pkgsrc/mk/unprivileged.mk

211 lines
6.2 KiB
Makefile

# $NetBSD: unprivileged.mk,v 1.24 2022/11/23 11:59:38 jperkin Exp $
#
# This file collects definitions that are useful when using pkgsrc as an
# unprivileged (non-root) user. It is included automatically by the
# pkgsrc infrastructure.
#
# User-settable variables:
#
# UNPRIVILEGED
# Whether to build packages as unprivileged user.
#
# Default: (undefined)
# Possible: yes no
#
# UNPRIVILEGED_USER
# The user name (or numeric uid) that will be used to install
# files.
#
# Default: The user building the package
#
# UNPRIVILEGED_GROUP
# The group name (or numeric gid) that will be used to install
# files.
#
# Default: The primary group of the user building the package
#
# UNPRIVILEGED_GROUPS
# The group names that can be used to install files. Where a
# per-package custom group is declared that matches a group name
# in this variable, it will be left unmodified. Any per-package
# custom group not in this list will be forced to the value of
# UNPRIVILEGED_GROUP.
#
# Default: The complete group membership of the user building
# the package
#
# Package-settable variables:
#
# PKG_USERS_VARS
# A list of variables that hold bare user names, e.g APACHE_USER, etc.
#
# PKG_GROUPS_VARS
# A list of variables that hold bare group names, e.g UUCP_GROUP, etc.
#
# XXX: How can the user say that some of the packages shouldn't override
# the user and group names?
#
# PRIVILEGED_STAGES
# A list of phases (not stages) that are run as the privileged
# user. Some packages, when installed with just-in-time-su, leave
# temporary files in the working directory, so the "clean" phase
# must have enough priviledges to clean them up.
#
# Possible: clean
# Default: (undefined)
#
# === System-defined variables ===
#
# REAL_ROOT_USER
# The name of an omnipotent user account on the system.
#
# XXX: Why do we have this variable when it is set to ${ROOT_USER}
# anyway for unprivileged builds? Shouldn't packages that require
# such a user just fail in unprivileged mode?
# (See NOT_FOR_UNPRIVILEGED.)
#
# REAL_ROOT_GROUP
# The primary group of the REAL_ROOT_USER.
#
# ROOT_USER
# XXX: ???
#
# ROOT_GROUP
# The primary group of the ROOT_USER.
#
# BINOWN, BINGRP, GAMEOWN, GAMEGRP, MANOWN, MANGRP, SHAREOWN, SHAREGRP,
# DOCOWN, DOCGRP, BINMODE, NONBINMODE
# Ownership and permissions of the various types of files that are
# installed by the packages.
#
# XXX: What do we need all these different variables for? Wouldn't
# it be ok to install all files as ROOT_USER:ROOT_GROUP?
#
# PKG_CREATE_USERGROUP
# Since an unprivileged user normally cannot create other users
# and groups, this pkgsrc feature is disabled.
#
# XXX: This setting should be moved into pkg_add.
#
# PKG_REGISTER_SHELLS
# Since an unprivileged user normally cannot add entries to
# /etc/shells, this pkgsrc feature is disabled.
#
# XXX: See PKG_CREATE_USERGROUP
#
# TOOLS_PLATFORM.chown, TOOLS_PLATFORM.chgrp
# These tools cannot be used in their full extent by unprivileged
# users.
#
# XXX: chgrp may work for some groups.
#
# Keywords: unprivileged root override
#
_VARGROUPS+= unprivileged
_USER_VARS.unprivileged= \
UNPRIVILEGED UNPRIVILEGED_GROUP UNPRIVILEGED_GROUPS UNPRIVILEGED_USER
_PKG_VARS.unprivileged= \
PKG_USERS_VARS PKG_GROUPS_VARS
_SYS_VARS.unprivileged= \
REAL_ROOT_USER REAL_ROOT_GROUP ROOT_USER ROOT_GROUP \
BINOWN BINGRP GAMEOWN GAMEGRP MANOWN MANGRP SHAREOWN SHAREGRP DOCOWN DOCGRP \
BINMODE NONBINMODE \
PKG_CREATE_USERGROUP PKG_REGISTER_SHELLS \
TOOLS_PLATFORM.chgrp TOOLS_PLATFORM.chown SU_CMD
_UNPRIVILEGED= # empty
.if defined(UNPRIVILEGED) && !empty(UNPRIVILEGED:M[Yy][Ee][Ss])
_UNPRIVILEGED+= unprivileged
.endif
.if (${_USE_DESTDIR} == "user-destdir")
_UNPRIVILEGED+= user-destdir
.endif
.if !empty(_UNPRIVILEGED)
