Subject: setuid-root binaries and unprivileged builds
To: NetBSD Packages Technical Discussion List <>
From: Johnny C. Lam <>
List: tech-pkg
Date: 06/15/2007 15:08:53
After Roland's rousing talk at pkgsrcCon/Barcelona, I'm playing with 
unprivileged builds on my pkgsrc system.  I've just installed my first 
package that has a setuid-root binary, but of course, that doesn't get 
installed correctly at the moment.  I'm wondering what the correct 
action should be?

I was thinking of modifying the +PERMS script to handle this situation. 
  The install scripts would grow another shell-settable variable 
PKG_ALLOW_SETGUID which defaults to "yes".  If PKG_ALLOW_SETGUID is 
"yes", then just go ahead and set the mode on set[gu]id programs.  If 
it's "no", then set the mode to 0000 and warn the admin to set the right 
user, group and mode.

Then for unprivileged builds, we default to PKG_ALLOW_SETGUID to "no".



	-- Johnny Lam <>