Index | Thread | Search

From:
"Anthony J. Bentley" <bentley@openbsd.org>
Subject:
Unprivileged font cache: src
To:
tech@openbsd.org
Date:
Tue, 01 Jul 2025 01:40:57 -0600

Download raw body.

Thread 
Transitioning /var/cache/fontconfig to non-root ownership requires a few
separate changes to both base and xenocara, all of which will need to be
committed at the same time. Here are the src parts.

deraadt@ recommended manual chown in the installer; I assume it will
remain there for two releases.

The pkg_add bits are from espie (thanks).

I've tested the following cases:

- Build a full base+xenocara release with the diffs. Then on a -current
  snapshot, pkg_add a couple of fonts. (At this point, /var/cache/fontconfig
  and contents are entirely root-owned.) Run sysupgrade(8) and install
  the newly built sets.
- On a -current snapshot, pkg_add a couple of fonts. Then upgrade base
  and xenocara from source.

In both upgraded systems, new fonts can be pkg_added and existing ones
can be pkg_deleted and re-added, all with no errors, and owned by the
new _fc-cache user. So unless there's something I've overlooked, the
transition is seamless.

ok?

diff 1c3bdad1df8382eba1e67c36909c80caca3bea19 73d753b54132ced1afa7899006f91af812bbc4f0
commit - 1c3bdad1df8382eba1e67c36909c80caca3bea19
commit + 73d753b54132ced1afa7899006f91af812bbc4f0
blob - a8a631901db38a5a905b1d21d29c85f4beb36b76
blob + 7a9e4315694cb1bc9ede95da20ddd922db2e220c
--- distrib/miniroot/install.sub
+++ distrib/miniroot/install.sub
@@ -1807,6 +1807,11 @@ install_files() {
 		rm -rf /mnt/var/syspatch/*
 	fi
 
+	# Transition users to unprivileged font cache
+	if [[ $MODE == upgrade ]]; then
+		chown _fc-cache:_fc-cache /mnt/var/cache/fontconfig/*
+	fi
+
 	# Install the set files.
 	for _f in $_get_sets; do
 		reset_watchdog
blob - 63a9597ba59d3de4195c35b2dfefe5ba97240d26
blob + 5dcc15870535141061390efc0a194bb5e438e5b4
--- etc/mtree/BSD.x11.dist
+++ etc/mtree/BSD.x11.dist
@@ -412,7 +412,7 @@
     ..
     var
         cache
-            fontconfig
+            fontconfig uname=_fc-cache gname=_fc-cache
             ..
         ..
         db
blob - e0110c0bb560b99241d53fd0bf83189332928b30
blob + d1acfcc50fb4ce79bdf4da1ace05b6414f65f499
--- usr.sbin/pkg_add/OpenBSD/PackingElement.pm
+++ usr.sbin/pkg_add/OpenBSD/PackingElement.pm
@@ -1671,10 +1671,20 @@ sub _restore_fontdir($state, $dirname)
 	}
 }
 
-sub _run_if_exists($state, $cmd, @l)
+sub _run_if_exists($state, $user, $cmd, @l)
 {
+	unshift(@l, $cmd);
 	if (-x $cmd) {
-		$state->vsystem($cmd, @l);
+		if (defined $user) {
+			my (undef, undef, $uid, $gid) = getpwnam($user);
+			if (!defined $uid) {
+				$state->log->fatal(
+				    $state->f("Couldn't change identity: no #1 user",
+				        $user));
+			}
+			unshift(@l, sub() { $state->change_user($uid, $gid); });
+		}
+		$state->vsystem(@l);
 	} else {
 		$state->errsay("#1 not found", $cmd);
 	}
@@ -1692,11 +1702,14 @@ sub finish($class, $state)
 		require OpenBSD::Error;
 
 		map { _update_fontalias($state, $_) } @l;
-		_run_if_exists($state, OpenBSD::Paths->mkfontscale, '--', @l);
-		_run_if_exists($state, OpenBSD::Paths->mkfontdir, '--', @l);
+		_run_if_exists($state, undef,
+		    OpenBSD::Paths->mkfontscale, '--', @l);
+		_run_if_exists($state, undef,
+		    OpenBSD::Paths->mkfontdir, '--', @l);
 		map { _restore_fontdir($state, $_) } @l;
 
-		_run_if_exists($state, OpenBSD::Paths->fc_cache, '--', @l);
+		_run_if_exists($state, '_fc-cache',
+		    OpenBSD::Paths->fc_cache, '--', @l);
 		$state->say("ok") if $state->verbose < 2;
 	}
 }