $NetBSD: bsd.own.mk,v 1.24 1996/04/13 02:08:09 thorpej Exp $ # Host-specific overrides @@ -128,6 +128,8 @@ DEFAULT_PIE_DEF=-DPIE_DEFAULT=1 NOPROFILE= .endif +BUILDUSER?= ${USER} + BSD_OWN_MK=Done .PHONY: spell clean cleandir obj manpages print all \ |