# Guess which user/group has to be used.
. if !defined(UNPRIVILEGED_USER) || empty(UNPRIVILEGED_USER)
UNPRIVILEGED_USER!= ${ID} -n -u
MAKEFLAGS+= UNPRIVILEGED_USER=${UNPRIVILEGED_USER:Q}
. endif
. if !defined(UNPRIVILEGED_GROUP) || empty(UNPRIVILEGED_GROUP)
UNPRIVILEGED_GROUP!= ${ID} -n -g
MAKEFLAGS+= UNPRIVILEGED_GROUP=${UNPRIVILEGED_GROUP:Q}
. endif
. if !defined(UNPRIVILEGED_GROUPS) || empty(UNPRIVILEGED_GROUPS)
UNPRIVILEGED_GROUPS!= ${ID} -n -G
MAKEFLAGS+= UNPRIVILEGED_GROUPS=${UNPRIVILEGED_GROUPS:Q}
. endif
. if empty(_UNPRIVILEGED:Munprivileged) && !empty(_UNPRIVILEGED:Muser-destdir)
# Only do following for privileged, user-destdir builds.
_SU_ROOT_USER:= ${ROOT_USER}
REAL_ROOT_USER:= ${ROOT_USER}
REAL_ROOT_GROUP:= ${ROOT_GROUP}
. endif
# Override super-user account.
ROOT_GROUP= ${UNPRIVILEGED_GROUP}
ROOT_USER= ${UNPRIVILEGED_USER}
. if !empty(_UNPRIVILEGED:Munprivileged)
# Override "games" account.
GAMES_GROUP= ${UNPRIVILEGED_GROUP}
GAMES_USER= ${UNPRIVILEGED_USER}
GAMEDATAMODE= 0644
GAMEDIRMODE= 0755
GAMEMODE= 0755
. endif
# Override user/group pairs used to install files.
BINGRP= ${UNPRIVILEGED_GROUP}
BINOWN= ${UNPRIVILEGED_USER}
GAMEGRP= ${UNPRIVILEGED_GROUP}
GAMEOWN= ${UNPRIVILEGED_USER}
MANGRP= ${UNPRIVILEGED_GROUP}
MANOWN= ${UNPRIVILEGED_USER}
SHAREGRP= ${UNPRIVILEGED_GROUP}
SHAREOWN= ${UNPRIVILEGED_USER}
DOCGRP= ${UNPRIVILEGED_GROUP}
DOCOWN= ${UNPRIVILEGED_USER}
# Override installation modes. As a regular user, we may have problems
# when overwriting files if they are not writable.
BINMODE= 755
NONBINMODE= 644
. if !empty(_UNPRIVILEGED:Munprivileged) && empty(_UNPRIVILEGED:Muser-destdir)
# Only do the following for unprivileged, normal builds.
PKG_USERS_VARS?= # empty
PKG_GROUPS_VARS?= # empty
BUILD_DEFS+= ${PKG_USERS_VARS} ${PKG_GROUPS_VARS}
# Override per-package custom users and groups, except for groups listed
# in UNPRIVILEGED_GROUPS.
. for _var_ in ${PKG_USERS_VARS}
${_var_}= ${UNPRIVILEGED_USER}
. endfor
. for _var_ in ${PKG_GROUPS_VARS}
. if empty(UNPRIVILEGED_GROUPS:M${${_var_}})
${_var_}= ${UNPRIVILEGED_GROUP}
. endif
. endfor
. endif
.endif
.if !empty(_UNPRIVILEGED:Munprivileged)
# As a regular user, creation of other users and groups won't work, so
# disable this step by default.
PKG_CREATE_USERGROUP= NO
# Override commands that won't work as a regular user.
TOOLS_PLATFORM.chgrp= ${TRUE} chgrp
TOOLS_PLATFORM.chown= ${TRUE} chown
SU_CMD= ${SH} -c
# Do not attempt to modify /etc/shells as a regular user.
PKG_REGISTER_SHELLS= NO
.endif