From: Stuart Henderson Subject: Re: MAINTAINER FIX: x11/emwm-utils: Enable unpriv shutdown/reboot/suspend and add pkg-readme To: izzy Meyer Cc: ports@openbsd.org, Lucas Gabriel Vuotto Date: Tue, 13 May 2025 13:51:33 +0100 On 2025/05/13 07:11, izzy Meyer wrote: > On Sat, 10 May 2025 19:04:11 +0000 > Lucas Gabriel Vuotto wrote: > > > On Sat, May 10, 2025 at 12:53:44PM -0500, izzy Meyer wrote: > > > Ended up just patching the file for simplicity. > > > > I tend to avoid patching as much as possible, but to each one their > > own. You're the maintainer anyways. > > This might make maintaining easier, but I couldn't get the -D flag in > CFLAGS to apply correctly when setting REBOOT_CMD to "/sbin/shutdown -r > now" in CFLAGS with -D. I must be missing something here: You can do it with MAKE_FLAGS = CFLAGS="${CFLAGS} -I./Xm -I${X11BASE}/include -I${LOCALBASE}/include -D'REBOOT_CMD=\"/sbin/shutdown -r now\"'" but that's harder for maintenance because you don't get notified by patch(1) if upstream changes that variable in their Makefile, which you may need to adapt to. The version with the patch is imho saner. > > This package is not installed with SUID root; warnings about lacking > > SUID root can be ignored. I don't particularly want to mess with my X setup to test it now, but if that warning does still get displayed but is irrelevant after the changes to the port, I would patch away the warning, rather than adding to the pkg-readme telling people to ignore it. : - To enable shutdown and reboot, the user should be in _shutdown : group. : - To enable suspend, the user needs to be able to run zzz(8). : : Use usermod(8) to add the user to _shutdown group. Might as well give an example for usermod: # usermod -G _shutdown : Enable apmd(8) and check zzz(8) for details about the required permissions. Neither apmd(8) nor zzz(8) are really up-front about permissions. zzz: "The protection modes on this socket govern which users may access the APM functions" apmd: "The socket is protected to mode 0660, UID 0, GID 0; this protects access to suspend requests to authorized users only." The experienced admin would realise what GID 0 is, but for user-level docs it would be clearer to mention in the pkg-readme that the user must be in group "wheel" for this to work -- however 'wheel' is a significant escalation if the only reason is to permit sleep. I wonder if it might actually be more sensible to have apmd use group _shutdown for its socket as well (and have the installer add ${ADMIN} to _shutdown like it does for wheel), but that's a change for base rather than something that can be dealt with in this port.