From: "Anthony J. Bentley" <bentley@openbsd.org>
Subject: Re: Unprivileged font cache: src
To: tech@openbsd.org
Date: Mon, 07 Jul 2025 04:05:47 -0600

Theo de Raadt writes:
> The problem really arises if you upgrade from 7.7 to 8.2 in one step.
> Sure, the -R documentation says this may not work.  But the situation is a
> bit more difficult.  It WILL NOT EVER WORK WELL moving into the future, if
> you delete that chown.  That's a bit harsh.  We would need to modify the -R
> documentation to say "Skipping versions will not work".

Indeed, I hadn't considered the implications of turning "jumping
releases is not supported" to "jumping releases will not work."

> I recommend you change your comment to:
>
> > +       # From 7.8 onwards, fontcache isn't owned by root
> > +       chown -R _fc-cache:_fc-cache /mnt/var/cache/fontconfig


diff a90b31a2b49988afcb756bd8861bba28810568ee a02c6d62b3228ee38a2b401edb81923f8a06aafe
commit - a90b31a2b49988afcb756bd8861bba28810568ee
commit + a02c6d62b3228ee38a2b401edb81923f8a06aafe
blob - a8a631901db38a5a905b1d21d29c85f4beb36b76
blob + 124060f6e30b0305b0182cdb9c04a399160a2212
--- distrib/miniroot/install.sub
+++ distrib/miniroot/install.sub
@@ -1807,6 +1807,9 @@ install_files() {
 		rm -rf /mnt/var/syspatch/*
 	fi
 
+	# From 7.8 onwards, font cache isn't owned by root
+	chown -R _fc-cache:_fc-cache /mnt/var/cache/fontconfig
+
 	# Install the set files.
 	for _f in $_get_sets; do
 		reset_watchdog
blob - 63a9597ba59d3de4195c35b2dfefe5ba97240d26
blob + 5dcc15870535141061390efc0a194bb5e438e5b4
--- etc/mtree/BSD.x11.dist
+++ etc/mtree/BSD.x11.dist
@@ -412,7 +412,7 @@
     ..
     var
         cache
-            fontconfig
+            fontconfig uname=_fc-cache gname=_fc-cache
             ..
         ..
         db
blob - e0110c0bb560b99241d53fd0bf83189332928b30
blob + d1acfcc50fb4ce79bdf4da1ace05b6414f65f499
--- usr.sbin/pkg_add/OpenBSD/PackingElement.pm
+++ usr.sbin/pkg_add/OpenBSD/PackingElement.pm
@@ -1671,10 +1671,20 @@ sub _restore_fontdir($state, $dirname)
 	}
 }
 
-sub _run_if_exists($state, $cmd, @l)
+sub _run_if_exists($state, $user, $cmd, @l)
 {
+	unshift(@l, $cmd);
 	if (-x $cmd) {
-		$state->vsystem($cmd, @l);
+		if (defined $user) {
+			my (undef, undef, $uid, $gid) = getpwnam($user);
+			if (!defined $uid) {
+				$state->log->fatal(
+				    $state->f("Couldn't change identity: no #1 user",
+				        $user));
+			}
+			unshift(@l, sub() { $state->change_user($uid, $gid); });
+		}
+		$state->vsystem(@l);
 	} else {
 		$state->errsay("#1 not found", $cmd);
 	}
@@ -1692,11 +1702,14 @@ sub finish($class, $state)
 		require OpenBSD::Error;
 
 		map { _update_fontalias($state, $_) } @l;
-		_run_if_exists($state, OpenBSD::Paths->mkfontscale, '--', @l);
-		_run_if_exists($state, OpenBSD::Paths->mkfontdir, '--', @l);
+		_run_if_exists($state, undef,
+		    OpenBSD::Paths->mkfontscale, '--', @l);
+		_run_if_exists($state, undef,
+		    OpenBSD::Paths->mkfontdir, '--', @l);
 		map { _restore_fontdir($state, $_) } @l;
 
-		_run_if_exists($state, OpenBSD::Paths->fc_cache, '--', @l);
+		_run_if_exists($state, '_fc-cache',
+		    OpenBSD::Paths->fc_cache, '--', @l);
 		$state->say("ok") if $state->verbose < 2;
 	}
 }
blob - 79286eb9c5f7359b60f9ea0a061a8c40198029fe
blob + 7797778f1746163333090a67d5a47bc2ede26de4
--- usr.sbin/sysmerge/sysmerge.sh
+++ usr.sbin/sysmerge/sysmerge.sh
@@ -184,6 +184,9 @@ sm_run() {
 	sm_add_user_grp
 	sm_cp_pkg_samples
 
+	# From 7.8 onwards, font cache isn't owned by root
+	chown -R _fc-cache:_fc-cache /var/cache/fontconfig
+
 	for _i in etcsum xetcsum pkgsum; do
 		if [[ -f /var/sysmerge/${_i} && \
 			-f ./var/sysmerge/${_i} ]] && \