tech-pkg archive


Re: A fix for pkgtools/mksandbox



> Date: Wed, 17 Dec 2025 11:18:44 +1300
> From: Lloyd Parkes <lloyd%must-have-coffee.gen.nz@localhost>
> 
> Can I commit the following patch to pkgtools/mksandbox during the pkgsrc 
> freeze?
> 
> Without this patch security/sudo will build a defective binary when 
> built in a sandbox. The resulting sudo program crashes when trying to 
> record the fact that the user has accepted the sudo lecture.

I think this is not a good idea.

The file system layout of the sandbox should depend only on the
mksandbox configuration.

It should not depend on what directories happen to exist in /var on
the host.  That's the whole point of the sandbox: to make a reliable
environment that can be blown away and reproduced.

So if creating or deleting /var/lib or /var/adm in the host affected
the sandboxed environment, and made the difference between a working
or broken sudo package, I would call that a bug in mksandbox -- it
would be failing to provide adequate isolation.

Instead, can we pass configure arguments or something to security/sudo
so that it does the right thing?

Alternatively, does the sudo build look for different directories on
specific operating systems?  Having something like

	case "$opsys" in
	SunOS)
		mkdir "$sandbox/var/adm"
		;;
	Linux)
		mkdir "$sandbox/var/lib"
		;;
	# ... (cases for other operating systems)
	esac

wouldn't be so bad (adjust according to what is appropriate for the
operating systems).
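
The isolation argument in the reply above, as an added shell example that is not part of the original message or of mksandbox: it contrasts a sandbox layout derived from the host's /var with one derived only from the OS name. The function names, the constructed host trees and the host-mirroring variant are assumptions for illustration; the SunOS/Linux mapping follows the sketch in the message.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Host-dependent variant (the behaviour the reply objects to):
# create var/adm and var/lib in the sandbox only if the host has them.
layout_from_host() {	# $1 = host root, $2 = sandbox root
	mkdir -p "$2/var"
	for d in adm lib; do
		if [ -d "$1/var/$d" ]; then
			mkdir -p "$2/var/$d"
		fi
	done
}

# Configuration-dependent variant: the OS name alone decides the layout.
# Mapping taken from the sketch in the message; adjust per operating system.
layout_from_config() {	# $1 = opsys, $2 = sandbox root
	mkdir -p "$2/var"
	case "$1" in
	SunOS) mkdir -p "$2/var/adm" ;;
	Linux) mkdir -p "$2/var/lib" ;;
	esac
}

# Space-separated, sorted listing of the sandbox's /var entries.
var_listing() {	# $1 = sandbox root
	LC_ALL=C ls "$1/var" | tr '\n' ' ' | sed 's/ $//'
}

demo() {
	scratch=$(mktemp -d) || return 1
	# Constructed hosts: identical except that hostB also has /var/adm.
	mkdir -p "$scratch/hostA/var/lib" \
		"$scratch/hostB/var/lib" "$scratch/hostB/var/adm"
	for h in hostA hostB; do
		layout_from_host "$scratch/$h" "$scratch/$h.mirror"
		layout_from_config Linux "$scratch/$h.config"
		echo "$h: mirrored=[$(var_listing "$scratch/$h.mirror")]" \
			"configured=[$(var_listing "$scratch/$h.config")]"
	done
	rm -rf "$scratch"
}

demo
```

The mirrored layout differs between the two hosts while the configured layout is identical on both, which is the reproducibility property the reply asks for.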

