Delegate 'portzap clone|pull' to the _portzap user (via doas)

Makefile

@@ -1,18 +1,21 @@
 PREFIX = /usr/local
 BINDIR = $(PREFIX)/bin
-LIBEXECDIR = $(PREFIX)/libexec/portzap
 MANDIR = $(PREFIX)/man/man8
+LIBEXECDIR = $(PREFIX)/libexec/portzap
+SHAREDIR = $(PREFIX)/share/portzap
 
 install:
-	install -d $(BINDIR) $(LIBEXECDIR) $(MANDIR)
+	install -d $(BINDIR) $(LIBEXECDIR) $(SHAREDIR) $(MANDIR)
 	install -m 0755 bin/portzap $(BINDIR)
 	install -m 0755 libexec/portzap/* $(LIBEXECDIR)
+	install -m 0644 share/portzap/* $(SHAREDIR)
 	install -m 0644 man/man8/portzap.8 $(MANDIR)
 
 deinstall:
+	rm $(BINDIR)/portzap
+	rm $(MANDIR)/portzap.8
 	rm -rf $(LIBEXECDIR)
-	rm -f $(BINDIR)/portzap
-	rm -f $(MANDIR)/portzap.8
+	rm -rf $(SHAREDIR)
 
 shellcheck:
 	shellcheck bin/portzap

README.md

@@ -8,16 +8,20 @@ portzap is a utility that manages a local copy of the
 **CLI**
 
     # Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+    # This command is delegated to the '_portzap' user.
     $ portzap clone
 
     # Pull updates into /home/_portzap/ports/.
+    # This command is delegated to the '_portzap' user.
     $ portzap pull
 
     # Install /home/_portzap/ports/ into /usr/ports/.
+    # This command requires root privileges.
     # portzap install
 
     # Add the portzap user, group and home directory.
-    # portzap adduser
+    # This command requires root privileges.
+    # portzap setup
 
 **ENVIRONMENT VARIABLES**
 
@@ -34,9 +38,14 @@ portzap is a utility that manages a local copy of the
     $ git clone https://github.com/0x1eef/portzap.git
     $ cd portzap
     # make install
-    # portzap adduser
+    # portzap setup
     # pw groupmod -n _portzap -m <user>
 
+## Requirements
+
+* [doas](https://man.openbsd.org/doas) <br>
+  pkg install doas
+
 ## Sources
 
 * [GitHub](https://github.com/0x1eef/portzap)

bin/portzap

@@ -43,21 +43,21 @@ case $1 in
     "clone")
         require_dependency git
         require_membership_of _portzap
-        "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
+        doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
         ;;
     "pull")
         require_dependency git
         require_membership_of _portzap
-        "${libexec}"/portzap-pull "${gitdir}"
+        doas -u _portzap "${libexec}"/portzap-pull "${gitdir}"
         ;;
     "install")
         require_root
         require_dependency git
         "${libexec}"/portzap-install "${gitdir}" "${installdir}" "${revision}"
         ;;
-    "adduser")
+    "setup")
         require_root
-        "${libexec}"/portzap-adduser
+        "${libexec}"/portzap-setup
         ;;
     *)
         printf "Usage: portzap COMMAND [OPTIONS]\n"
@@ -66,6 +66,6 @@ case $1 in
         printf "  clone    Clone the hardenedbsd ports tree.\n"
         printf "  pull     Pull updates from the hardenedbsd ports tree.\n"
         printf "  install  Install the ports tree into /usr/ports.\n"
-        printf "  adduser  Add the portzap user, group and home directory.\n"
+        printf "  setup    Add the _portzap user, group and home directory.\n"
         ;;
 esac

libexec/portzap/portzap-adduser

@@ -1,10 +0,0 @@
-#!/bin/sh -e
-
-##
-# main
-pw useradd -n _portzap \
-           -c "portzap user" \
-           -m \
-           -s /sbin/nologin
-chmod -R u=rwX,g=rwX,o= /home/_portzap/
-echo OK

libexec/portzap/portzap-clone

@@ -12,6 +12,7 @@ if [ -e "${gitdir}/.git" ]; then
     echo "Try 'portzap pull' instead."
     exit 1
 fi
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 set -x
 git clone --depth 1 "${giturl}" "${gitdir}"
+cd "${gitdir}"

libexec/portzap/portzap-pull

@@ -6,7 +6,7 @@ gitdir=$1
 
 ##
 # main
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 if [ -e "${gitdir}/.git" ]; then
     set -x
     cd "${gitdir}"

libexec/portzap/portzap-setup

@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+##
+# variables
+conf=$(cat /usr/local/share/portzap/doas.conf)
+doas=/usr/local/etc/doas.conf
+
+##
+# main
+if ! id -u _portzap > /dev/null 2>&1; then
+    pw useradd -n _portzap \
+        -c "portzap user" \
+        -m \
+        -s /sbin/nologin
+    chmod u=rwX,g=rX,o= /home/_portzap/
+echo "[ok] add _portzap user, group and home directory"
+fi
+
+if ! fgrep "${conf}" "${doas}" > /dev/null 2>&1; then
+    echo "${conf}" >> "${doas}"
+    echo "[ok] update ${doas}"
+fi

man/man8/portzap.8

@@ -12,35 +12,50 @@ portzap pull
 .br
 portzap install
 .br
-portzap adduser
+portzap setup
 .Sh DESCRIPTION
 .Nm portzap
 manages a copy of the hardenedbsd ports tree.
 .Sh EXAMPLES
-.Pp
+.sp
+.sp
 .Nm portzap clone
 .br
 Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap pull
 .br
 Pull updates into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap install
 .br
 Install /home/_portzap/ports/ into /usr/ports/.
+.br
+This command requires root privileges.
 .Pp
-.Nm portzap adduser
+.Nm portzap setup
 .br
 Add the portzap user, group and home directory.
+.br
+This command requires root privileges.
 .Sh ENVIRONMENT VARIABLES
-.Pp
-.Bl -tag -width $PORTZAP_GITURL
-.It Ev PORTZAP_GITURL
+.sp
+.sp
+.Nm PORTZAP_GITURL
+.br
 The URL to a git repository.
+.br
 Default: https://git.hardenedbsd.org/hardenedbsd/ports.git
-.It Ev PORTZAP_INSTALLDIR
-The directory where the ports collection will be installed. Default: /usr/ports/.
+.sp
+.Nm PORTZAP_INSTALLDIR
+.br
+The directory where the ports collection will be installed.
+.br
+Default: /usr/ports/
 .Sh AUTHORS
 The
 .Nm portzap

share/portzap/doas.conf

@@ -0,0 +1,2 @@
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull