4424b4c08b
* Introduce USE_GAMESGROUP, which causes the games user and group to be made available. * Retain SETGIDGAME as an alias for USE_GAMESGROUP. Describe it as deprecated. * Always define GAMES_USER, GAMES_GROUP, GAMEMODE, GAMEDIRMODE, and GAMEDATAMODE, regardless of whether USE_GAMESGROUP is turned on or not. * Define these variables in defaults/mk.conf instead of separately in every platform/*.mk file. The definitions used to be the same for each of these platforms anyway, except for some where they were randomly missing or commented out for no clear reason, leading to broken game packages. * Handle all these variables properly when unprivileged. * Update the comments/documentation for these variables. * Describe GAMEOWN and GAMEGRP as deprecated. These need to be retained as aliases for GAMES_USER and GAMES_GROUP respectively for supporting packages that use bsd.*.mk but should otherwise not be used. * Add GAMEDATA_PERMS and GAMEDIR_PERMS using GAMEDATAMODE and GAMEDIRMODE respectively. * Fix a bug I noticed that was improperly mixing the "games" group and "games" user. Things this does *not* do: - get rid of GAMES_USER, for which there should ultimately be no need. - move the declaration/documentation/default value of USE_GAMESGROUP to a suitable place. (It is currently where SETGIDGAME was, which is suboptimal.) - touch any of the games, all of which need updating with at least s/SETGIDGAME/USE_GAMESGROUP/ and probably more. - update the guide to explain how to handle games properly. Also, it would be nice if using GAMES_GROUP without setting USE_GAMESGROUP=yes caused an error but as far as I know there isn't any particularly good way to arrange this right now. Note that these changes may alter the build/install behavior of broken game packages, e.g. some may silently become setgid when they weren't before or things like that. If you run into any of this file a PR. While one might arguably bump the PKGREVISION of all games or other packages using any of these variables as a precaution, that seems like a bad idea. Instead, I think I will be bumping each game once it itself has been fixed up to do everything the right way.
