Using the OpenBSD ports tree with dedicated users


Author: Solène

Date: 11 January 2020

Tags: openbsd


If you want to contribute to the OpenBSD ports collection you will want to enable
the `PORTS_PRIVSEP` feature. When this variable is set, the ports system will use
dedicated users for its tasks.


Source tarballs will be downloaded by the user _pfetch, and all compilation and
packaging will be done by the user _pbuild.


Those users are created at system install, and pf has a default rule that
prevents the _pbuild user from accessing the network. This stops ports from
doing network stuff during the build, and this is what you want.


This adds a lot of security to the porting process: any malicious code run by a
port being compiled will be harmless.


In order to enable this feature, a few changes must be made.


The file /etc/mk.conf must contain


PORTS_PRIVSEP=yes

SUDO=doas


Then, /etc/doas.conf must allow your user to become _pfetch and _pbuild


permit keepenv nopass solene as _pbuild

permit keepenv nopass solene as _pfetch

permit keepenv solene as root


If you don't want to use the last line, there is an explanation in the

bsd.port.mk(5) man page.


Finally, within the ports tree, some permissions must be changed.


chown -R _pfetch:_pfetch /usr/ports/distfiles

chown -R _pbuild:_pbuild /usr/ports/{packages,plist,pobj,bulk}


If the directories don't exist yet on your system (this is the case on a fresh
ports checkout or untar), you can create them with the commands:


install -d -o _pfetch -g _pfetch /usr/ports/distfiles

install -d -o _pbuild -g _pbuild /usr/ports/{packages,plist,pobj,bulk}


Now, when you run a command in the ports tree, privileges should be dropped to
the corresponding users.
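The following script is an added example, not part of Solène's post: it checks that the three pieces of the setup described above (mk.conf variables, doas.conf rules, directory ownership) are in place before you start building. The function names (check_mkconf, check_doas, check_owner, privsep_check) are my own, each check takes the file or directory to inspect as an argument so it can be tried against copies, and ownership is read from ls(1) rather than stat(1) because stat's flags differ between OpenBSD and other systems.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PORTS_PRIVSEP
# setup. Every check takes the file or directory to inspect as an argument so
# the same functions can be run against constructed copies; the defaults are
# the real OpenBSD paths named in the post.

# mk.conf must set PORTS_PRIVSEP=yes and SUDO=doas (whitespace and ?= allowed).
check_mkconf() {
    f="${1:-/etc/mk.conf}"
    grep -Eq '^[[:space:]]*PORTS_PRIVSEP[[:space:]]*[?]?=[[:space:]]*yes[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*SUDO[[:space:]]*[?]?=[[:space:]]*doas[[:space:]]*$' "$f"
}

# doas.conf must have a "permit ... <user> as <target>" rule for both _pfetch
# and _pbuild. Options between "permit" and the user (keepenv, nopass, persist,
# nolog) are accepted; a "deny" line or a rule for another user is not.
check_doas() {
    user="$1"
    f="${2:-/etc/doas.conf}"
    for target in _pfetch _pbuild; do
        grep -Eq "^[[:space:]]*permit([[:space:]]+(keepenv|nopass|persist|nolog))*[[:space:]]+$user[[:space:]]+as[[:space:]]+$target([[:space:]]|$)" "$f" || return 1
    done
}

# The directory must exist and be owned by the expected user. The owner is the
# third field of "ls -ld" output on both OpenBSD and Linux.
check_owner() {
    d="$1"
    want="$2"
    [ -d "$d" ] || return 1
    owner=$(ls -ld "$d" | awk '{ print $3 }')
    [ "$owner" = "$want" ]
}

# Run every check for the given login against the real paths and print one
# line per result. Returns non-zero if any check failed.
privsep_check() {
    login="$1"
    rc=0
    report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
    report check_mkconf /etc/mk.conf
    report check_doas "$login" /etc/doas.conf
    report check_owner /usr/ports/distfiles _pfetch
    for d in packages plist pobj bulk; do
        report check_owner "/usr/ports/$d" _pbuild
    done
    return $rc
}

# Usage: sh privsep_check.sh <your-login>
[ "$#" -ge 1 ] && privsep_check "$1"
```

A FAIL on the ownership lines after a fresh checkout is expected until the chown or install commands above have been run; a FAIL on the doas line usually means the login given on the command line does not match the one in /etc/doas.conf.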
