From 9ee6e93f883adaf039aaefb38944383b53d3e1db Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 19 Nov 2016 14:20:58 +0000
Subject: [PATCH] Enable builds with a dedicated user that cannot elevate privileges or write to /usr/src or /usr/xenocara. Change /usr/{,x}obj to owner build:wobj with mode 770 and install the systemwide makefiles before starting a build. The root of the noperm fs containing DESTDIR should also be owned by build:wobj. Developers will need to add their users to group wobj to be able to write to /usr/{,x}obj/. "push forward" deraadt; testing, input & ok rpe
---
 src/etc/Makefile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/etc/Makefile b/src/etc/Makefile
index fdada477..155e4ae2 100644
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.444 2016/11/05 09:14:37 rpe Exp $
+# $OpenBSD: Makefile,v 1.445 2016/11/19 14:20:58 tb Exp $
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -238,6 +238,9 @@ release:
 .else
 release:
+ umask ${WOBJUMASK}; exec ${MAKE} do-release
+
+do-release:
 @if [[ `id -u` -ne 0 ]]; then \
 echo $@ must be called by root >&2; \
 false; \
@@ -273,7 +276,7 @@ sha:
 .endif # DESTDIR check
 distrib:
- cd ../distrib && \
+ umask 022; cd ../distrib && \
 ${MAKE} && exec ${MAKE} install
 .PHONY: distribution-etc-root-var distribution distrib-dirs \
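Review bot: In the `release` recipe, `umask ${WOBJUMASK}` is applied to a step that `do-release` then insists must run as root, yet nothing visible in this patch defines `WOBJUMASK` or records why a root-run release should use it. If the variable expands empty, `umask` only prints the current mask and the release carries on with whatever mask the caller inherited; presumably the value comes from the systemwide makefiles the commit message says to install first. If that is the intent, a comment above the recipe such as `# WOBJUMASK keeps /usr/obj writable for group wobj; release runs as root on that tree, so treat wobj membership as trusted` would document the assumption. Separately, `$@` in the moved root check now expands to `do-release`, so someone who typed `make release` is told `do-release must be called by root`; writing the literal `release` in the echo keeps the message accurate. The `do-release` body continues past the end of the hunk.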
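Review bot: The `distrib` recipe hard-codes `umask 022` with no comment, while the `release` recipe in the previous hunk takes its mask from `${WOBJUMASK}`, so a reader cannot tell from this hunk why the two differ. If the intent is to undo a group-writable mask inherited from `release` before `${MAKE} install` writes its files (an inference, since the caller is outside the hunk), say so with `# reset to 022: files installed by distrib must not be group-writable`. Joining the commands with `&&` rather than `;` (`umask 022 && cd ../distrib && \`) would also match the rest of the chain and not rely on the shell being run with -e.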