On 07/04/14 09:18, Waldemar Brodkorb wrote:
> Hi Nick, Hi @misc,
> Nick Holland wrote,
> 
>> On 07/02/14 10:54, Waldemar Brodkorb wrote:
>> > Hi,
>> > 
>> > just trying to build 5.5 stable branch and seeing that
>> 
>> ...[checkout/compile/install as root]...
>> 
>> > Wouldn't it be better to tell the user to add the local non-root
>> > user to the wsrc group and then just do it without root permissions?
>> > (changing # into $ in the examples)
>> 
>> why?
>> Answer thoughtfully, not reflexively, please.
> 
> It might just be a personal best practice to work as little as
> possible as root.

great.  I'm all in favor.
HOWEVER, never forget that this is a MEANS TO A GOAL, not the goal.

This is a huge mistake people make all over the place.

Goal: a secure and reliable system.
Tool: sudo

You can reach that goal without using sudo, you can use sudo and miss
that goal, you can use sudo and end up breaking that goal BECAUSE of how
you use it.

As they say, keep your eye on the goal.  I say never forget the
difference between the goal and the tools to reach that goal.  The
so-called computer security business is filled with this error being
made all over and everywhere, where the tools become the goal, and the
goal is missed completely.

> I even normally compile/cross-compile software
> regularly as non-root, because you never know how broken Makefiles and
> scripts can be. Short anecdote: ten or more years ago, as I built
> rpm packages for SuSE 7.x as root, I once used an official SuSE spec
> file to rebuild a package and this wiped my disk. (rm -rf
> /$some-empty-var problem) Since then I prefer to build software as
> non-root.

Great.  Note that this discussion wasn't about building third party
software, but the core system, which can't be completed without
administrative access on your system.  You can build and test many
simple apps as non-root user.  GREAT!  but a different topic.

>> You are building code that all system security depends on.  If you don't
>> trust the user doing this, you have a problem; doing it as non-root
>> changes this situation not one bit.
> 
> I trust the user building the code, but I don't trust my scripts in
> front of that, when trying automatic builds ;)
>  
>> You have to be root to install the kernel and the userland anyway. If
>> you wish to build userland without being root, you need sudo configured
>> without a password (or be sitting around to respond when it asks for a
>> pw).  Again, not really improving security.  Maybe lessening it if
>> that's against your needs.
> 
> At the moment I followed man release and there is documented todo:
> $ make SUDO=sudo build
> Unfortunately this does not work on a fresh OpenBSD 5.5 for amd64
> system using cvs src code for stable branch. In the middle it tries
> to ask for the password and then fails directly without any chance
> to actually type the password :(

This is exactly what I warned about in the paragraph above.

> Maybe the default password timeout in sudo is too low.
> Will verify with a fresh build.

and ... what if I'm building on a slow SD card on an armv7 machine?  Or
a 25MHz sparc?  Not a portable solution...

> Instead
> $ sudo make build
> finishes perfectly.

ta-da, you just defeated your goal of preventing a bug in the Makefile
from running away and rm -rf /'ing your system.  You made using sudo
your goal rather than your MEANS to your goal -- a safe, secure and
reliable system.

> So is the manpage wrong or did I make a mistake?
> And if the man page does suggest building as non-root, wouldn't it
> be good if the FAQ already provided information on how to get
> the source without the need to change the permissions afterwards?

quoting myself, "you need sudo configured without a password".

Now, with sudo configured without a password, any script can do anything
to you with an embedded "sudo rm -rf /$unsetvar" and you won't know
until way too late.  Of course, even WITH a password, you just know it
suddenly prompted you for a pw, not why it did.

Again -- sudo is a tool to help reach a noble goal.  It's not the goal.

>> Good administrative practices?  Very possibly.  But this comes down to
>> local administrative policies set by people looking at the situation at
>> your site.  Minimizing the damage of "rm -rf /" is good.  Turning off
>> passwords on sudo if that's otherwise your policy is not good.
> 
> Sure.
>  
>> There's a philosophy that what you are doing here could totally f***
>> your system up.  Not doing it as root and pretending what you do
>> couldn't hurt things is bad.  Maybe seeing the "#" prompt reminds you
>> there are sharp edges here.
> 
> Sometimes people have a lot of terminals open to remote systems and
> then I have seen trainee admins typing "shutdown -h now", because
> they want to shut down their workstation, but accidentally have
> shut down a Xen-Server with 20 productive machines running on it :)
> So again, avoiding being root is just good in my experience.

actually, typing "sudo shutdown -h now" isn't much of a deterrent, I've
found ... the hard way.  (Unrelated discussion: I aliased "halt" to
"echo 'wrong computer, genius'" on my local machine.  I quit using
"shutdown" after doing a "shutdown -h" on a remote machine I intended to
do a "shutdown -r" on.  Finger memory sucks sometimes)

>> me?  IF I'm doing this on a "General Purpose" machine, I'd probably
>> check out as me, compile kernel as me, "sudo make install" the kernel,
>> and "sudo make build".  I should probably "SUDO=sudo make build", but
>> hey, if there's something wrong in the build scripts that this saves me
>> from, it would probably be best for all of you that I find out, right?
>> :)  If I'm building on a machine dedicated to building...I'm not seeing
>> a lot of benefit to not just doing it all as root.
> 
> Yeah, I of course have a separate virtual machine building OpenBSD
> for my real systems. So it is indeed not a real issue. Just a nice
> to have. Just wanna give my colleague firewall admins a chance to
> not f*** up my buildsystem ;)

Don't get me wrong, I'm not saying using sudo to build the system is
wrong.  It is good.  Maybe even better overall.  Eventually, I'll
probably get around to changing a lot of things to suggest less use of
root (and it is most likely much more than "s/#/$ sudo/g"), but the
statement that "this is wrong because the prompt is a '#' and not a '$'"
is not correct.

Nick.
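The "rm -rf /$some-empty-var" failure mode that comes up twice in this thread, shown as an added shell example (not code from the thread or from the OpenBSD build system): the naive expansion that yields "/", the `${var:?}` guard that aborts instead, and a cleanup helper that refuses empty values and the filesystem root. Function names and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: the "rm -rf /$some-empty-var" trap.
# A build script doing `rm -rf /$BUILDDIR` with BUILDDIR unset expands to
# `rm -rf /`; run as root, or through passwordless sudo, that wipes the disk.
# Only a throwaway directory under $TMPDIR is ever touched here.

# What the naive script hands to rm: "/" when the variable is empty.
naive_target() {
    printf '/%s\n' "$1"
}

# ${var:?msg} makes the shell abort (a subshell here) when the value is
# empty, so no path is produced at all instead of a silent "/".
guarded_target() {
    dir=$1
    ( printf '/%s\n' "${dir:?refusing: directory variable is empty}" ) 2>/dev/null
}

# Defensive cleanup: refuse empty values and the filesystem root outright,
# require an existing directory, and use -- so a value starting with "-"
# cannot be parsed as an rm option.
safe_clean() {
    target=$1
    case "$target" in
        ""|/|/.) return 1 ;;
    esac
    [ -d "$target" ] || return 1
    rm -rf -- "$target"
}

# Demonstration on a constructed scratch tree; nothing real is involved.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/buildtest.XXXXXX") || return 1
    mkdir -p "$scratch/obj"
    safe_clean "$scratch/obj" || return 1
    [ ! -e "$scratch/obj" ] || return 1
    rmdir "$scratch"
    echo "safe_clean removed only the scratch obj directory"
}

demo
```

Running it with BUILDDIR unset in a real build script is exactly the case `naive_target ""` models; `set -u` at the top of a script gives the same abort as `${var:?}` for every unset variable at once.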
