On Mon, Jul 17, 2017 at 04:39:10PM -0400, Ted Unangst wrote: > Yes, the difference is intentional. For pretty much exactly the reason you > noticed, although perhaps with the opposite result. A successful > authentication is not meant to be inherited by any random program or script > you run. A) because vague security concerns, but also B) because I think it's > weird that a script maybe works if it runs fast enough, but fails if it takes > five minutes to get to doas. Like "make; doas make install" works on a fast > machine but fails unexectedly on a slower machine. > > A more robust approach to this problem is to invert privilege. Start as root, > then drop to another user.
Thank you for explaining; I suspected the reasoning was such. Speaking specifically about ports, is there a way to start a port build as root and then drop priviledges (in a similar manner to the base system's build infrastructure)? A quick glance through bsd.port.mk(5) suggests that this isn't (yet) possible. (A possible workaround is to run "make fetch" as a normal user, "make prepare" as root and "make build" as normal user etc, however if there are dependencies which need to be built at the "make prepare" stage then they are built as root.) Regards
