summaryrefslogtreecommitdiff
path: root/mk/unprivileged.mk
blob: 67095dd96555b4cb504cc826b00370f6c3d35ad7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
# $NetBSD: unprivileged.mk,v 1.17 2008/11/27 19:28:01 rillig Exp $
#
# This file collects definitions that are useful when using pkgsrc as an
# unprivileged (non-root) user. It is included automatically by the
# pkgsrc infrastructure.
#
# === User-settable variables ===
#
# UNPRIVILEGED
#	Whether to build packages as unprivileged user.
#
#	Default: (undefined)
#	Possible: yes no
#
# UNPRIVILEGED_USER
#	The user name (or numeric uid) that will be used to install
#	files.
#
#	Default: The user building the package
#
# UNPRIVILEGED_GROUP
#	The group name (or numeric gid) that will be used to install
#	files.
#
#	Default: The primary group of the user building the package
#
# UNPRIVILEGED_GROUPS
#       The group names that can be used to install files.  Where a
#       per-package custom group is declared that matches a group name
#       in this variable, it will be left unmodified.  Any per-package
#       custom group not in this list will be forced to the value of
#       UNPRIVILEGED_GROUP.
#
#       Default: The complete group membership of the user building
#       the package
#
# === Package-settable variables ===
#
# PKG_USERS_VARS
#	A list of variables that hold bare user names, e.g APACHE_USER, etc.
#
# PKG_GROUPS_VARS
#	A list of variables that hold bare group names, e.g UUCP_GROUP, etc.
#
# XXX: How can the user say that some of the packages shouldn't override
# the user and group names?
#
# PRIVILEGED_STAGES
#	A list of phases (not stages) that are run as the privileged
#	user. Some packages, when installed with just-in-time-su, leave
#	temporary files in the working directory, so the "clean" phase
#	must have enough priviledges to clean them up.
#
#	Possible: clean
#	Default: (undefined)
#
# === System-defined variables ===
#
# REAL_ROOT_USER
#	The name of an omnipotent user account on the system.
#
#	XXX: Why do we have this variable when it is set to ${ROOT_USER}
#	anyway for unprivileged builds? Shouldn't packages that require
#	such a user just fail in unprivileged mode?
#	(See NOT_FOR_UNPRIVILEGED.)
#
# REAL_ROOT_GROUP
#	The primary group of the REAL_ROOT_USER.
#
# ROOT_USER
#	XXX: ???
#
# ROOT_GROUP
#	The primary group of the ROOT_USER.
#
# BINOWN, BINGRP, GAMEOWN, GAMEGRP, MANOWN, MANGRP, SHAREOWN, SHAREGRP,
# DOCOWN, DOCGRP, BINMODE, NONBINMODE
#	Ownership and permissions of the various types of files that are
#	installed by the packages.
#
#	XXX: What do we need all these different variables for? Wouldn't
#	it be ok to install all files as ROOT_USER:ROOT_GROUP?
#
# PKG_CREATE_USERGROUP
#	Since an unprivileged user normally cannot create other users
#	and groups, this pkgsrc feature is disabled.
#
#	XXX: This setting should be moved into pkg_add.
#
# PKG_REGISTER_SHELLS
#	Since an unprivileged user normally cannot add entries to
#	/etc/shells, this pkgsrc feature is disabled.
#
#	XXX: See PKG_CREATE_USERGROUP
#
# TOOLS_PLATFORM.chown, TOOLS_PLATFORM.chgrp
#	These tools cannot be used in their full extent by unprivileged
#	users.
#
#	XXX: chgrp may work for some groups.
#
# Keywords: unprivileged root override
#

_VARGROUPS+=			unprivileged
_USER_VARS.unprivileged= \
	UNPRIVILEGED UNPRIVILEGED_GROUP UNPRIVILEGED_GROUPS UNPRIVILEGED_USER
_PKG_VARS.unprivileged=	\
	PKG_USERS_VARS PKG_GROUPS_VARS
_SYS_VARS.unprivileged= \
	REAL_ROOT_USER REAL_ROOT_GROUP ROOT_USER ROOT_GROUP \
	BINOWN BINGRP GAMEOWN GAMEGRP MANOWN MANGRP SHAREOWN SHAREGRP DOCOWN DOCGRP \
	BINMODE NONBINMODE \
	PKG_CREATE_USERGROUP PKG_REGISTER_SHELLS \
	TOOLS_PLATFORM.chgrp TOOLS_PLATFORM.chown SU_CMD

