-.\" $OpenBSD: bsd.port.mk.5,v 1.536 2021/01/10 22:30:29 kn Exp $
+.\" $OpenBSD: bsd.port.mk.5,v 1.537 2021/02/04 22:12:03 sthen Exp $
.\"
.\" Copyright (c) 2000-2008 Marc Espie
.\"
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 10 2021 $
+.Dd $Mdocdate: February 4 2021 $
.Dt BSD.PORT.MK 5
.Os
.Sh NAME
permit keepenv nopass solene as _pfetch
.Ed
.Pp
+It is reasonably safe to allow your user id to run commands as the
+.Ev BUILD_USER
+or
+.Ev FETCH_USER
+and using
+.Ic nopass
+for these can save a lot of password entry, however it is inadvisable
+to allow commands like
+.Xr pkg_add 1
+to run as root without a password.
+.Pp
Note that this also means that
.Xr doas 1
must be configured to work within the chroot
created by
.Xr proot 1 .
.Pp
-If the regular user is not allowed to run privileged commands
-without entering a password,
-you may want these additional rules in
-.Xr doas.conf 5 ,
-to reduce the amount of times the password needs to be entered
-during ports work:
-.Bd -literal -offset indent
-permit nopass solene cmd /usr/bin/touch
-permit nopass setenv { \\
- TRUSTED_PKG_PATH TERM } solene cmd /usr/sbin/pkg_add
-permit nopass setenv { \\
- TERM } solene cmd /usr/sbin/pkg_delete
-.Ed
-.Pp
-Also, in such a situation,
-the regular user will still need to enter their password when
-.Xr update-plist 1
-is invoked.
-.Pp
As
.Xr dpb 1
does its own privilege dropping when run as root,
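Review bot: The added paragraph ending "to run as root without a password." calls passwordless pkg_add inadvisable but gives no reason, and it leaves readers who had copied the deleted rules with no guidance on whether the touch and pkg_delete entries are equally discouraged. The removed example let the invoking user's TRUSTED_PKG_PATH reach a nopass root pkg_add through setenv; a clause naming that kind of exposure would make the advice actionable and would cover the other two commands explicitly. The deleted sentence about update-plist still prompting for a password also has no replacement, so the page no longer says which steps of ports work will ask for one; a short sentence listing them would help. Style: "and using nopass for these can save a lot of password entry, however it is inadvisable" is a comma splice; split it into two sentences, each starting on its own source line.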