From ea6a5e46e56749c5c4d161980c2414130f67f64e Mon Sep 17 00:00:00 2001
From: 0x1eef <0x1eef@protonmail.com>
Date: Sun, 7 Apr 2024 20:27:18 -0300
Subject: [PATCH] Delegate 'portzap clone|pull' to the _portzap user (via doas)

---
 Makefile                        | 11 +++++++----
 README.md                       | 13 +++++++++++--
 bin/portzap                     | 10 +++++-----
 libexec/portzap/portzap-adduser | 10 ----------
 libexec/portzap/portzap-clone   |  3 ++-
 libexec/portzap/portzap-pull    |  2 +-
 libexec/portzap/portzap-setup   | 22 ++++++++++++++++++++++
 man/man8/portzap.8              | 31 +++++++++++++++++++++++--------
 share/portzap/doas.conf         |  2 ++
 9 files changed, 73 insertions(+), 31 deletions(-)
 delete mode 100755 libexec/portzap/portzap-adduser
 create mode 100755 libexec/portzap/portzap-setup
 create mode 100644 share/portzap/doas.conf

diff --git a/Makefile b/Makefile
index b6396db..35ecb59 100644
--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,21 @@
 PREFIX = /usr/local
 BINDIR = $(PREFIX)/bin
-LIBEXECDIR = $(PREFIX)/libexec/portzap
 MANDIR = $(PREFIX)/man/man8
+LIBEXECDIR = $(PREFIX)/libexec/portzap
+SHAREDIR = $(PREFIX)/share/portzap
 
 install:
-	install -d $(BINDIR) $(LIBEXECDIR) $(MANDIR)
+	install -d $(BINDIR) $(LIBEXECDIR) $(SHAREDIR) $(MANDIR)
 	install -m 0755 bin/portzap $(BINDIR)
 	install -m 0755 libexec/portzap/* $(LIBEXECDIR)
+	install -m 0644 share/portzap/* $(SHAREDIR)
 	install -m 0644 man/man8/portzap.8 $(MANDIR)
 
 deinstall:
+	rm $(BINDIR)/portzap
+	rm $(MANDIR)/portzap.8
 	rm -rf $(LIBEXECDIR)
-	rm -f $(BINDIR)/portzap
-	rm -f $(MANDIR)/portzap.8
+	rm -rf $(SHAREDIR)
 
 shellcheck:
 	shellcheck bin/portzap
diff --git a/README.md b/README.md
index 32c794c..5b3fb40 100644
--- a/README.md
+++ b/README.md
@@ -8,16 +8,20 @@ portzap is a utility that manages a local copy of the
 **CLI**
 
     # Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+    # This command is delegated to the '_portzap' user.
     $ portzap clone
 
     # Pull updates into /home/_portzap/ports/.
+    # This command is delegated to the '_portzap' user.
     $ portzap pull
 
     # Install /home/_portzap/ports/ into /usr/ports/.
+    # This command requires root privileges.
     # portzap install
 
     # Add the portzap user, group and home directory.
-    # portzap adduser
+    # This command requires root privileges.
+    # portzap setup
 
 **ENVIRONMENT VARIABLES**
 
@@ -34,9 +38,14 @@ portzap is a utility that manages a local copy of the
     $ git clone https://github.com/0x1eef/portzap.git
     $ cd portzap
     # make install
-    # portzap adduser
+    # portzap setup
     # pw groupmod -n _portzap -m <user>
 
+## Requirements
+
+* [doas](https://man.openbsd.org/doas) <br>
+  pkg install doas
+
 ## Sources
 
