sudo port security (was: MacPorts shell mode)
jmr at macports.org
Fri Oct 20 06:38:26 UTC 2017
Chris Jones wrote:
> On 19 Oct 2017, at 9:07 pm, Rainer Müller <raimue at macports.org> wrote:
>> However, in terms of security, allowing to run 'port'
>> without password is equivalent to allowing the user to run any command.
> Well, not entirely true. It only lets you run whatever port lets you do. The fact that port lets you do what you show below is for me more an issue with port being too flexible, than anything else. If it were up to me I wouldn't have options like --editor as part of port.
The --editor option is one of the least of your problems. The nature of
Portfiles is to execute arbitrary commands, and sometimes they even need
to do it as root. We take some steps to mitigate the risks of this, but
they are imperfect (and ironically it has been getting harder each time
Apple adds more security measures to the OS).
Bottom line, if someone can get port to read a Portfile they wrote,
assume they can run any command, as Rainer said. If they can run port as
root, they can run their commands as root.
>> One of the simplest possible ways to gain privileges would be something
>> like 'sudo port edit --editor <...>'. That definitely affects security.
>> Of course in the end it is still the decision of each user whether this
>> is grave enough or if the enhanced user experience is more important.
> Indeed. My point was really just to point out it was not required to completely open up sudo, it can be limited to specific commands.
And I think we all agree with this point.
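As an added illustration of the point made in this thread (not code from the thread or from MacPorts), here is a small audit script that reads sudoers text and flags passwordless grants that are root-equivalent by the reasoning above: a NOPASSWD entry for ALL, or a NOPASSWD entry for port, since port executes Portfile code as root. It assumes port lives at /opt/local/bin/port, does not resolve sudoers aliases, and runs against a constructed sample file.

```python
import re
from typing import Iterator, List, Set, Tuple

# Assumed MacPorts prefix; the thread does not say where the port binary lives.
PORT_BINARIES = {"/opt/local/bin/port", "port"}
# user host=(runas) [TAG:] cmd, [TAG:] cmd ...  (aliases are not resolved)
_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
Finding = Tuple[int, str, str, str]  # (line number, user spec, command, reason)

# Constructed sample; not a real sudoers file.
SUDOERS_SAMPLE = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /opt/local/bin/port
carol   ALL=(root) NOPASSWD: /usr/bin/true, PASSWD: /opt/local/bin/port
dave    ALL=(root) /opt/local/bin/port   # root-equivalent too, but prompts for a password
"""

def _commands(cmds: str) -> Iterator[Tuple[Set[str], str]]:
    """Yield (tags, command); a tag such as NOPASSWD: also applies to later commands."""
    tags: Set[str] = set()
    for raw in cmds.split(","):
        item = raw.strip()
        while ":" in item and item.split(":", 1)[0].isupper():
            tag, item = (s.strip() for s in item.split(":", 1))
            if tag == "PASSWD":
                tags.discard("NOPASSWD")
            else:
                tags.add(tag)
        yield set(tags), item

def audit_sudoers(text: str) -> List[Finding]:
    """Flag NOPASSWD grants that amount to unrestricted root."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _RULE.match(line.split("#", 1)[0].strip())  # strip comments first
        for tags, cmd in (_commands(m.group("cmds")) if m else ()):
            if "NOPASSWD" not in tags:
                continue
            if cmd == "ALL":
                findings.append((no, m.group("who"), cmd, "passwordless root for any command"))
            elif (cmd.split() or [""])[0] in PORT_BINARIES:
                findings.append((no, m.group("who"), cmd, "port runs Portfile code as root; equals ALL"))
    return findings

if __name__ == "__main__":
    for no, who, cmd, why in audit_sudoers(SUDOERS_SAMPLE):
        print(f"line {no}: {who} -> {cmd!r}: {why}")
```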