diff options
| author |   natano <natano@openbsd.org> | 2016-10-05 18:00:41 +0000 |
|---|---|---|
| committer | natano <natano@openbsd.org> | 2016-10-05 18:00:41 +0000 |
| commit | 2a3ca3e957821cd3dce7f979168894ab5128cf03 (patch) | |
| tree | 24ef9d7ce64efa1623c3d1e7b3b67d3fa9cb4cbc /Makefile | |
| parent | move yyparse decl next to yyfp (diff) | |
| download | wireguard-openbsd-2a3ca3e957821cd3dce7f979168894ab5128cf03.tar.xz wireguard-openbsd-2a3ca3e957821cd3dce7f979168894ab5128cf03.zip | |
De-escalate to an unprivileged users during 'make build' and 'make release'.
- If you start make build as root, everything will be run as root.
Nothing new here. New is, that you can set BUILDUSER=somebody and the
unprived parts will be run as somebody.
- If you start make build with sudo, the unprived parts will be run as
the real user (meaning YOU). You can still set BUILDUSER=somebody and
the uprived parts will run as somebody.
- If you start make build as a normal user it will error out. "I'm sorry
Dave."
Note that DESTDIR must be on partition with the noperm flag set for make
release to work correctly as an unprivileged user.
idea and ok deraadt
input and ok tb ratchov millert
rpe, halex and probably others where part of the conversation to make
this happen, thanks!
Diffstat (limited to 'Makefile')
| -rw-r--r-- | Makefile | 19 |
1 files changed, 14 insertions, 5 deletions
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.126 2016/10/04 16:54:31 deraadt Exp $ +# $OpenBSD: Makefile,v 1.127 2016/10/05 18:00:41 natano Exp $ # # For more information on building in tricky environments, please see @@ -72,14 +72,23 @@ build: .ifdef GLOBAL_AUTOCONF_CACHE cp /dev/null ${GLOBAL_AUTOCONF_CACHE} .endif + @if [[ `id -u` -ne 0 ]]; then \ + echo 'must be called by root' 2>&1; \ + false; \ + fi cd ${.CURDIR}/share/mk && exec ${MAKE} install - cd ${.CURDIR}/include && ${MAKE} prereq && exec ${MAKE} includes + cd ${.CURDIR}/include && \ + su ${BUILDUSER} -c 'exec ${MAKE} prereq' && \ + exec ${MAKE} includes ${MAKE} cleandir - cd ${.CURDIR}/lib && ${MAKE} depend && ${MAKE} && \ + cd ${.CURDIR}/lib && \ + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ NOMAN=1 exec ${MAKE} install - cd ${.CURDIR}/gnu/lib && ${MAKE} depend && ${MAKE} && \ + cd ${.CURDIR}/gnu/lib && \ + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ NOMAN=1 exec ${MAKE} install - ${MAKE} depend && ${MAKE} && exec ${MAKE} install + su ${BUILDUSER} -c '${MAKE} depend && exec ${MAKE}' && \ + exec ${MAKE} install /bin/sh ${.CURDIR}/distrib/sets/makeetcset ${.CURDIR} ${MAKE} .endif |