You are not logged in.

#1 2024-05-07 15:15:25

daniel_shub
Member
Registered: 2012-06-21
Posts: 85

[SOLVED] Is calling sudo in a PKGBUILD allowed/safe

I am having trouble building https://aur.archlinux.org/packages/cockpit-file-sharing. My build user is limited on what commands it can call with sudo because of this security vulnerability: https://gitlab.archlinux.org/archlinux/ … 0e05308965

The cockpit-file-sharing AUR package calls `sudo make install RESTART_COCKPIT=1` which seems fishy to me. When I remove the sudo part, it crashes. I cannot understand the make file (https://github.com/45Drives/cockpit-fil … n/Makefile) well enough to understand where it crashes or why it needs root permissions.

Is this AUR package safe to build on a remote machine and then copy and install the package on a different machine?

Last edited by daniel_shub (2024-05-09 19:57:12)

Offline

#2 2024-05-07 15:21:41

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,722

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

Using sudo in a PKGBUILD is completely and totally wrong. Generally it's used to install things into the actual filesystem instead of staging them in $pkgdir, which means they're now untracked and the package isn't valid.

With a valid package, yes, building on one machine and installing on another is safe and normal. That's what's done with all packages in the repos.

Offline

#3 2024-05-07 15:35:21

daniel_shub
Member
Registered: 2012-06-21
Posts: 85

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

Thanks. That is what I thought, but wanted some confirmation before leaving a comment on the package page.

Offline

#4 2024-05-08 15:06:40

loqs
Member
Registered: 2014-03-06
Posts: 17,719

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

This is what it tries but fails to do without the use of sudo

==> Starting package()...
cp -af system_files/* /
Installing file-sharing
Creating install directory
mkdir -p /usr/share/cockpit/file-sharing
cp: cannot stat 'system_files/*'mkdir: : No such file or directory cannot create directory ‘/usr/share/cockpit/file-sharing’
: Permission denied
make: [Makefile:124: system-files-install] Error 1 (ignored)
make: *** [Makefile:104: plugin-install-file-sharing] Error 1
==> ERROR: A failure occurred in package().

Offline

#5 2024-05-08 18:30:55

stanczew
Member
Registered: 2021-03-02
Posts: 64

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

That's what happens when make tries to install into /usr instead of $pkgdir/usr.

I believe the make call should be replaced with:

make DESTDIR="$pkgdir" install

Restarting the service after update should probably be left to the user. If it really needs to be done automatically, I'd say the relevant systemctl calls should be placed in the 'install' file.

Offline

#6 2024-05-08 18:41:01

loqs
Member
Registered: 2014-03-06
Posts: 17,719

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

stanczew wrote:

If it really needs to be done automatically, I'd say the relevant systemctl calls should be placed in the 'install' file.

That can easily end up with an install script that does everything for the user the maintainer thinks should be done such as https://aur.archlinux.org/cgit/aur.git/ … ll?h=aegir

Last edited by loqs (2024-05-08 18:41:18)

Offline

#7 2024-05-09 19:56:26

daniel_shub
Member
Registered: 2012-06-21
Posts: 85

Re: [SOLVED] Is calling sudo in a PKGBUILD allowed/safe

@stanczew and @loqs thanks. I kindda threw up my hands and walked away when it would not build without sudo. The make file is not that complicated and seeing the error and the fix made me realize I could have provided a more helpful comment to the maintainer. Hopefully, they will update the package soon. I also saw someone make a comment on the makechrootpkg bug, so hopefully that will get resolved also.

As always, thank you everyone for your patience and help.

Offline

Board footer

Powered by FluxBB