Hi,
Nick Holland wrote,

> >> You have to be root to install the kernel and the userland anyway. If
> >> you wish to build userland without being root, you need sudo configured
> >> without a password (or be sitting around to respond when it asks for a
> >> pw).  Again, not really improving security.  Maybe lessening it if
> >> that's against your needs.
> > 
> > At the moment I followed man release and there it is documented to do:
> > $ make SUDO=sudo build
> > Unfortunately this does not work on a fresh OpenBSD 5.5 for amd64
> > system using cvs src code for stable branch. In the middle it tries
> > to ask for the password and then fails directly without any chance
> > to actually type the password :(
> 
> This is exactly what I warned about in the paragraph above.
> 
> > Maybe the default password timeout in sudo is too low.
> > Will verify with a fresh build.
> 
> and ... what if I'm building on a slow SD card on an armv7 machine?  Or
> a 25MHz sparc?  Not a portable solution...

Probably you misunderstood my problem here. I vote for
Defaults passwd_timeout=0
in sudoers, when 'make SUDO=sudo build' is the documented way in man
release to do a build. So sudo will wait infinitely for my password.
So even a build on a diskless hp300 workstation would succeed, when
the user sometimes types in the right root password. Okay, the last time
I did this was a long time ago and it took a week to finish, so I
would recommend just building as root here ;)
 
> > Instead
> > $ sudo make build 
> > finishes perfectly.
> 
> ta-da, you just defeated your goal of preventing a bug in the Makefile
> from running away and rm -rf /'ing your system.  You made using sudo
> your goal rather than your MEANS to your goal -- a safe, secure and
> reliable system.
> 
> > So is the manpage wrong or have I made a mistake?
> > And if the man page does suggest building as non-root, wouldn't it
> > be good if the FAQ would just already provide information on how to get
> > the source without the need to change the permissions afterwards?
> 
> quoting myself, "you need sudo configured without a password".

This requirement is not documented in man release!
 
> Don't get me wrong, I'm not saying using sudo to build the system is
> wrong.  It is good.  Maybe even better overall.  Eventually, I'll
> probably get around to changing a lot of things to suggest less use of
> root (and it is most likely much more than "s/#/$ sudo/g"), but the
> statement that "this is wrong because the prompt is a '#' and not a '$'"
> is not correct.

I don't say it is wrong. I just say it might be better to use $ in
front of the cvs commands to match the documented behavior in man
release. You do not need to do "s/#/$ sudo/g" here, but simply
"s/#/$/" to get what I mean.

Should I prepare a patch to make it more clear?

So in short, man release points to anoncvs.html to document how to
get source via cvs, there you say you might use root to get the
source. But further in man release it is suggested to build the
source as non-root with make SUDO=sudo build.

best regards
 Waldemar 
