About
The portzap utility manages a local copy of the hardenedBSD ports tree in a way that is efficient, scalable, and secure. The utility provides consistent ownership and permissions for the ports tree, maintains a clean separation between root-only operations and unprivileged operations, and offers a simple workflow for updating and installing the ports tree.
Features
- Easy to use.
- A simple workflow: clone, pull, then install.
- Uses rsync and git for fast, efficient updates.
- Restricts access to root and _portzap group members.
- Separates unprivileged operations from root-only operations.
- One dedicated user (_portzap) for managing the ports tree.
- Keeps ownership and permissions consistent in /home/_portzap/ports/ and /usr/ports/.
- Delegation: mdo(1) runs commands as _portzap.
- Clear permissions: mac_do(4) rules decide who can act as _portzap.
Commands
User
The following commands are delegated to the _portzap user and
authorized by mac_do(4) rules. By default you must be root or a
member of the _portzap group to run the following commands:
- portzap clone
  Clone the hardenedBSD ports tree into /home/_portzap/ports/
- portzap pull
  Pull updates into /home/_portzap/ports/
- portzap sh
  Run /bin/sh within /home/_portzap/ports/
- portzap status
  Show whether mac_do(4) rules are applied
Superuser
The following commands are restricted to root, or user id 0.
Permission to run the following commands is denied for any other user:
- portzap rm
  Remove the contents of /usr/ports/ and /home/_portzap/ports/
- portzap install
  Install /home/_portzap/ports/ into /usr/ports/
- portzap apply
  Apply mac_do(4) rules
  Allows root and members of the _portzap group to act as the _portzap user
- portzap unapply
  Remove mac_do(4) rules
Setup
mac_do(4)
The mac_do(4) policy must be loaded into the kernel before portzap(8)
can use the mdo(1) utility successfully. This can be done in one of two
ways. The recommended way is to add the following line to /boot/loader.conf:
mac_do_load="YES"
And then reboot the system. Otherwise, the policy can be loaded manually with the following command and without a reboot:
root@localhost# kldload mac_do
Environment
After installation is complete the portzap environment should be set up.
That includes the creation of the _portzap user and group, as well as
the creation of /home/_portzap. Adding a user to the _portzap group is
recommended when you want to manage the tree as a non-root user (who will
then be delegated to _portzap). The process is mostly automated, and the
following commands should be run as a superuser:
- portzap setup
  Creates the _portzap user and group
- portzap teardown
  Tears down the _portzap user and group
- pw groupmod _portzap -m <user>
  Add a user to the _portzap group.
rc.d
The rc.d script that manages the mac_do(4) rules should also be enabled:
sysrc portzap_enable="YES"
And then the service should be started:
service portzap start
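The following is an added example, not part of portzap: a POSIX sh audit of the two persistent settings from the Setup steps above, mac_do_load in the loader configuration and portzap_enable in the rc configuration. The function names are hypothetical, the sample files are constructed, and the example assumes both settings live in the files passed to audit.

```shell
#!/bin/sh
# Added example (not portzap code): audit the two persistent settings
# from the Setup section. Assumes they live in the files passed in.

# conf_value FILE KEY: print the last value assigned to KEY, without
# trailing comments or surrounding double quotes.
conf_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/'
}

# is_yes VALUE: accept only YES (any case), as the page writes it.
# rc.subr also accepts TRUE, ON and 1; add them here if you use them.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit LOADER_CONF RC_CONF: report each setting; the return status is
# the number of settings that are missing or disabled.
audit() {
    missing=0
    if is_yes "$(conf_value "$1" mac_do_load)"; then
        echo "ok: mac_do_load enabled in $1"
    else
        echo "missing: mac_do_load=\"YES\" in $1"
        missing=$((missing + 1))
    fi
    if is_yes "$(conf_value "$2" portzap_enable)"; then
        echo "ok: portzap_enable enabled in $2"
    else
        echo "missing: portzap_enable=\"YES\" in $2"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample files: the policy is loaded at boot, but a later
# line switches the rc.d service off again.
demo=$(mktemp -d)
printf '%s\n' '# constructed' 'mac_do_load="YES"' > "$demo/loader.conf"
printf '%s\n' 'portzap_enable="YES"' 'portzap_enable="NO"  # later wins' \
    > "$demo/rc.conf"
audit "$demo/loader.conf" "$demo/rc.conf" || echo "$? setting(s) need attention"
rm -rf "$demo"
```

On a real host, call audit /boot/loader.conf /etc/rc.conf; a non-zero status means the mac_do(4) policy or the rc.d service will not come back after a reboot.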
Install
Package
portzap is available from the hardenedBSD src tree.
"pkg install portzap" should work too but expect slower updates.
Source
The first step is to clone the repository.
Afterwards portzap can be installed (and deinstalled) through make.
Run the following as root (or with equivalent privileges):
git clone https://github.com/0x1eef/portzap
cd portzap
make install
make deinstall