 * [GitHub](https://github.com/0x1eef/portzap)
diff --git a/bin/portzap b/bin/portzap
index 9ad0b94..1d5afcb 100755
--- a/bin/portzap
+++ b/bin/portzap
@@ -43,21 +43,21 @@ case $1 in
     "clone")
         require_dependency git
         require_membership_of _portzap
-        "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
+        doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
         ;;
     "pull")
         require_dependency git
         require_membership_of _portzap
-        "${libexec}"/portzap-pull "${gitdir}"
+        doas -u _portzap "${libexec}"/portzap-pull "${gitdir}"
         ;;
     "install")
         require_root
         require_dependency git
         "${libexec}"/portzap-install "${gitdir}" "${installdir}" "${revision}"
         ;;
-    "adduser")
+    "setup")
         require_root
-        "${libexec}"/portzap-adduser
+        "${libexec}"/portzap-setup
         ;;
     *)
         printf "Usage: portzap COMMAND [OPTIONS]\n"
@@ -66,6 +66,6 @@ case $1 in
         printf "  clone    Clone the hardenedbsd ports tree.\n"
         printf "  pull     Pull updates from the hardenedbsd ports tree.\n"
         printf "  install  Install the ports tree into /usr/ports.\n"
-        printf "  adduser  Add the portzap user, group and home directory.\n"
+        printf "  setup    Add the _portzap user, group and home directory.\n"
         ;;
 esac
diff --git a/libexec/portzap/portzap-adduser b/libexec/portzap/portzap-adduser
deleted file mode 100755
index f48ba91..0000000
--- a/libexec/portzap/portzap-adduser
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh -e
-
-##
-# main
-pw useradd -n _portzap \
-           -c "portzap user" \
-           -m \
-           -s /sbin/nologin
-chmod -R u=rwX,g=rwX,o= /home/_portzap/
-echo OK
diff --git a/libexec/portzap/portzap-clone b/libexec/portzap/portzap-clone
index 0dc54da..1fa4670 100755
--- a/libexec/portzap/portzap-clone
+++ b/libexec/portzap/portzap-clone
@@ -12,6 +12,7 @@ if [ -e "${gitdir}/.git" ]; then
     echo "Try 'portzap pull' instead."
     exit 1
 fi
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 set -x
 git clone --depth 1 "${giturl}" "${gitdir}"
+cd "${gitdir}"
diff --git a/libexec/portzap/portzap-pull b/libexec/portzap/portzap-pull
index c8fc515..b38fac0 100755
--- a/libexec/portzap/portzap-pull
+++ b/libexec/portzap/portzap-pull
@@ -6,7 +6,7 @@ gitdir=$1
 
 ##
 # main
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 if [ -e "${gitdir}/.git" ]; then
     set -x
     cd "${gitdir}"
diff --git a/libexec/portzap/portzap-setup b/libexec/portzap/portzap-setup
new file mode 100755
index 0000000..b453d01
--- /dev/null
+++ b/libexec/portzap/portzap-setup
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+##
+# variables
+conf=$(cat /usr/local/share/portzap/doas.conf)
+doas=/usr/local/etc/doas.conf
+
+##
+# main
+if ! id -u _portzap > /dev/null 2>&1; then
+    pw useradd -n _portzap \
+        -c "portzap user" \
+        -m \
+        -s /sbin/nologin
+    chmod u=rwX,g=rX,o= /home/_portzap/
+echo "[ok] add _portzap user, group and home directory"
+fi
+
+if ! fgrep "${conf}" "${doas}" > /dev/null 2>&1; then
+    echo "${conf}" >> "${doas}"
+    echo "[ok] update ${doas}"
+fi
diff --git a/man/man8/portzap.8 b/man/man8/portzap.8
index 10a0d8b..1f8e622 100644
--- a/man/man8/portzap.8
+++ b/man/man8/portzap.8
@@ -12,35 +12,50 @@ portzap pull
 .br
 portzap install
 .br
-portzap adduser
+portzap setup
 .Sh DESCRIPTION
 .Nm portzap
 manages a copy of the hardenedbsd ports tree.
 .Sh EXAMPLES
-.Pp
+.sp
+.sp
 .Nm portzap clone
 .br
 Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap pull
 .br
 Pull updates into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap install
 .br
 Install /home/_portzap/ports/ into /usr/ports/.
+.br
+This command requires root privileges.
 .Pp
-.Nm portzap adduser
+.Nm portzap setup
 .br
 Add the portzap user, group and home directory.
+.br
+This command requires root privileges.
 .Sh ENVIRONMENT VARIABLES
-.Pp
-.Bl -tag -width $PORTZAP_GITURL
-.It Ev PORTZAP_GITURL
+.sp
+.sp
+.Nm PORTZAP_GITURL
+.br
 The URL to a git repository.
+.br
 Default: https://git.hardenedbsd.org/hardenedbsd/ports.git
-.It Ev PORTZAP_INSTALLDIR
-The directory where the ports collection will be installed. Default: /usr/ports/.
+.sp
+.Nm PORTZAP_INSTALLDIR
+.br
+The directory where the ports collection will be installed.
+.br
+Default: /usr/ports/
 .Sh AUTHORS
 The
 .Nm portzap
diff --git a/share/portzap/doas.conf b/share/portzap/doas.conf
new file mode 100644
index 0000000..5ec6ddd
--- /dev/null
+++ b/share/portzap/doas.conf
@@ -0,0 +1,2 @@
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull