Hi César,

PLEASE can you send-PR about this?

Things like this tend to get lost otherwise.
It would be great to have this in pkgsrc IMHO.

We all have to have some patience with the send-PRs.
May be it takes some time but make it urgent.
You are putting your hammer on a security risk and that is a good thing (tm).


Cheers Andreas

On Sat, Sep 02, 2006 at 06:55:27PM +0200, Alan Barrett wrote:
> On Fri, 01 Sep 2006, César Catrián Carreño wrote:
> > When the following variables are set:
> > 
> > BINPKG_SITES=""
> > DEPENDS_TARGET=bin-install
> > 
> > pkgsrc goes to root for installing the dependent package.
> > If that package doesn't exist, tries to build it.
> > Nevertheless, it doesn't drop the privileges in this situation.
> 
> This is a long-standing problem.  Once again, I offer my patches to
> make bin-install become root only for the pkg_add command, not for
> the entire build.
> 
> --apb (Alan Barrett)
> 
> Index: mk/install/bin-install.mk
> ===================================================================
> --- mk/install/bin-install.mk	9 Aug 2006 15:31:01 -0000	1.4
> +++ mk/install/bin-install.mk	2 Sep 2006 16:36:31 -0000
> @@ -24,7 +24,7 @@
>  	ftp://ftp.NetBSD.org/pub/NetBSD/packages/$${rel}/$${arch}
>  
>  _SU_BIN_INSTALL_TARGETS=	acquire-bin-install-lock
> -_SU_BIN_INSTALL_TARGETS+=	locked-su-bin-install
> +_SU_BIN_INSTALL_TARGETS+=	locked-su-bin-install-pkgadd
>  _SU_BIN_INSTALL_TARGETS+=	release-bin-install-lock
>  
>  .PHONY: acquire-bin-install-lock release-bin-install-lock
> @@ -32,34 +32,44 @@
>  release-bin-install-lock: release-localbase-lock
>  
>  # Install binary pkg, without strict uptodate-check first
> -.PHONY: su-bin-install
> -su-bin-install: ${_SU_BIN_INSTALL_TARGETS}
> +.PHONY: su-bin-install-pkgadd
> +su-bin-install-pkgadd: ${_SU_BIN_INSTALL_TARGETS}
>  
> -locked-su-bin-install:
> +locked-su-bin-install-pkgadd:
> +	${SETENV} PKG_PATH="$$pkgpath" ${PKG_ADD} ${_BIN_INSTALL_FLAGS} ${PKGNAME_REQD:U${PKGNAME}:Q}${PKG_SUFX}
> +
> +# bin-install
> +
> +bin-install:
> +	@${PHASE_MSG} "Binary install for "${PKGNAME_REQD:U${PKGNAME}:Q}
>  	@found=`${PKG_BEST_EXISTS} \"${PKGWILDCARD}\" || ${TRUE}`;	\
> -	if [ "$$found" != "" ]; then					\
> +	if [ "$$found" = "${PKGNAME}" ]; then				\
> +		: "XXX: APB" ;						\
> +		${ECHO_MSG} "${_PKGSRC_IN}> $$found is already installed."; \
> +		${SHCOMMENT} "This is not an error.";			\
> +	elif [ "$$found" != "" ]; then					\
>  		${ERROR_MSG} "$$found is already installed - perhaps an older version?"; \
>  		${ERROR_MSG} "If so, you may wish to \`\`pkg_delete $$found'' and install"; \
>  		${ERROR_MSG} "this package again by \`\`${MAKE} bin-install'' to upgrade it properly."; \
>  		exit 1;							\
>  	fi
> -	@rel=${_SHORT_UNAME_R:Q};					\
> +	rel=${_SHORT_UNAME_R:Q};					\
>  	arch=${MACHINE_ARCH:Q};						\
>  	pkgpath=${PKGREPOSITORY:Q};					\
>  	for i in ${BINPKG_SITES}; do					\
>  		pkgpath="$$pkgpath;$$i/All";				\
>  	done;								\
> +	export pkgpath;							\
>  	${STEP_MSG} "Installing ${PKGNAME} from $$pkgpath";		\
> -	if ${SETENV} PKG_PATH="$$pkgpath" ${PKG_ADD} ${_BIN_INSTALL_FLAGS} ${PKGNAME_REQD:U${PKGNAME}:Q}${PKG_SUFX}; then \
> +	if ${RECURSIVE_MAKE} ${MAKEFLAGS} bin-install-pkgadd ; then \
>  		${ECHO} "`${PKG_INFO} -e ${PKGNAME_REQD:U${PKGNAME}:Q}` successfully installed."; \
>  	else 				 				\
>  		${SHCOMMENT} "Cycle through some FTP server here";	\
>  		${STEP_MSG} "No binary package found for ${PKGNAME} -- installing from source"; \
>  		${RECURSIVE_MAKE} ${MAKEFLAGS} package			\
>  			DEPENDS_TARGET=${DEPENDS_TARGET:Q}		\
> -		&& ${RECURSIVE_MAKE} ${MAKEFLAGS} clean;		\
> +		&& : ${RECURSIVE_MAKE} ${MAKEFLAGS} clean;		\
>  	fi
>  
> -.PHONY: bin-install
> -bin-install: su-target
> -	@${PHASE_MSG} "Binary install for "${PKGNAME_REQD:U${PKGNAME}:Q}
> +.PHONY: bin-install-pkgadd
> +bin-install-pkgadd: su-target

-- 
NetBSD: If you happen to have any problem with your uptime.