From: Christian Schulte
Subject: Re: Generated microcode objects should be group writeable by group wobj - see WOBJUMASK in bsd.obj.mk
To: Evan Silberman, tech@openbsd.org
Date: Sun, 29 Sep 2024 16:14:53 +0200

On 9/29/24 01:37, Stuart Henderson wrote:
> On 2024/09/28 14:14, Evan Silberman wrote:
>>
>>
>>> On Sep 28, 2024, at 11:16 AM, Christian Schulte wrote:
>>>
>>> Building base should not require root privileges.
>>
>> It does, though, which release(8) and the error message you posted both state.
>
> Actually building doesn't, but the build infrastructure does so that it
> can de-escalate to the "build" user where needed.

I am talking about building, not installing. make build is different, of
course.

>
> Adapt your build scripts to the existing infrastructure, rather than
> trying to adapt infrastructure to how you think it should look to
> work with your scripts.
>

The only thing the diff is doing is making generated firmware images
group writeable by group wobj in /usr/obj. That's just consistent with
the rest of the tree. I did not think this diff would lead to such a
discussion. I just did the following for testing after a successful make
build without any diff applied.

Index: Makefile =================================================================== RCS file: /cvs/src/Makefile,v retrieving revision 1.136 diff -u -p -u -r1.136 Makefile --- Makefile 5 Apr 2020 20:14:14 -0000 1.136 +++ Makefile 29 Sep 2024 13:55:36 -0000
@@ -83,7 +83,7 @@ do-build: false; \ fi cd ${.CURDIR}/share/mk && exec ${MAKE} install - exec ${MAKE} cleandir +# exec ${MAKE} cleandir exec ${MAKE} includes cd ${.CURDIR}/lib && \ su ${BUILDUSER} -c 'exec ${MAKE}' && \

This is working on successive builds as long as the build user does not
change. When the firmware images are generated with 0664 instead of
0644, you can even change the user on successive builds like:

doas make BUILDUSER=schulte -j 4 build

0x02$ userinfo schulte
login   schulte^
passwd  *
uid     1000
groups  schulte wheel wsrc wobj
change  NEVER
class   staff
gecos   Christian Schulte
dir     /home/schulte
shell   /bin/ksh
expire  NEVER

and that make build succeeds. No one would notice the firmware images
are not group writeable by wobj when always wiping out everything. Does
it do any harm to make that work? No. Is generating the firmware images
not group writeable by wobj inconsistent with the rest of the tree? Yes.

I am talking about being able to do a "make build" with pre-built
objects in /usr/obj so that when nothing has changed, the build does not
recompile the whole system for no reason. And this is already working
without any changes needed just by fixing the firmware images to be
group writeable by wobj.

--
Christian
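
Review bot: The commented-out "exec ${MAKE} cleandir" line in do-build drops, unconditionally, the step that makes the following "exec ${MAKE} includes" and lib build start from a clean object tree. If reusing pre-built objects is meant to be supported rather than a local test, gate the step on a make variable instead of leaving a commented-out line in the Makefile. It is also worth documenting that, with cleandir skipped, objects written under an earlier BUILDUSER are consumed unchanged by the next "su ${BUILDUSER} -c 'exec ${MAKE}'" run, so the contents of the object directory then depend on every account that was able to write there between builds.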