212 lines
6.2 KiB
Makefile
212 lines
6.2 KiB
Makefile
# $NetBSD: unprivileged.mk,v 1.21 2010/07/08 04:57:36 dholland Exp $
|
|
#
|
|
# This file collects definitions that are useful when using pkgsrc as an
|
|
# unprivileged (non-root) user. It is included automatically by the
|
|
# pkgsrc infrastructure.
|
|
#
|
|
# === User-settable variables ===
|
|
#
|
|
# UNPRIVILEGED
|
|
# Whether to build packages as unprivileged user.
|
|
#
|
|
# Default: (undefined)
|
|
# Possible: yes no
|
|
#
|
|
# UNPRIVILEGED_USER
|
|
# The user name (or numeric uid) that will be used to install
|
|
# files.
|
|
#
|
|
# Default: The user building the package
|
|
#
|
|
# UNPRIVILEGED_GROUP
|
|
# The group name (or numeric gid) that will be used to install
|
|
# files.
|
|
#
|
|
# Default: The primary group of the user building the package
|
|
#
|
|
# UNPRIVILEGED_GROUPS
|
|
# The group names that can be used to install files. Where a
|
|
# per-package custom group is declared that matches a group name
|
|
# in this variable, it will be left unmodified. Any per-package
|
|
# custom group not in this list will be forced to the value of
|
|
# UNPRIVILEGED_GROUP.
|
|
#
|
|
# Default: The complete group membership of the user building
|
|
# the package
|
|
#
|
|
# === Package-settable variables ===
|
|
#
|
|
# PKG_USERS_VARS
|
|
# A list of variables that hold bare user names, e.g APACHE_USER, etc.
|
|
#
|
|
# PKG_GROUPS_VARS
|
|
# A list of variables that hold bare group names, e.g UUCP_GROUP, etc.
|
|
#
|
|
# XXX: How can the user say that some of the packages shouldn't override
|
|
# the user and group names?
|
|
#
|
|
# PRIVILEGED_STAGES
|
|
# A list of phases (not stages) that are run as the privileged
|
|
# user. Some packages, when installed with just-in-time-su, leave
|
|
# temporary files in the working directory, so the "clean" phase
|
|
# must have enough priviledges to clean them up.
|
|
#
|
|
# Possible: clean
|
|
# Default: (undefined)
|
|
#
|
|
# === System-defined variables ===
|
|
#
|
|
# REAL_ROOT_USER
|
|
# The name of an omnipotent user account on the system.
|
|
#
|
|
# XXX: Why do we have this variable when it is set to ${ROOT_USER}
|
|
# anyway for unprivileged builds? Shouldn't packages that require
|
|
# such a user just fail in unprivileged mode?
|
|
# (See NOT_FOR_UNPRIVILEGED.)
|
|
#
|
|
# REAL_ROOT_GROUP
|
|
# The primary group of the REAL_ROOT_USER.
|
|
#
|
|
# ROOT_USER
|
|
# XXX: ???
|
|
#
|
|
# ROOT_GROUP
|
|
# The primary group of the ROOT_USER.
|
|
#
|
|
# BINOWN, BINGRP, GAMEOWN, GAMEGRP, MANOWN, MANGRP, SHAREOWN, SHAREGRP,
|
|
# DOCOWN, DOCGRP, BINMODE, NONBINMODE
|
|
# Ownership and permissions of the various types of files that are
|
|
# installed by the packages.
|
|
#
|
|
# XXX: What do we need all these different variables for? Wouldn't
|
|
# it be ok to install all files as ROOT_USER:ROOT_GROUP?
|
|
#
|
|
# PKG_CREATE_USERGROUP
|
|
# Since an unprivileged user normally cannot create other users
|
|
# and groups, this pkgsrc feature is disabled.
|
|
#
|
|
# XXX: This setting should be moved into pkg_add.
|
|
#
|
|
# PKG_REGISTER_SHELLS
|
|
# Since an unprivileged user normally cannot add entries to
|
|
# /etc/shells, this pkgsrc feature is disabled.
|
|
#
|
|
# XXX: See PKG_CREATE_USERGROUP
|
|
#
|
|
# TOOLS_PLATFORM.chown, TOOLS_PLATFORM.chgrp
|
|
# These tools cannot be used in their full extent by unprivileged
|
|
# users.
|
|
#
|
|
# XXX: chgrp may work for some groups.
|
|
#
|
|
# Keywords: unprivileged root override
|
|
#
|
|
|
|
_VARGROUPS+= unprivileged
|
|
_USER_VARS.unprivileged= \
|
|
UNPRIVILEGED UNPRIVILEGED_GROUP UNPRIVILEGED_GROUPS UNPRIVILEGED_USER
|
|
_PKG_VARS.unprivileged= \
|
|
PKG_USERS_VARS PKG_GROUPS_VARS
|
|
_SYS_VARS.unprivileged= \
|
|
REAL_ROOT_USER REAL_ROOT_GROUP ROOT_USER ROOT_GROUP \
|
|
BINOWN BINGRP GAMEOWN GAMEGRP MANOWN MANGRP SHAREOWN SHAREGRP DOCOWN DOCGRP \
|
|
BINMODE NONBINMODE \
|
|
PKG_CREATE_USERGROUP PKG_REGISTER_SHELLS \
|
|
TOOLS_PLATFORM.chgrp TOOLS_PLATFORM.chown SU_CMD
|
|
|
|
_UNPRIVILEGED= # empty
|
|
.if defined(UNPRIVILEGED) && !empty(UNPRIVILEGED:M[Yy][Ee][Ss])
|
|
_UNPRIVILEGED+= unprivileged
|
|
.endif
|
|
.if (${_USE_DESTDIR} == "user-destdir")
|
|
_UNPRIVILEGED+= user-destdir
|
|
.endif
|
|
|
|
.if !empty(_UNPRIVILEGED)
