Next Nonfiction Book

I’ve made it a practice to not announce book topics or titles until the book is well underway. Writing a big book takes not less than a year (Absolute FreeBSD) and up to three years (Absolute OpenBSD, 2nd ed). Once I hand in the completed first draft to the publisher, there’s editing, tech edits, copyedit, page layout, and so on. It’s a few months to get the book into production.

Delaying the announcement also gives me the chance to determine if the book is realistic. I’ve made no secret that I write about topics that I’m not qualified to cover. I’ve had more than one tech book that I’ve started, only to discover three chapters in that I am so not the person to write this book. Delaying announcing the topic gives me a chance to back out without anybody knowing.

I’m trying something a little different this time. My next book will be published by Tilted Windmill Press (my private label) and much smaller than my BSD tomes. I have an outline. I’ve done the reading. My educational lab work is done (meaning that my rate of screaming “Why isn’t this working?” has dropped from thrice hourly to twice daily). And I’m doing a fairly wide variety of work with the topic in the next six months.

The next book is on (drum roll please): DNSSec. Blame Richard Bejtlich. (I wish I could find the tweet in question, but seriously, how am I supposed to resist him declaring “You’re our only hope?” Flattery will get you anywhere. Especially if you’ve given me enough cover quote copy to last the rest of my career.)

Writing the book concurrently with implementing DNSSec across great big piles of domains with multiple registrars should give me all sorts of problems to write about, and give my readers more benefit from my real-world pain.

I know a lot of people don’t like DNSSec, have cogent arguments why DNSSec is poo, and really wish it would go away. They take me writing a book about it as a refutation of their arguments. It’s not. But DNSSec is here. It’s the standard. We’ve got to deal with it. And the supporting software has improved to the point where DNSSec can be implemented by the typical overworked sysadmin, rather than only crypto fans.

DNSSec also gets you things like SSHFP records and vendor-free SSL certificates. The former is convenient. The latter will eliminate any excuse for unencrypted communications.

Why announce this ahead of time? For one, you’ll probably see me griping about random pieces of DNSSec boneheadedness on Twitter. The savvy will be able to guess. Announcing the book will help keep my nonfiction writing focused. It’s still possible that someone will rush a book into print ahead of me, but the shorter cycle of independent publishing reduces that risk. The audience and community reaction to SSH Mastery is also encouraging; I know that if I write a good book, my readers will tell others about it, regardless of the publisher. If someone beats me to print, my readers will still support me.

And if I write a crap book, it deserves to fail.

(As an aside: having readers who tell their friends and co-workers about my books is freaking awesome. I could not publish books if you didn’t support my work. Thank you.)

Ideally, I’ll have this book out for BSDCan 2013. Tilted Windmill Press is the BSDCan T-shirt sponsor, so having a book out for the conference would be a good idea.

More questions? Too bad. That’s all I know right now. Except that now that I’ve set and announced a goal, my life will go horribly askew specifically to delay me.

1st draft of Absolute OpenBSD, 2nd Ed. complete

Last night, I finished the first draft of the new edition of Absolute OpenBSD.

This is the longest book I’ve ever written (23 chapters). It’s taken longer than any other nonfiction book (3 years). Now that a first draft exists, I can state with some confidence that the book will be out about next spring-ish.

As a first draft exists, if I get trampled by a rabid caribou between now and then, the book will still come out.

This weekend is the first time in years that I will have had no work to do on the book. (Unless Henning sends me corrections on the few chapters he has left.) I plan to gaze blankly into space for several hours.

Absolute OpenBSD 2nd Edition status, 15 November 2012

Chapters 1-22 are written. Only chapter 23 remains.

The first 23 chapters are either in preliminary tech review (Henning Brauer), editing (No Starch Press), technical review (Peter Hansteen), or copyediting (No Starch Press). And every time any one of those folks is done, the chapter comes back to me for rewrites. Which is as it should be, of course… unlike some publishers, NSP gives me every chance to improve the book, as opposed to having some unpaid intern with a degree in medieval lit “fix” the text.

One chapter to go. Back to writing…

Easy Security Project: standalone ssh-ldap-helper

I’ve been waiting for quite a while for an official way to centrally manage user authentication keys in OpenSSH. If you have a dozen servers, copying authorized_keys files around is a pain. If you have more than that, it’s really really painful. The OpenSSH guys have had good reasons for not wanting to link LDAP libraries straight into OpenSSH. They also gave some general guidance of what they’d want to see in a patch that supported LDAP authentication.

Jan Chadima from Redhat took OpenSSH up on this, wrote a patch as per spec, and submitted it to OpenSSH. And Damien Miller committed it. LDAP support for OpenSSH will be in 6.2…

…sort of.

The patch adds support for getting a user’s authorized_keys file from a helper program. Redhat includes a helper program, ssh-ldap-helper. That program is not in the OpenSSH patch. And, truthfully, there’s no reason it should be in the main OpenSSH distribution. We’ll see helpers for LDAP, for database lookups, for FUSE and HTTP and whatever weird data storage people come up with. I don’t want the OpenSSH guys spending their time writing these helpers.

But the source code for ssh-ldap-helper is in the Red Hat source RPM. As far as I can tell, it’s under a BSD license.

If you’re looking for a way to contribute to the OpenSSH user community, however, digging into the RPM (it’s just a tarfile), extracting the included OpenSSH code, and adding the patch for ssh-ldap-helper, ssh-ldap-wrapper, and the man page is pretty easy. I got that far, after all! I imagine that someone with a little bit of knowledge could make it compile on xBSD. Or at least, it’s a place to start.

You’d make my life a lot easier. And give me more time to finish the new edition of Absolute OpenBSD. That’s what you lot want me to do with my time, isn’t it? (I’ll have a post on that status in a few days.)

I also have to give props to Red Hat on this. They had a need in OpenSSH. They were given the requirements for that need to be met in mainline OpenSSH. And they met those needs and submitted the patch. Everyone cooperated, everyone gets what they need. That is how open source should work. Given how some other open source companies and projects are behaving lately, this makes me feel pretty good about the BSD community.

Amazon Author Rank vs Writers

Amazon recently introduced Author Rank, where they list authors in order of popularity. I’ve had a lot of discussions about this feature and what it means to writers.

Amazon provides a surprising number of features for authors. Their Author Central system lets me see how many of which book sold, and where, over a given time period. There’s a neat little app that shows where in the country my books sold, according to Bookscan data. Bookscan data might not be complete, but it’s more information than my twice yearly No Starch royalty statements. I know that in the last four weeks, five of my NSP books sold in the SF-Oakland-San Jose area, and 4 in Washington, DC. That’s interesting, and for a tech author those sales numbers are not too shabby.

I choose the word “interesting” carefully. It’s interesting. But it’s not exactly useful. If these geographic sales charts show that I was consistently selling quite well in Amarillo, Texas, I might be inclined to see what’s going on down there. But the sales basically hit exactly where I expect: Silicon Valley, Washington DC, RTP, NYC, with others trailing.

An author can spend hours trawling through his sales data this way. It’s interesting, but: this data doesn’t help you sell books. It makes sense that you’d kill a couple hours the first time you get the data, but as an ongoing thing, it just takes up time. You’d be better off writing.

Author Central also gives graphs of how your books as a whole, or all your books, sell over time.

sales graph

Looking at this, I might think “Wow. What did I do the week of March 7, 2011? Why did that book do so well that week? And how can I repeat this?” The answer is, I didn’t do anything. This sales spike had nothing to do with me. I wrote a good book. Someone ordered a bunch of copies, perhaps for a test, perhaps for their company, or perhaps because the paper the book is printed on is thin and soft. All I can do is be appreciative of “the folks who bought my book,” whoever they are.

The more insidious question would be: “why have my sales dropped since then?” I have an easy answer. My print sales have dropped, but my ebook sales have increased. Also, technology books have a lifespan. I’m pleasantly stunned that the five-year-old Absolute FreeBSD is still selling this well, but I have no right to expect this trend to continue.

It’s conceivable that I might find a use for this data. If my books consistently sell well in Amarillo, a place not known for its high tech business, I’d probably want to investigate and see what’s happening down there. Perhaps I would somehow use Amarillo in a new book, to give a nod to that readership. But the data fits my expectations, so it won’t change anything I do.

Also, this graph contains data. X number of book Y sold in Week Z. Those are real numbers. Not terribly useful, but interesting.

Now consider the Amazon Author Rank graph.

rank graph

On October 5th, I was the #11,117th most popular author on Amazon. Think about that for a moment.

What is popularity? How is it calculated? What is that supposed to mean? Is that an average based on the sales of all of my books, or my sales in aggregate? How are authors ranked? Without this kind of knowledge, this chart isn’t data. It’s an arbitrary rank, no better than Klout. I’d actually find my Scalzi Number more useful; I know how that’s calculated, and hence could derive a shallow meaning from it.

This number will cause an author some kind of emotional reaction. Maybe they’re disappointed that 11,116 authors are more popular than them. Maybe they’re thrilled that hundreds of thousands of authors are less popular than them. Either way, this reaction does not help an author with their craft.

Ranking authors by some unknown popularity algorithm? It’s like high school all over again, and just as meaningful.

When this feature just came out, I exchanged tweets with other authors about it. Chris Sanders, author of Practical Packet Analysis, shared with the world that his author rank was 9425, a few thousand higher than mine.

I agree that his Practical Packet Analysis is a good book. But what am I to draw from him having a higher Amazon rank than I do?

I write the books I write. My Network Flow Analysis is the best book I can create on netflow. PPA is the best book Chris could write about Wireshark. Comparing them isn’t really possible: they’re different topics, different audiences, and completely different books. Even though both are books about networking, they are utterly different in purpose, execution, and readership.

And what does the difference mean? Does his one book sell more copies than all of my books combined? Could be. Even if his books outsell mine twenty-five to one, does it matter to me?

One of the very worst things an author can do is start comparing himself to other authors. That way lies despair and heartbreak. If I measured my success against Dean Koontz or James Patterson, or even Richard Stevens, I’d give up writing altogether. Because my books aren’t their books, my audience isn’t their audience, and my career is not their career. I write the best books I can. And my audience finds them useful enough to buy them. That’s enough.

You want to be a more popular author? Write the best books you can. Continuously work to improve your craft. Become a better author, and readers will come. Don’t get involved in high-school popularity contests, especially ones that offer no benefit to your career, your craft, or your ego.

Personally, I’m going to ignore Author Rank. I see no use for it. The best thing you can do is shut up and write.

And lest someone gets the wrong idea, I like Chris. If I get to Charleston, I plan to look him up and see if he’s free for lunch. I’m sure he knows where to get good barbeque. Mind you, he can pay for it. He’s the big-name popular author, after all.

Hey, maybe Author Rank isn’t completely useless…

Get Your Haiku Published in the new “Absolute OpenBSD”

Something weird happened as I worked on the second edition of Absolute OpenBSD: people started sending me haiku. The first edition included a haiku at the beginning of each chapter, something apropos to the topic.

TCP/IP
Learn how it fits together
You cannot escape

I reviewed the old book before outlining the new version, and the haiku made me wince. They’re mediocre at best. I considered dropping them from the new edition, or perhaps replacing them with quotes on trust, but an informal Twitter poll came out overwhelmingly in favor of the haiku. This demonstrates that computing professionals have lousy taste in poetry, or that an author is permitted no opinion on the quality of his own work. Or both.

Frankly, the haiku my fans send are better than the ones I write. Some of mine are okay, but they can’t compete with someone else’s inspiration.

So, here’s the deal:

You’ll find the outline for the second edition in my September status blog post. Each chapter needs a haiku.

Post your English-language haiku here, along with valid contact information and your name as you’d like to be credited. If your haiku is better than what I have for that chapter, I’ll use yours instead of mine. By posting your haiku here, you give me permission to use it in the book. Winners will be selected by me, at my sole discretion, based on whatever criteria I feel like using at the time. Your best bet is to amuse me.

If you don’t want to post your haiku, you can email it to me. Use the subject of “ao2e haiku” to avoid the Horrible Black Void that awaits most email I receive.

What is a haiku? Real haiku are in Japanese. I can’t use real haiku — I can’t even read real haiku. For my purposes, a haiku has:

  • 5-syllable first line, 7-syllable second line, 5-syllable third line
  • A season word (e.g., summer, snow, etc.)
  • A comparison
    You might note that my leading haiku breaks two of these three rules. It amuses me, however, which is more important than any other characteristic. But if you can follow all three rules in a haiku about packet filtering, I’ll be slightly impressed.

    Both entries and attributions must be PG-rated. As in, no obscenity. Sorry, folks, I know that obscenity is a staple in sysadmin circles, but AO2e is supposed to be a clean family book.

    I’m not limiting entries per person, but I can say that if you flood me with dozens of mediocre haiku I’ll probably miss the one awesome one you do post. (“Oh, it’s him again. Sigh.”)

    So, what’s in it for you?

    Selected haiku will appear at chapter headings in the second edition of Absolute OpenBSD, with attribution. This is your chance at eternal fame. Selected haiku-ists will get an ebook of the finished book. If I can swing a sufficient number of physical copies, I’ll give those out as well. Depends on how many winners and how many copies I get.

    Competition will remain open until I finish the first draft of the book. I’m writing frantically, hoping to get a first draft done by mid-November. If I make that deadline, the book can exist for BSDCan 2013. That would be awesome. Can I make that deadline? Dunno. I’m holding the contradictory ideas “no, that’s impossible” and “sure I can!” in my brain simultaneously.

    So, in closing:

    Lucas is lazy
    Your haiku makes him chortle?
    Get free electrons.

    Log Only sudo Failures

    The sudo(8) privilege management tool is very admin-friendly in that it logs successes and failures. I don’t really care when my users successfully use sudo. I do care when they use it unsuccessfully, however. A sudo failure indicates that either the user doesn’t know their system password, or they’re trying to use forbidden commands.

    sudo keeps logs. The interesting thing is, successful log messages are of priority notice, while unsuccessful attempts are of priority alert. This opens up an easy way to improve security and customer service.

    First, a user who cleverly gets root can edit your log files. Forward your sudo logs to your logging host. Your users should not have access to your logging host.

    Next, split your sudo logs out into two logs. You can set sudo’s syslog facility, but as I’m always short on facilities, I tend to break sudo out via program name. Here’s a syslog.conf entry.

    !sudo
    *.* /var/log/sudo
    *.alert /var/log/sudofail

    Touch the files, restart syslogd, and /var/log/sudofail will contain only password failures and attempts to run forbidden commands. The two log entries are very different.

    Sep 26 10:37:27 caddis sudo: mwlucas : command not allowed ; TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=/sbin/reboot
    Sep 26 10:53:09 caddis sudo: mwlucas : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su

    Separating this log out opens some interesting customer service possibilities. If you’re on OpenBSD, you can automatically have newsyslog email you the log of failures. Otherwise, you can set up a separate script to do that, or feed it to your alerting system, or whatever. Then have a helpdesk minion call the user in question and ask what they’re trying to do. Perhaps they’ve forgotten their password. Perhaps someone else got access to their account. Perhaps they’re having trouble. Maybe they need sudo -l explained to them.

    The end user will either feel like you’re watching out for them, or realize that your sysadmin group watches the systems very closely.

    Even if you don’t take proactive action, having sudo failures logged to a separate file simplifies digging through the logs.
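As an added example (mine, not code from the post), here is a small Python parser for the sudo log format shown above. It separates the lines the same way the syslog.conf entry does, by what sudo reports: a line carrying a free-text reason before the TTY/PWD/USER/COMMAND fields is a failure (what lands in /var/log/sudofail), a line without one is a success. It also tells the two failure kinds apart, which is the first thing the helpdesk minion wants to know before calling. The sample log is constructed from the two entries above plus an invented success line; the host and user names are placeholders.

```python
import re

# Constructed sample log: the two failure entries from the post plus one
# successful invocation (no reason field) for contrast.  Not real data.
SAMPLE_LOG = """\
Sep 26 10:37:27 caddis sudo: mwlucas : command not allowed ; TTY=ttyp0 ; PWD=/home/mwlucas ; USER=root ; COMMAND=/sbin/reboot
Sep 26 10:53:09 caddis sudo: mwlucas : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su
Sep 26 11:02:41 caddis sudo: lasnyder : TTY=ttyp1 ; PWD=/home/lasnyder ; USER=root ; COMMAND=/usr/bin/make
"""

# "Mon DD HH:MM:SS host sudo: invoker : <rest>".  <rest> is a " ; "-separated
# field list; a failure has a free-text reason ahead of the KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: "
    r"(?P<invoker>\S+) : (?P<rest>.*)$"
)
PASSWORD_RE = re.compile(r"(\d+) incorrect password attempts?")


def parse_sudo_line(line):
    """Return a dict for one sudo syslog line, or None if it is not one.

    Keys: ts, host, invoker (who ran sudo), kind, reason, attempts, plus the
    upper-case fields sudo itself logs (TTY, PWD, USER = target user, COMMAND).
    """
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "invoker": m.group("invoker"), "kind": "ok",
           "reason": None, "attempts": 0}
    for field in m.group("rest").split(" ; "):
        field = field.strip()
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            rec["reason"] = field          # only failures carry this
    if rec["reason"] is not None:
        pw = PASSWORD_RE.search(rec["reason"])
        if pw:                              # wrong system password
            rec["kind"] = "bad-password"
            rec["attempts"] = int(pw.group(1))
        elif rec["reason"] == "command not allowed":
            rec["kind"] = "forbidden-command"   # not in sudoers for this user
        else:
            rec["kind"] = "other-failure"
    return rec


def sudo_failures(log_text):
    """The records that would land in /var/log/sudofail (priority alert)."""
    records = (parse_sudo_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and r["kind"] != "ok"]


def failures_by_user(log_text):
    """Map invoking user -> [(failure kind, attempted command)], per helpdesk call."""
    out = {}
    for r in sudo_failures(log_text):
        out.setdefault(r["invoker"], []).append((r["kind"], r.get("COMMAND", "?")))
    return out


if __name__ == "__main__":
    for user, events in failures_by_user(SAMPLE_LOG).items():
        for kind, cmd in events:
            print(f"{user}: {kind} ({cmd})")
```

Feed it /var/log/sudofail and the output is the call list; feed it the full /var/log/sudo and the "ok" records stay out of the way, which is the same split the two syslog.conf lines perform on priority alone.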

    On Bogus Book Reviews

    There’s been a furor recently about authors faking reviews in one manner or another: either by buying reviews, or by sock puppetry. As nobody can generate reams of morally-outraged words like offended writers, it’s created a pretty big buzz in the publishing world. Here are my thoughts on these types of reviews. For brevity, I lump all of these reviews into a category I’m going to call “fake reviews.” It’s not strictly accurate, I know, but I can’t come up with a better phrase at the moment.

    I’m not outraged. I’ve expected this. Perhaps it’s my computer security experience, but any system that permits this kind of exploitation will be exploited. Publishing is no magic kingdom exempt from the rule of self-interest. Just because I’ve expected this, doesn’t mean I approve of it.

    Reviews are important. I depend on reviews for sales, and I depend on sales to write new books. Would I like hundreds of five-star reviews? Sure.

    Would I pay for them, or sock-puppet them? No.

    Purchasing reviews betrays a lack of confidence in your work. If your work is good, if it has an audience, that audience will find it. Eventually.

    Writing is a long game. You must have patience. In traditional publishing, a paperback book has about three months to find a readership. Today, with ebooks, online ordering, and print-on-demand, books can take years to find a readership. (My nonfiction books are different, mind you; one factor that goes into deciding if I should write a book is if I expect it to have at least a three-year lifespan. My books have considerably less time to find readers. Lucky novelist bastards.)

    The fact that I’m not willing to pay for good reviews means that I have to ask my readers for them. I walk a careful line between groveling for exposure and annoying my readers. So far, I seem to have erred on the side of not annoying my readers, but I’m OK with that. It’s better to get fewer reviews than alienate your readers.

    I send books to book reviewers. They want books to review, I want book reviews. It’s a fair trade.

    I can’t say that I would never buy a review. Never is a strong word. Purchasing a review from a reviewing business would be a business decision. But if I ever do buy reviews, they will be disclosed as such.

    On the other side of this coin:

    I occasionally review books, both on Blather and on Amazon. I frequently know the authors of these books. I don’t consider these reviews fake, but I do try to disclose my bias.

    If I review a book on this blog, it’s because I honestly think it’s awesome, or because it fills some desperate need and it’s “good enough,” or because it changed how I think about things. I review some books from No Starch Press, because they always ask me if I’m interested in their new titles. I don’t review all the books they send me. In part that’s because I’m lazy. In part it’s because I’m working on my own books. But I find the time to review the truly exceptionally awesome books they send me. (Which reminds me, I owe them a review on the Manga Guide to Linear Algebra.)

    I also review fiction books I really enjoy, but not as “Michael W Lucas, Famous-in-a-real-small-world Author.” Usually those go up under my family’s Kindle account. Do I know those authors? Some of them, sure. I’m a writer. I make friends with other writers. We sit around smoky rooms late at night, sipping absinthe and bemoaning how unfair life is to us artistic sorts. But most of my blog readers don’t really care that I think that Harry Connolly’s 20 Palaces books are unquestionably the best modern fantasy of the decade, and that everyone interested in that genre should purchase them all, immediately. You’re here for other reasons. (I have no idea what those reasons are, but they’re something about technology. Or writing. Something like that.)

    For example, I didn’t know Chris Sanders before reviewing Practical Packet Analysis. But we’ve exchanged emails several times since then, and if I ever get to his part of the world I’ll ask him if he wants to get barbeque. It’s called networking, and it makes your career go. But if he ruins the (purely hypothetical) third edition of his book, that connection won’t make me give him a five-star review. I’ll just quietly not review it.

    Same sort of thing with Peter Hansteen and his Book of PF, although my chances of getting to Norway aren’t very good. And Norway isn’t noted for its barbeque. (What do they eat in Norway, anyway? From my observations at tech conferences, the answer seems to be “beer.”)

    I occasionally write reviews about books by writers I know. It’s a small world.

    If I write a review, in any genre of book, it’s because I honestly think a book is awesome. I’ll give that book 4-5 stars. I won’t give someone a 5-star review just because I’m their friend, however.

    If I read a book and I enjoy it, but it’s not awesome, I won’t review it. Just because a book doesn’t set fire to my brain doesn’t mean that book won’t speak to someone else. In computer book terms, just because a book is about Windows 7 doesn’t mean that it’s a bad book. It’s just not for me.

    Would I ever give a book a 1-star review? Sure. If a book is unprofessionally done, I’ll excoriate it. Sentences have these things called “verbs” and “nouns,” and are built with this thing called “grammar.” If a book completely fails to meet my standards for competent wordcraft, I feel free to label it a failure.

    But usually, when I get crap in my eyes I close them.

    Absolute OpenBSD status, 9 Sep 2012

    Those who have been following my Twitter feed know most of this, but here’s the status on this book.

  • Chapters 0-10 have been sent to No Starch. They’ve done initial edits on 0-5. I’ve responded to those edits, so they’re now off for Hansteen’s tech review.
  • Chapters 11, 14, and 17 have been sent to Henning for informal review.
  • Chapters 12, 13, and 20 partially exist.
  • Other chapters are outlines, notes, fragments, script(1) sessions, etc.
  • Oh, and the Afterword exists. Mainly because it’s 90% stolen from my blog. But still, I can cross it off the list.

    Why are things written out of order? Depends on what I’m doing at the time. Also, some chapters can be written without Internet access. Otherwise, I write chapters in order.

    I believe I’ve chopped down the outline to where it needs to be for a book roughly the same size as Absolute FreeBSD. Chapter titles are subject to change. Heck, everything is subject to change.

    0: Introduction
    1: Community Support
    2: Installation Prep
    3: Installation Walk-Through
    4: Post-Install Setup
    5: Booting
    6: User Management
    7: Root, and how to avoid it
    8: Disks & Filesystems
    9: More Filesystems
    10: OpenBSD Security Features
    11: IPv4 & IPv6
    12: Network Connections
    13: Software Management
    14: /etc
    15: Maintenance
    16: Daemons (sensorsd, snmp, etc)
    17: Desktop OpenBSD (cwm, tmux, etc)
    18: Kernel Configuration
    19: Building Custom Kernels
    20: Upgrading
    21: Packet Filtering
    22: managing PF
    23: edges
    Afterword

    Trimming to this length hurt, but one of my critical design goals is to write a book small enough to hold in the bathtub. I might sometimes recommend books that exceed that limit, but they have to be freaking awesome books.

    One thing that helps is Peter Hansteen’s Book of PF. It didn’t exist when the first edition of AO came out, so I needed to do pretty exhaustive coverage into PF. My coverage of primordial PF took three chapters in the first edition, and PF and family has roughly doubled its features since then. He does an excellent deep dive into PF, so I can reduce those chapters.

    I’ve talked about word count before, but I need to stop doing that. The book has flailed around enough that the number of words I write isn’t exactly useful. I wrote 7,000 anti-words on Chapter 17 before sending it to Henning, for example.

    On the plus side, the AO2e narrator now sounds a little less Dexter Morgan and a little more BOFH. That’s probably a good thing.

    OpenBSD read-only ports tree with restrictive sudo

    The OpenBSD folks strongly encourage users to use packages for software management. Most of the time, their packages just work. But sometimes, you must use a port.

    OpenBSD includes an updated Apache 1.3 server, and recommends that everyone use it if at all possible. (There’s also nginx, which is the future platform, but it’s not quite integrated yet.) I have a Web application that only runs on Apache 2.2, so the included Web server is not an option. OpenBSD provides an Apache 2.2 package for people like me, which is very kind of them. But I need an Apache 2.2 with LDAP authentication support. That means I must build Apache 2.2 from a port.

    If I have to use ports, then I want to do so as easily as possible. When I need to upgrade my ports, I want to be able to remove /usr/ports and extract the tarball that goes with whatever snapshot I’m running. I need the ports tree to do all its work, and store all its packages, outside the ports tree itself. This means a read-only ports tree.

    I’m running the August 22 i386 snapshot everywhere. I build packages from ports on one machine and share out the package repo via NFS.

    I dislike running as root for routine tasks, like building ports on the port-building machine. The ports tree supports using sudo for privileged operations. I don’t want to be continually interrupted to enter my password, though. And I don’t want to give unlimited root access via sudo without a password. This means that I need to lock down my account on this machine to only those activities needed to build packages from ports. I readily concede that building packages requires high-level privileges, but there’s a world of difference between rm -f /usr/ports/* and rm -rf /*. Could an intruder exploit this? Absolutely. You must run make(1) as root to build a port, and you can run fdisk(8) via make. But it will protect me from operator error. And my operators make errors.

    I also want my minions to be able to build packages without giving out root. Because, you know, logging into a system and typing a command because someone else needs a package is extra work for me.

    So, how to do this?

    First, create a system group for people who may build packages. This group contains two users, myself and lasnyder. From /etc/group:

    portbuild:*:10001:mwlucas,lasnyder

    My /home partition has lots of space, so I’ll build everything there. First, we need four directories:

  • one for building stuff: /home/ports/wrkobjdir
  • one for completed packages: /home/ports/pkgrepo
  • distfiles: /home/ports/distdir
  • package plist database: /home/ports/plist

    Create these directories, and set their ownership (as well as /home/ports) for group writing.

    # chgrp portbuild /home/ports/*
    # chmod 775 /home/ports/*

    Any user in the portbuild group can write to these directories.

    Now tell the ports system about these directories. Make the following entries in /etc/mk.conf:

    WRKOBJDIR=/home/ports/wrkobjdir
    DISTDIR=/home/ports/distdir
    PACKAGE_REPOSITORY=/home/ports/pkgrepo
    PLIST_DB=/home/ports/plist
    SUDO=/usr/bin/sudo

    (The sudo isn’t necessary for the directories, but I’m not going to send you back later to add it. That would be lame.)

    Now for sudo. Give everyone in the portbuild group permission to run any command in the PORTBUILDCMDS alias.

    %portbuild ALL= NOPASSWD: PORTBUILDCMDS

    Now create the PORTBUILDCMDS alias. I built this alias iteratively: build a port, wait for the build to fail, add the missing command with the tightest restrictions that seem sensible, clean the port, and remake it. The following alias was sufficient for everything I tried:

    Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, /bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, /usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, /usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 /home/ports/*, /bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*

    Now choose a port and build it.

    # cd /usr/ports/editors/vim
    # make clean && make

    (When testing, I always clean a port before building it.)

    You might find that the build stops and you’re asked for a password. This means that sudo is trying to run a command that’s not in your command alias. Go ahead and enter your password. The build will fail, because you don’t have privileges, but you’ll get an error message in /var/log/secure. Between the error in the terminal window and the error in the log file, you should be able to figure out exactly which command failed.

    It’s impossible to know ahead of time every command that will ever be used by any port that ever exists. This iterative process is a pain at first, but once you’ve built a few ports you’ll find most of the necessary commands. The sudoers command alias I include here was sufficient to build editors/vim, which calls in python, dbus, glib, three different autoconfs, tcl/tk, CUPS, and a whole bunch of other crap. (I don’t use vim myself, mind you, but if you want a port that hauls in whole bunches of stuff, it’s a good choice. I could have built Emacs, but I wanted the build to finish today.)
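An added example, not from the post: a Python audit of the PORTBUILDCMDS alias above, applying the two sudoers(5) argument-matching rules that decide how much each entry really grants. An entry with no arguments listed matches any arguments, so /usr/bin/make and /usr/bin/env there are full root in practice, exactly as the post says of make. An entry whose arguments contain a * is matched with fnmatch(3), and sudoers(5) documents that the wildcard also matches white space, so wildcard entries are looser than they read. The alias text is copied from the post; the list of binaries that exist to run other programs is my own assumption, not something the post states.

```python
# Constructed copy of the Cmnd_Alias line from the post (sudoers(5) syntax).
PORTBUILD_ALIAS = (
    "Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, "
    "/bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, "
    "/usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, "
    "/usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 /home/ports/*, "
    "/bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*"
)

# Programs whose job is to run other programs.  Granted without argument
# restrictions they are full root, as the post notes for make(1).
# Assumption: this list is mine, not the post's.
RUNS_OTHER_PROGRAMS = {"make", "env", "perl", "sh"}


def parse_cmnd_alias(line):
    """Return (alias name, [entries]) from a one-line Cmnd_Alias definition."""
    head, sep, body = line.partition("=")
    if not sep or not head.startswith("Cmnd_Alias"):
        raise ValueError("not a Cmnd_Alias line")
    name = head.split()[1]
    entries = [e.strip() for e in body.split(",") if e.strip()]
    return name, entries


def classify(entry):
    """sudoers matching: no args listed = any args; '*' in args = glob match."""
    parts = entry.split(None, 1)
    if len(parts) == 1:
        return "any-args"
    return "wildcard-args" if "*" in parts[1] else "exact-args"


def audit(line):
    """Categorise every entry and pull out the ones worth a second look."""
    name, entries = parse_cmnd_alias(line)
    categories = {e: classify(e) for e in entries}
    full_root = [e for e in entries
                 if categories[e] == "any-args"
                 and e.rsplit("/", 1)[-1] in RUNS_OTHER_PROGRAMS]
    # sudoers(5): a wildcard in arguments matches across white space, so the
    # pattern admits more argument strings than a shell glob would suggest.
    wildcard = [e for e in entries if categories[e] == "wildcard-args"]
    return {"alias": name, "categories": categories,
            "full_root": full_root, "wildcard": wildcard}


if __name__ == "__main__":
    report = audit(PORTBUILD_ALIAS)
    print(f"{report['alias']}: {len(report['categories'])} entries")
    for entry, cat in report["categories"].items():
        print(f"  {cat:14} {entry}")
    print("effectively unrestricted root:", report["full_root"])
    print("wildcard arguments (match white space):", report["wildcard"])
```

The point of the report is not that the alias is wrong for its purpose (the post is explicit that it protects against operator error, not intruders) but that a reader copying it should know which entries carry the real weight: with make in the any-args column, the remaining thirteen entries change nothing about what a compromised portbuild account can do, and tightening them is effort better spent elsewhere.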

    In building the first port, the ports system creates a temp directory, /tmp/portslocks. The ports system doesn’t use sudo to access this directory, and the directory is owned by the user who built the first port on this system. Change the group and assign group privileges to this directory.

    # chgrp portbuild /tmp/portslocks/
    # chmod 775 /tmp/portslocks/

    (Is this a bug, or a feature? I dunno. But I’m sure that some reader will tell me.)

    It seems that not all ports can be built without running as root. This isn’t a usual configuration, so I’m not shocked that not all code paths are tested — especially when building random software from random authors. When I tried to build devel/autoconf/2.59, I got:

    ===> Building package for autoconf-2.59p3
    Create /home/ports/pkgrepo/i386/all/autoconf-2.59p3.tgz
    Warning: @option no-default-conflict without @conflict
    mv: rename /home/ports/pkgrepo/i386/tmp/autoconf-2.59p3.tgz to /home/ports/pkgrepo/i386/all/autoconf-2.59p3.tgz: Permission denied
    *** Error code 1

    I reported the error to ports@ like a good little user. It’s a holiday weekend, so I’m also not surprised I haven’t heard back.

    I only hit this error after building fifty-odd ports, though. It appears that limited sudo permissions are doable.