
From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: Unprivileged font cache: xenocara
To:
"Anthony J. Bentley" <bentley@openbsd.org>
Cc:
tech@openbsd.org
Date:
Tue, 1 Jul 2025 10:16:04 +0100


On 2025/07/01 01:41, Anthony J. Bentley wrote:
> As mentioned in the other email, this diff has to be committed at the
> same time as the src diff.
> 
> matthieu@ requested that fc-cache(1) automatically drop to the _fc-cache
> user when run as root, so users don't accidentally set ownership of
> /var/cache/fontconfig or its contents back to root. Since rpki-client(8)
> does the same thing, I just copied the invocation.
> 
> On its own, this would break make release. The build runs fc-cache as
> root, so if fc-cache automatically drops privileges, _fc-cache would
> be unable to interact with a noperm filesystem. So, switch to BUILDUSER,
> who can, and then chown to _fc-cache afterward.
> 
> ok?
> 
> diff dd403c0ad15b7afbf85456f4a63c1270196cf7ce 3e4a80d08b904d3c99d1a7c7038daaf844c0b548
> commit - dd403c0ad15b7afbf85456f4a63c1270196cf7ce
> commit + 3e4a80d08b904d3c99d1a7c7038daaf844c0b548
> blob - 0a8ae9fbee3b2ac25e932e5f867d751e96df4fa5
> blob + 45876996c3147726c57fad8e4e09237ef392c6ad
> --- dist/fontconfig/fc-cache/fc-cache.c
> +++ dist/fontconfig/fc-cache/fc-cache.c
> @@ -45,6 +45,7 @@
>  #ifdef HAVE_DIRENT_H
>  #include <dirent.h>
>  #endif
> +#include <pwd.h>
>  #include <string.h>
>  #include <locale.h>
>  
> @@ -380,6 +381,19 @@ main (int argc, char **argv)
>  	systemOnly = FcTrue;
>      }
>  
> +    /* If started as root, priv-drop to _fc-cache */
> +    if (getuid() == 0) {
> +        struct passwd *pw;
> +
> +        pw = getpwnam("_fc-cache");
> +        if (!pw)
> +            errx(1, "no _fc-cache user to revoke to");

if _fc-cache doesn't exist yet, does it matter about setting ownership
back to root? (i.e. would it make sense to fallback to old behaviour
in case sysmerge hasn't been run to add the uid/gid yet?)

(belt and braces: sysmerge could chown after the dir adding _fc-cache...)

> +        if (setgroups(1, &pw->pw_gid) == -1 ||
> +            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
> +            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
> +                err(1, "unable to revoke privs");
> +    }
> +
>      if (pledge("stdio rpath wpath cpath flock", NULL) == -1)
>          err(1, "pledge");
>  
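Review bot: The one-line comment on the new block says what it does but not why, and the rationale (stop a root-run fc-cache from handing /var/cache/fontconfig and its contents back to root) lives only in the mail; a reader of fc-cache.c later will not know whether the drop is a security measure or an ownership-hygiene one. I would extend it to something like `/* If started as root, priv-drop to _fc-cache so that a root-run fc-cache cannot leave the cache in /var/cache/fontconfig owned by root. */`. Note also that the test is on getuid(), i.e. the real uid, so an invocation with only an effective uid of 0 would skip the drop and keep its privileges through the pledge() below; that is presumably fine for a non-setuid binary but deserves a word in the same comment. main() begins and ends outside the hunk.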
> blob - 55f26f52846ce91a14eb5bfb39e1157647716751
> blob + 7019da27f23ff0a52f444e877114d9a24e0670f9
> --- font/alias/Makefile.bsd-wrapper
> +++ font/alias/Makefile.bsd-wrapper
> @@ -13,16 +13,25 @@ afterinstall:
>  	chmod 644 ${DESTDIR}/usr/X11R6/lib/X11/fonts/${fdir}/fonts.scale
>  .endfor
>  	if test -z "$(DESTDIR)"; then \
> +		chown ${BUILDUSER}:${WOBJGROUP} \
> +		   ${DESTDIR}/var/cache/fontconfig; \
>  		echo "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts";\
> -		fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts ;\
> +		su ${BUILDUSER} -c \
> +		   "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts" ;\
> +		chown -R _fc-cache:_fc-cache \
> +		   ${DESTDIR}/var/cache/fontconfig; \
>  		chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \
>  	else \
>  		echo "truncating font directories mtimes"; \
>  		find "${DESTDIR}/usr/X11R6/lib/X11/fonts" -type d \
>  		   -exec perl -e 'utime+(stat)[8,9],$$_ for @ARGV' {} + ;  \
> +		chown ${BUILDUSER}:${WOBJGROUP} \
> +		   ${DESTDIR}/var/cache/fontconfig; \
>  		echo "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts";\
> -		fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts;\
> -		chown root:wheel ${DESTDIR}/var/cache/fontconfig/*; \
> +		su ${BUILDUSER} -c \
> +		   "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts" ;\
> +		chown -R _fc-cache:_fc-cache \
> +		   ${DESTDIR}/var/cache/fontconfig/; \
>  		chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \
>  	fi
>  
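Review bot: In both branches the new commands are joined with `;`, so if the `su ${BUILDUSER} -c "fc-cache ..."` step fails the following `chown -R _fc-cache:_fc-cache` still runs, and whether the recipe aborts at all depends on make invoking the shell with -e, which I cannot confirm from here; in the DESTDIR-empty branch the target is the live /var/cache/fontconfig, which in the worst case is left owned by `${BUILDUSER}:${WOBJGROUP}` between the two chowns. Chaining the su and the final chown with `&&` (e.g. `"fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts" && \`) would make the failure stop the ownership flip in either case. A smaller point of style: the first branch writes `${DESTDIR}/var/cache/fontconfig;` and the second `${DESTDIR}/var/cache/fontconfig/;` for the same chown -R target; pick one spelling.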
>