_UNPRIVILEGED=		# empty
.if defined(UNPRIVILEGED) && !empty(UNPRIVILEGED:M[Yy][Ee][Ss])
_UNPRIVILEGED+=		unprivileged
.endif
.if (${_USE_DESTDIR} == "user-destdir")
_UNPRIVILEGED+=		user-destdir
.endif

.if !empty(_UNPRIVILEGED)

# Guess which user/group has to be used.
.  if !defined(UNPRIVILEGED_USER) || empty(UNPRIVILEGED_USER)
UNPRIVILEGED_USER!=	${ID} -n -u
.  endif
.  if !defined(UNPRIVILEGED_GROUP) || empty(UNPRIVILEGED_GROUP)
UNPRIVILEGED_GROUP!=	${ID} -n -g
.  endif
.  if !defined(UNPRIVILEGED_GROUPS) || empty(UNPRIVILEGED_GROUPS)
UNPRIVILEGED_GROUPS!=	${ID} -n -G
.  endif

.  if empty(_UNPRIVILEGED:Munprivileged) && !empty(_UNPRIVILEGED:Muser-destdir)
# Only do following for privileged, user-destdir builds.
_SU_ROOT_USER:=		${ROOT_USER}
REAL_ROOT_USER:=	${ROOT_USER}
REAL_ROOT_GROUP:=	${ROOT_GROUP}
.  endif

# Override super-user account.
ROOT_GROUP=		${UNPRIVILEGED_GROUP}
ROOT_USER=		${UNPRIVILEGED_USER}

# Override user/group pairs used to install files.
BINGRP=			${UNPRIVILEGED_GROUP}
BINOWN=			${UNPRIVILEGED_USER}
GAMEGRP=		${UNPRIVILEGED_GROUP}
GAMEOWN=		${UNPRIVILEGED_USER}
MANGRP=			${UNPRIVILEGED_GROUP}
MANOWN=			${UNPRIVILEGED_USER}
SHAREGRP=		${UNPRIVILEGED_GROUP}
SHAREOWN=		${UNPRIVILEGED_USER}
DOCGRP=			${UNPRIVILEGED_GROUP}
DOCOWN=			${UNPRIVILEGED_USER}

# Override installation modes.  As a regular user, we may have problems
# when overwriting files if they are not writable.
BINMODE=		755
NONBINMODE=		644

.  if !empty(_UNPRIVILEGED:Munprivileged) && empty(_UNPRIVILEGED:Muser-destdir)
# Only do the following for unprivileged, normal builds.

PKG_USERS_VARS?=	# empty
PKG_GROUPS_VARS?=	# empty
BUILD_DEFS+=		${PKG_USERS_VARS} ${PKG_GROUPS_VARS}

.if defined(SETGIDGAME) && !empty(SETGIDGAME:M[yY][eE][sS])
.  if defined(GAMES_USER)
PKG_USERS_VARS+=	GAMES_USER
.  endif
.  if defined(GAMES_GROUP)
PKG_GROUPS_VARS+=	GAMES_GROUP
.  endif
.endif

# Override per-package custom users and groups, except for groups listed
# in UNPRIVILEGED_GROUPS.
.    for _var_ in ${PKG_USERS_VARS}
${_var_}=		${UNPRIVILEGED_USER}
.    endfor
.    for _var_ in ${PKG_GROUPS_VARS}
.      if empty(UNPRIVILEGED_GROUPS:M${${_var_}})
${_var_}=		${UNPRIVILEGED_GROUP}
.      endif
.    endfor
.  endif

.endif

.if !empty(_UNPRIVILEGED:Munprivileged)
# As a regular user, creation of other users and groups won't work, so
# disable this step by default.
PKG_CREATE_USERGROUP=	NO

# Override commands that won't work as a regular user.
TOOLS_PLATFORM.chgrp=	${TRUE} chgrp
TOOLS_PLATFORM.chown=	${TRUE} chown
SU_CMD=			${SH} -c

# Do not attempt to modify /etc/shells as a regular user.
PKG_REGISTER_SHELLS=	NO
.endif