Enable builds with a dedicated user that cannot elevate privileges or write

to /usr/src or /usr/xenocara.

Change /usr/{,x}obj to owner build:wobj with mode 770 and install the
systemwide makefiles before starting a build.  The root of the noperm fs
containing DESTDIR should also be owned by build:wobj.

Developers will need to add their users to group wobj to be able to write
to /usr/{,x}obj/.

"push forward" deraadt; testing, input & ok rpe

1 files changed, 4 insertions, 2 deletions

diff --git a/share/mk/bsd.own.mk b/share/mk/bsd.own.mk
index 82d33d688f4..d2db1871218 100644
--- a/share/mk/bsd.own.mk
+++ b/share/mk/bsd.own.mk
@@ -1,4 +1,4 @@
-#	$OpenBSD: bsd.own.mk,v 1.180 2016/10/05 18:00:41 natano Exp $
+#	$OpenBSD: bsd.own.mk,v 1.181 2016/11/19 14:20:58 tb Exp $
 #	$NetBSD: bsd.own.mk,v 1.24 1996/04/13 02:08:09 thorpej Exp $
 
 # Host-specific overrides
@@ -128,7 +128,9 @@ DEFAULT_PIE_DEF=-DPIE_DEFAULT=1
 NOPROFILE=
 .endif
 
-BUILDUSER?= ${USER}
+BUILDUSER?= build
+WOBJGROUP?= wobj
+WOBJUMASK?= 007
 
 BSD_OWN_MK=Done