Subject: Re: pkgsrc fubar... how to apply a patch?
To: None <netbsd-help@netbsd.org>
From: Keith Mastin <kmastin@beechtree.ca>
List: netbsd-help
Date: 08/22/2002 11:01:34
<snip>
>> > You don't need to compile everything as root - pkgsrc will detect this
>> > when it needs to su, and do it "just in time". There have been two
>> > trojan attacks recently (in irssi and openssh, pkgsrc was vulnerable
>> > to the irssi one, but not openssh) and the exposure to this sort of
>> > trojan (which happens during the configure stage) is greatly reduced
>> > if you run as a normal user.
>>
>> But then doesn't make package blow up because it won't su for you?
>> Also, how is make update (or similar) supposed to work?
>
>A check is done just before "make package", "make install", "make
>replace", "make undo-replace" and "make deinstall" - if the effective
>uid is not 0, then ${SU_CMD} is executed to gain the desired
>privileges.
>
>It's been like that for 3 years, I think, and we haven't had any
>complaints yet.
>
>Personally, I try to limit the amount of time which I have root's
>privileges as much as possible.
>
"Do not take the name of root in vain" - Linus Torvalds, linux dude

There's another way that I've been using, I dunno yet if it works on
NetBSD...

Create a group admin
Make only the sysadmin a member of this group

    chgrp admin /usr/local/src/ /usr/local/bin/ /usr/local/lib/ /usr/man/
    chmod 0775 /usr/local/src/ /usr/local/bin/ /usr/local/lib/ /usr/man/

...now that user can add programs into these dirs, but does not have
permission to do system-wide damage (such as rm -Rf /*)

Looking at the perms on these dirs, I see that their group is wheel, with
perms of 0755. /usr/pkg is also grp wheel 0755, /usr/pkgsrc is grp wheel
0775... trying to make apg as a normal user who is the only other member
of the wheel group (besides root), I got this:

    Can't download to /usr/pkgsrc_distfiles/ (permission denied?).

Did chmod 0664 /usr/pkgsrc_distfiles (from 0644), and tried again:

    cd: can't cd to /usr/pkgsrc_distfiles/

... there was no call to su root

So, would my scheme work if I also made the pkg, pkgsrc and
pkgsrc_distfiles dirs writeable by group admin?

Also, why can I not install packages as a user, even as a member of wheel
grp?

BTW... an archive search for "install packages user" turned up 2080 hits,
the first 10 of which I tried all timed out...

Thanx
--
Keith Mastin BeechTree Information Technology Services Inc.
137 Laird Drive Toronto M4G 3V5 http://www.beechtree.ca
(416)696-6070 Fax(416)696-6072 kmastin@beechtree.ca
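
Added example (not part of the message above and not pkgsrc code): a group member can only cd into a directory and create files in it when the group class has both the write and the search (x) bit, which is why 0775 works for the /usr/local directories in the message while 0664 produces "can't cd". The function names and the scratch directory below are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Print the 10-character type+permission string for a path, e.g. drwxrwxr-x.
# The bits are read from ls rather than probed with "test -x", because root
# passes access tests on directories regardless of the mode bits.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the group class on directory $1 has both write and search (x)
# permission, 1 if it lacks either, 2 if $1 is not a directory.
group_can_populate() {
    [ -d "$1" ] || return 2
    case "$(dir_mode "$1")" in
        d????w[xs]???) return 0 ;;   # s = setgid bit set together with x
        *)             return 1 ;;
    esac
}

# Constructed demo: a scratch directory cycled through the modes named in
# the thread (0644, 0664, 0755, 0775).
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/distfiles"
    for m in 0644 0664 0755 0775; do
        chmod "$m" "$scratch/distfiles"
        if group_can_populate "$scratch/distfiles"; then
            verdict="group can cd in and create files"
        else
            verdict="group cannot populate it (needs both w and x)"
        fi
        printf '%s %s  %s\n' "$m" "$(dir_mode "$scratch/distfiles")" "$verdict"
    done
    chmod 0755 "$scratch/distfiles"
    rm -rf "$scratch"
}

demo
```

Only 0775 passes the check; 0664 grants group write but no search permission, so the directory cannot be entered at all.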