You are not logged in.
- Topics: Active | Unanswered
#1 2024-05-07 15:15:25
- daniel_shub
- Member
- Registered: 2012-06-21
- Posts: 89
[SOLVED] Is calling sudo in a PKGBUILD allowed/safe
I am having trouble building https://aur.archlinux.org/packages/cockpit-file-sharing. My build user is limited on what commands it can call with sudo because of this security vulnerability: https://gitlab.archlinux.org/archlinux/ … 0e05308965
The cockpit-file-sharing AUR package calls `sudo make install RESTART_COCKPIT=1` which seems fishy to me. When I remove the sudo part, it crashes. I cannot understand the make file (https://github.com/45Drives/cockpit-fil … n/Makefile) well enough to understand where it crashes or why it needs root permissions.
Is this AUR package safe to build on a remote machine and then copy and install the package on a different machine?
Last edited by daniel_shub (2024-05-09 19:57:12)
Offline
#2 2024-05-07 15:21:41
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 12,079
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
Using sudo in a PKGBUILD is completely and totally wrong. Generally it's used to install things into the actual filesystem instead of staging them in $pkgdir, which means they're now untracked and the package isn't valid.
With a valid package, yes, building on one machine and installing on another is safe and normal. That's what's done with all packages in the repos.
Offline
#3 2024-05-07 15:35:21
- daniel_shub
- Member
- Registered: 2012-06-21
- Posts: 89
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
Thanks. That is what I thought, but wanted some confirmation before leaving a comment on the package page.
Offline
#4 2024-05-08 15:06:40
- loqs
- Member
- Registered: 2014-03-06
- Posts: 18,033
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
This is what it tries but fails to do without the use of sudo
==> Starting package()...
cp -af system_files/* /
Installing file-sharing
Creating install directory
mkdir -p /usr/share/cockpit/file-sharing
cp: cannot stat 'system_files/*'mkdir: : No such file or directory cannot create directory ‘/usr/share/cockpit/file-sharing’
: Permission denied
make: [Makefile:124: system-files-install] Error 1 (ignored)
make: *** [Makefile:104: plugin-install-file-sharing] Error 1
==> ERROR: A failure occurred in package().Online
#5 2024-05-08 18:30:55
- stanczew
- Member
- Registered: 2021-03-02
- Posts: 91
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
That's what happens when make tries to install into /usr instead of $pkgdir/usr.
I believe the make call should be replaced with:
make DESTDIR="$pkgdir" installRestarting the service after update should probably be left to the user. If it really needs to be done automatically, I'd say the relevant systemctl calls should be placed in the 'install' file.
Offline
#6 2024-05-08 18:41:01
- loqs
- Member
- Registered: 2014-03-06
- Posts: 18,033
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
If it really needs to be done automatically, I'd say the relevant systemctl calls should be placed in the 'install' file.
That can easily end up with an install script that does everything for the user the maintainer thinks should be done such as https://aur.archlinux.org/cgit/aur.git/ … ll?h=aegir
Last edited by loqs (2024-05-08 18:41:18)
Online
#7 2024-05-09 19:56:26
- daniel_shub
- Member
- Registered: 2012-06-21
- Posts: 89
Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe
@stanczew and @loqs thanks. I kindda threw up my hands and walked away when it would not build without sudo. The make file is not that complicated and seeing the error and the fix made me realize I could have provided a more helpful comment to the maintainer. Hopefully, they will update the package soon. I also saw someone make a comment on the makechrootpkg bug, so hopefully that will get resolved also.
As always, thank you everyone for your patience and help.
Offline