From: "Anthony J. Bentley" Subject: Unprivileged font cache: xenocara To: tech@openbsd.org Date: Tue, 01 Jul 2025 01:41:22 -0600 As mentioned in the other email, this diff has to be committed at the same time as the src diff. matthieu@ requested that fc-cache(1) automatically drop to the _fc-cache user when run as root, so users don't accidentally set ownership of /var/cache/fontconfig or its contents back to root. Since rpki-client(8) does the same thing, I just copied the invocation. On its own, this would break make release. The build runs fc-cache as root, so if fc-cache automatically drops privileges, _fc-cache would be unable to interact with a noperm filesystem. So, switch to BUILDUSER, who can, and then chown to _fc-cache afterward. ok? diff dd403c0ad15b7afbf85456f4a63c1270196cf7ce 3e4a80d08b904d3c99d1a7c7038daaf844c0b548 commit - dd403c0ad15b7afbf85456f4a63c1270196cf7ce commit + 3e4a80d08b904d3c99d1a7c7038daaf844c0b548 blob - 0a8ae9fbee3b2ac25e932e5f867d751e96df4fa5 blob + 45876996c3147726c57fad8e4e09237ef392c6ad --- dist/fontconfig/fc-cache/fc-cache.c +++ dist/fontconfig/fc-cache/fc-cache.c @@ -45,6 +45,7 @@ #ifdef HAVE_DIRENT_H #include #endif +#include #include #include @@ -380,6 +381,19 @@ main (int argc, char **argv) systemOnly = FcTrue; } + /* If started as root, priv-drop to _fc-cache */ + if (getuid() == 0) { + struct passwd *pw; + + pw = getpwnam("_fc-cache"); + if (!pw) + errx(1, "no _fc-cache user to revoke to"); + if (setgroups(1, &pw->pw_gid) == -1 || + setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 || + setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) + err(1, "unable to revoke privs"); + } + if (pledge("stdio rpath wpath cpath flock", NULL) == -1) err(1, "pledge"); blob - 55f26f52846ce91a14eb5bfb39e1157647716751 blob + 7019da27f23ff0a52f444e877114d9a24e0670f9 --- font/alias/Makefile.bsd-wrapper +++ font/alias/Makefile.bsd-wrapper 
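Review bot: The comment on the new block in main() of fc-cache.c does not say that the drop has to stay above the pledge() call that follows it. The promise string `"stdio rpath wpath cpath flock"` has no `id`, so the setgroups/setresgid/setresuid calls would be fatal if a later edit moved them below it. I would extend the comment to something like `/* If started as root, drop to _fc-cache; must precede pledge(), which omits "id" */`. Separately, the process keeps root's environment after the drop, so HOME and any XDG cache variables presumably still point at root's directories. It is worth confirming that a root invocation without -s fails cleanly under the new uid; that code path, like the rest of main(), lies outside this hunk.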
@@ -13,16 +13,25 @@ afterinstall: chmod 644 ${DESTDIR}/usr/X11R6/lib/X11/fonts/${fdir}/fonts.scale .endfor if test -z "$(DESTDIR)"; then \ + chown ${BUILDUSER}:${WOBJGROUP} \ + ${DESTDIR}/var/cache/fontconfig; \ echo "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts";\ - fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts ;\ + su ${BUILDUSER} -c \ + "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts" ;\ + chown -R _fc-cache:_fc-cache \ + ${DESTDIR}/var/cache/fontconfig; \ chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \ else \ echo "truncating font directories mtimes"; \ find "${DESTDIR}/usr/X11R6/lib/X11/fonts" -type d \ -exec perl -e 'utime+(stat)[8,9],$$_ for @ARGV' {} + ; \ + chown ${BUILDUSER}:${WOBJGROUP} \ + ${DESTDIR}/var/cache/fontconfig; \ echo "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts";\ - fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts;\ - chown root:wheel ${DESTDIR}/var/cache/fontconfig/*; \ + su ${BUILDUSER} -c \ + "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts" ;\ + chown -R _fc-cache:_fc-cache \ + ${DESTDIR}/var/cache/fontconfig/; \ chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \ fi
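Review bot: In the `test -z "$(DESTDIR)"` branch the live /var/cache/fontconfig is handed to ${BUILDUSER} for the duration of the run, which the description only justifies for the noperm DESTDIR case. Since fc-cache now drops to _fc-cache by itself when run as root, this branch could probably keep the plain `fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts ;\` and skip both chowns, assuming the companion src diff creates the directory owned by _fc-cache (not visible here). That would avoid a window in which the system cache directory is writable by the build account and is then recursively chowned by root. The two `chown -R` targets also differ only by a trailing slash (`.../fontconfig` vs `.../fontconfig/`); using one spelling in both branches would make the intent clearer.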