|
|
|
|
# Guess which user/group has to be used.
|
|
. if !defined(UNPRIVILEGED_USER) || empty(UNPRIVILEGED_USER)
|
|
UNPRIVILEGED_USER!= ${ID} -n -u
|
|
. endif
|
|
. if !defined(UNPRIVILEGED_GROUP) || empty(UNPRIVILEGED_GROUP)
|
|
. if "$(OPSYS)" == "Interix" # For at least Interix 3.5 SP-8.0.1969.1
|
|
UNPRIVILEGED_GROUP!= ${ID} -g
|
|
. else
|
|
UNPRIVILEGED_GROUP!= ${ID} -n -g
|
|
. endif
|
|
. endif
|
|
. if !defined(UNPRIVILEGED_GROUPS) || empty(UNPRIVILEGED_GROUPS)
|
|
UNPRIVILEGED_GROUPS!= ${ID} -n -G
|
|
. endif
|
|
|
|
. if empty(_UNPRIVILEGED:Munprivileged) && !empty(_UNPRIVILEGED:Muser-destdir)
|
|
# Only do following for privileged, user-destdir builds.
|
|
_SU_ROOT_USER:= ${ROOT_USER}
|
|
REAL_ROOT_USER:= ${ROOT_USER}
|
|
REAL_ROOT_GROUP:= ${ROOT_GROUP}
|
|
. endif
|
|
|
|
# Override super-user account.
|
|
ROOT_GROUP= ${UNPRIVILEGED_GROUP}
|
|
ROOT_USER= ${UNPRIVILEGED_USER}
|
|
|
|
. if !empty(_UNPRIVILEGED:Munprivileged)
|
|
# Override "games" account.
|
|
GAMES_GROUP= ${UNPRIVILEGED_GROUP}
|
|
GAMES_USER= ${UNPRIVILEGED_USER}
|
|
GAMEDATAMODE= 0644
|
|
GAMEDIRMODE= 0755
|
|
GAMEMODE= 0755
|
|
. endif
|
|
|
|
# Override user/group pairs used to install files.
|
|
BINGRP= ${UNPRIVILEGED_GROUP}
|
|
BINOWN= ${UNPRIVILEGED_USER}
|
|
GAMEGRP= ${UNPRIVILEGED_GROUP}
|
|
GAMEOWN= ${UNPRIVILEGED_USER}
|
|
MANGRP= ${UNPRIVILEGED_GROUP}
|
|
MANOWN= ${UNPRIVILEGED_USER}
|
|
SHAREGRP= ${UNPRIVILEGED_GROUP}
|
|
SHAREOWN= ${UNPRIVILEGED_USER}
|
|
DOCGRP= ${UNPRIVILEGED_GROUP}
|
|
DOCOWN= ${UNPRIVILEGED_USER}
|
|
|
|
# Override installation modes. As a regular user, we may have problems
|
|
# when overwriting files if they are not writable.
|
|
BINMODE= 755
|
|
NONBINMODE= 644
|
|
|
|
. if !empty(_UNPRIVILEGED:Munprivileged) && empty(_UNPRIVILEGED:Muser-destdir)
|
|
# Only do the following for unprivileged, normal builds.
|
|
|
|
PKG_USERS_VARS?= # empty
|
|
PKG_GROUPS_VARS?= # empty
|
|
BUILD_DEFS+= ${PKG_USERS_VARS} ${PKG_GROUPS_VARS}
|
|
|
|
# Override per-package custom users and groups, except for groups listed
|
|
# in UNPRIVILEGED_GROUPS.
|
|
. for _var_ in ${PKG_USERS_VARS}
|
|
${_var_}= ${UNPRIVILEGED_USER}
|
|
. endfor
|
|
. for _var_ in ${PKG_GROUPS_VARS}
|
|
. if empty(UNPRIVILEGED_GROUPS:M${${_var_}})
|
|
${_var_}= ${UNPRIVILEGED_GROUP}
|
|
. endif
|
|
. endfor
|
|
. endif
|
|
|
|
.endif
|
|
|
|
.if !empty(_UNPRIVILEGED:Munprivileged)
|
|
# As a regular user, creation of other users and groups won't work, so
|
|
# disable this step by default.
|
|
PKG_CREATE_USERGROUP= NO
|
|
|
|
# Override commands that won't work as a regular user.
|
|
TOOLS_PLATFORM.chgrp= ${TRUE} chgrp
|
|
TOOLS_PLATFORM.chown= ${TRUE} chown
|
|
SU_CMD= ${SH} -c
|
|
|
|
# Do not attempt to modify /etc/shells as a regular user.
|
|
PKG_REGISTER_SHELLS= NO
|
|
.endif
|