From: Morgan Aldridge
Subject: Re: make extract asks for authentication multiple times with PORTS_PRIVSEP
To: Douglas Silva
Cc: "ports@openbsd.org"
Date: Sat, 20 Dec 2025 16:43:28 -0500

On Sat, Dec 20, 2025 at 14:25 Douglas Silva wrote:
> 1. I have privilege separation enabled in /etc/mk.conf:
>
> PORTS_PRIVSEP=Yes
> SUDO=doas
>
> 2. doas is configured to let my user run as the ports users:
>
> permit keepenv nopass dsilva as _pbuild
> permit keepenv nopass dsilva as _pfetch
>
> 3. Permissions in the ports directory were fixed with the make target
> "fix-permissions"
>
> 4. cd to a port (e.g. net/tor) and run all the make targets from "fetch"
> to "extract".
>
> $ cd /usr/ports/net/tor
> $ make fetch
> $ make checksum
> $ make extract
>
> Most make targets use the privilege separation as expected, and I get no
> authentication prompts. The "extract" target doesn't.

Did you also add your user to the 'wsrc'[0] and 'wobj'[1] groups? If so, did you log out and back in for the changes to take effect?

Per the Ports FAQ[2]:

"Again, ports can be _built_ as a user, but must be _installed_ by root or with doas(1)."

> I wonder if it's safe to run it as root? I'm not sure. I'm still trying to
> learn how this works. But if that's a requirement, I think it would be best
> to make it exit with an error when it's not root — to make that clear.

I would say not. Per the PORTS_PRIVSEP documentation in bsd.port.mk(5):

"It is reasonably safe to allow your user id to run commands as the BUILD_USER or FETCH_USER and using nopass for these can save a lot of password entry, however it is inadvisable to allow commands like pkg_add(1) to run as root without a password."

Hope that helps.

Morgan

[0]
[1]
[3]
[4]
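
The following is an added example, not part of the original message or of the ports tree: a small audit that applies the bsd.port.mk(5) guidance quoted above to doas.conf text, flagging every `permit ... nopass` rule whose target is not one of the privsep accounts. The function name, the `PRIVSEP_USERS` variable and the sample rules (other than the two `_pbuild`/`_pfetch` lines from the thread) are constructed for illustration; comment stripping and `setenv { ... }` handling are simplified.

```shell
#!/bin/sh
# Flag passwordless doas rules that reach beyond the ports privsep accounts.
# A rule with no "as target" applies to all users, root included, so it is
# flagged as well.

audit_doas_nopass() {
    # stdin: doas.conf text; stdout: "LINE_NO: rule" for each risky rule.
    awk -v ok="${PRIVSEP_USERS:-_pbuild _pfetch}" '
    BEGIN { n = split(ok, a, " "); for (k = 1; k <= n; k++) allow[a[k]] = 1 }
    {
        line = $0
        sub(/#.*/, "")                    # drop comments (simplified)
        if ($1 != "permit") next          # deny rules and blanks grant nothing
        nopass = 0; target = ""; in_env = 0
        for (i = 2; i <= NF; i++) {
            if (in_env) { if ($i ~ /[}]$/) in_env = 0; continue }
            if ($i == "setenv") { in_env = 1; continue }
            if ($i == "cmd") break        # the rest is the command and args
            if ($i == "nopass") nopass = 1
            if ($i == "as" && i < NF) target = $(i + 1)
        }
        if (nopass && !(target in allow))
            printf "%d: %s\n", NR, line
    }'
}

# Constructed sample: lines 2-3 are the rules from the thread, the rest are
# made up to exercise the check.
SAMPLE_CONF='# constructed sample doas.conf
permit keepenv nopass dsilva as _pbuild
permit keepenv nopass dsilva as _pfetch
permit nopass dsilva as root cmd pkg_add
permit nopass keepenv :wheel
permit persist dsilva as root
deny dsilva as root cmd reboot'

printf '%s\n' "$SAMPLE_CONF" | audit_doas_nopass
```

Run against a real configuration with `audit_doas_nopass < /etc/doas.conf`; set `PRIVSEP_USERS` if BUILD_USER or FETCH_USER have been changed from the defaults.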