From 105b4f6594fce781f5193d05d894b1eb89c8381d Mon Sep 17 00:00:00 2001 From: 0x1eef <0x1eef@protonmail.com> Date: Sat, 20 Apr 2024 02:23:20 -0300 Subject: [PATCH] Alter default umask / mode '/home/_portzap/ports/' and '/usr/ports/' have reduced permissions for members of the '_portzap' group, who now possess read-only permissions for both directories. The 'portzap erase' command must be run by root, since members of the '_portzap' group can't delete contents of either of those directories anymore. --- README.md | 8 ++++---- libexec/portzap/portzap-clone | 2 +- libexec/portzap/portzap-erase | 4 ++-- libexec/portzap/portzap-install | 2 +- libexec/portzap/portzap-pull | 2 +- man/man8/portzap.8 | 15 ++++++++------- share/portzap/doas.conf | 4 ++-- 7 files changed, 19 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 9eb1eac..76e2f84 100644 --- a/README.md +++ b/README.md @@ -29,14 +29,14 @@ the first time. # This command is delegated to the '_portzap' user. $ portzap pull - # Start over: erase /usr/ports/ and /home/_portzap/ports/. - # This command is delegated to the '_portzap' user. - $ portzap erase - # Install /home/_portzap/ports/ into /usr/ports/. # This command requires root privileges. # portzap install + # Start over: erase /usr/ports/ and /home/_portzap/ports/. + # This command requires root privileges. + $ portzap erase + ### ENVIRONMENT diff --git a/libexec/portzap/portzap-clone b/libexec/portzap/portzap-clone index 0834e86..ca86647 100755 --- a/libexec/portzap/portzap-clone +++ b/libexec/portzap/portzap-clone @@ -8,7 +8,7 @@ git="${localbase}"/bin/git giturl=$1 gitdir=$2 branch=$3 -mode="ug=rwX,o=" +mode="u=rwX,g=rX,o=" ## # main diff --git a/libexec/portzap/portzap-erase b/libexec/portzap/portzap-erase index 2b27b2f..a4dce50 100644 --- a/libexec/portzap/portzap-erase +++ b/libexec/portzap/portzap-erase @@ -8,8 +8,8 @@ installdir=$2 ## # main -if ! "${libexec}"/isportzap-member; then - echo "[-] This command must be run by a member of the '_portzap' group" +if [ "$(id -u)" != "0" ]; then + echo "[-] This command must be run by root" exit 1 fi diff --git a/libexec/portzap/portzap-install b/libexec/portzap/portzap-install index 16da5f2..885921c 100755 --- a/libexec/portzap/portzap-install +++ b/libexec/portzap/portzap-install @@ -6,7 +6,7 @@ gitdir=$1 installdir=$2 revfile=$3 libexec=$(dirname "$0") -mode="ug=rwX,o=" +mode="u=rwX,g=rX,o=" ## # functions diff --git a/libexec/portzap/portzap-pull b/libexec/portzap/portzap-pull index 126a3a9..dbbaaba 100755 --- a/libexec/portzap/portzap-pull +++ b/libexec/portzap/portzap-pull @@ -7,7 +7,7 @@ localbase=${LOCALBASE:-/usr/local} git="${localbase}"/bin/git gitdir=$1 branch=$2 -mode="ug=rwX,o=" +mode="u=rwX,g=rX,o=" owner="_portzap:_portzap" ## diff --git a/man/man8/portzap.8 b/man/man8/portzap.8 index 85a2da7..b2c617c 100644 --- a/man/man8/portzap.8 +++ b/man/man8/portzap.8 @@ -34,19 +34,20 @@ Pull updates into /home/_portzap/ports/. .br This command is delegated to the '_portzap' user. .Pp -.Nm portzap erase -.br -Start over: erase /usr/ports/ and /home/_portzap/ports/. -.br -This command is delegated to the '_portzap' user. -.br -.Pp .Nm portzap install .br Install /home/_portzap/ports/ into /usr/ports/. .br This command requires root privileges. .Pp +.Nm portzap erase +.br +Start over: erase /usr/ports/ and /home/_portzap/ports/. +.br +This command requires root privileges. +.br +.Pp +.Pp .Sh ENVIRONMENT .sp .sp diff --git a/share/portzap/doas.conf b/share/portzap/doas.conf index bdb2b97..685df47 100644 --- a/share/portzap/doas.conf +++ b/share/portzap/doas.conf @@ -2,6 +2,6 @@ # portzap permit nopass root as _portzap cmd /usr/local/bin/git permit nopass :_portzap as _portzap cmd /usr/local/bin/git -permit nopass :_portzap as root cmd /bin/chmod args -R ug=rwX,o= /home/_portzap/ports -permit nopass :_portzap as root cmd /bin/chmod args -R ug=rwX,o= /home/_portzap/ports/.git +permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rX,o= /home/_portzap/ports +permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rX,o= /home/_portzap/ports/.git permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git