Subject: Re: Has anyone tried building -current as non-root from scratch recently?
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 03/25/2001 14:32:58
[ On Sunday, March 25, 2001 at 19:24:06 (+1000), Luke Mewburn wrote: ]
> Subject: Re: Has anyone tried building -current as non-root from scratch recently?
>
> There's work in progress to enable this, both as a non-root user and
> in a cross-compile environment. The idea is to be able to build a
> release into a DESTDIR, and build the tar files (or packages) and
> any filesystems, all as a non root user.

I thought about this again the other day while cleaning up the makefiles
that build i386 floppies.  I was about to hack the vnd(4) driver to
allow anyone with write permission to the device to use it, but I
realised that that could only make things worse, security-wise.

I'm now thinking that indeed the best thing would be some change to vnd
that allowed a non-privileged user to create any filesystem within a
file image, and to allow that user to set ownerships, permissions, etc.,
for any file in that filesystem, but to never (in the kernel) heed those
settings when any access is made to that mounted filesystem (in fact
maybe only the user who creates the mount will be able to access the
contents).

However since those permissions and ownership settings would be visible
to stat() et al, an archive could be created with pax, or whatever,
which when unpacked by a privileged user would populate a real filesystem
with files having the appropriate permissions.  Similarly the filesystem
image, if re-mounted by root (either through vnd, or if copied to raw
media) would be indistinguishable from one which could have been created
by root during "make build" or whatever.

This way there'd be almost no change necessary at all to the build
process -- just run it as yourself (as I mostly do now anyway).  The
only change might be the automatic creation and mounting of filesystem
image file(s) for DESTDIR.

When I first peeked at the vnd(4) driver the other day I realised that
such an idea was a bit more involved than I initially thought it might
be....

Maybe this feature is actually better implemented with a new mount flag
analogous to 'nodev', 'nosuid', 'noexec', etc. (which would in fact
implicitly include all/most of those flags too), and to force that flag
to be turned on when an ordinary user mounts a filesystem from a vnd
device.

(Shouldn't vnd(4) be made into a cloning type device too so that one
doesn't have to specify some limited number of entries in the kernel
configuration?)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
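The archive side of the idea in Greg's message, as an added example that is not code from the thread or from NetBSD: an ordinary (non-root) user writes a small constructed DESTDIR, then produces a tar image whose headers record root ownership and setuid mode, metadata that only a privileged extractor would later apply to a real filesystem. Paths, contents and modes are constructed samples.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample of a build tree: path -> (content, intended uid, gid, mode).
# Stands in for what a DESTDIR needs: a setuid binary and a root-only file.
DESTDIR_SPEC = {
    "usr/bin/passwd": (b"#!/bin/sh\n", 0, 0, 0o4555),
    "etc/master.passwd": (b"root:*:0:0::0:0:Charlie &:/root:/bin/sh\n", 0, 0, 0o600),
}


def populate_destdir(root):
    """Write the files as the unprivileged build user; on-disk ownership is ours."""
    for rel, (data, _uid, _gid, _mode) in DESTDIR_SPEC.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def build_archive(root):
    """Tar the tree, but stamp each header with the intended uid/gid/mode
    rather than the on-disk values the kernel currently enforces for us."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel, (_data, uid, gid, mode) in DESTDIR_SPEC.items():
            full = os.path.join(root, rel)
            info = tar.gettarinfo(full, arcname=rel)
            info.uid, info.gid, info.mode = uid, gid, mode
            info.uname, info.gname = "root", "wheel"
            with open(full, "rb") as f:
                tar.addfile(info, f)
    return buf.getvalue()


def archive_metadata(blob):
    """Return {name: (uid, gid, mode)} as a privileged extractor would apply them."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return {m.name: (m.uid, m.gid, m.mode) for m in tar.getmembers()}


def demo():
    """Build the tree and archive it; return on-disk uid alongside archived metadata."""
    with tempfile.TemporaryDirectory() as root:
        populate_destdir(root)
        on_disk_uid = os.stat(os.path.join(root, "usr/bin/passwd")).st_uid
        return on_disk_uid, archive_metadata(build_archive(root))
```

Run as a normal user, `demo()` shows the on-disk uid is yours while the archive already claims uid 0 and mode 04555 for passwd, which is exactly the split between recorded and enforced metadata the message proposes for a vnd-backed image.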