You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2024-11-02 20:35:41
- mvtab
- Member
- Registered: 2024-06-10
- Posts: 8
Weird problem with makepkg
Hi,
whenever I compile something with 'makepkg -sirc' I am prompted 3 times for a sudo password: when installing deps, when removing them, and when installing the package.
here's an asciinema: https://asciinema.org/a/wF8YwpkaZRVNSEm4GAI3R5ott
anybody got any idea how can I fix this? (as in, get it respect the system sudo timestamp)
Haec inconstantia, mutabilitasque mentis, quem non ipsa grauitate deterreat?
Offline
#2 2024-11-02 21:20:13
- seth
- Member
- Registered: 2012-09-03
- Posts: 65,078
Re: Weird problem with makepkg
This is strictly makepkg related?
sudo pacman -S cmatrix
cmatrix -abs # wait 30s, press the any key
sudo pacman -R cmatrix
sudo pacman -S cmatrix # because of course you want to have it back :Pdoes not cause this?
Online
#3 2024-11-02 21:56:31
- WorMzy
- Administrator
- From: Scotland
- Registered: 2010-06-16
- Posts: 12,848
- Website
Re: Weird problem with makepkg
sudo -lMay be helpful to see.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
#4 2024-11-02 22:56:08
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,877
Re: Weird problem with makepkg
I'm almost certain this is intentional.
from pacman NEWS file
- Drop sudo permissions after use
See https://gitlab.archlinux.org/pacman/pac … quests/180 .
In theory this could lead to 4 times sudo requires a password entry with -sirc :
installing buildtime deps
installing runtime deps
removing all installed deps
installing the build packages.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
#5 2024-11-02 23:05:54
- Allan
- Pacman
- From: Brisbane, AU
- Registered: 2007-06-09
- Posts: 11,540
- Website
Re: Weird problem with makepkg
You can set "PACMAN_AUTH='sudo' in makepkg.conf to stop that behaviour. But it does allow a rogue PKGBUILD to do what it wants...
Offline
#6 2024-11-03 09:32:07
- mvtab
- Member
- Registered: 2024-06-10
- Posts: 8
Re: Weird problem with makepkg
This is strictly makepkg related?
Yup, I only noticed it here at least. Every other sudo action works as expected.
I'm almost certain this is intentional.
The timeline does fit with when I started noticing it.
You can set "PACMAN_AUTH='sudo' in makepkg.conf to stop that behaviour. But it does allow a rogue PKGBUILD to do what it wants...
It's not disturbing me very much, I just couldn't figure it out and it was bugging me.
Thanks for the explanations guys, makes sense. At least now I know a little more what's up, I'll see how to handle it.
The problem might be in conjunction with makepkg starting to use isolation internally, I also saw a post about relevant recent makepkg updates but can't find it anymore.
Update:
Setting "PACMAN_AUTH=('sudo')" does fix the problem. What exactly are the implications of this? Doesn't makepkg try 'sudo' and 'su' anyway? And isn't 'sudo' basically safer than 'su'?
Last edited by mvtab (2024-11-03 09:53:50)
Haec inconstantia, mutabilitasque mentis, quem non ipsa grauitate deterreat?
Offline
#7 2024-11-03 12:56:13
- Allan
- Pacman
- From: Brisbane, AU
- Registered: 2007-06-09
- Posts: 11,540
- Website
Re: Weird problem with makepkg
Setting "PACMAN_AUTH=('sudo')" does fix the problem. What exactly are the implications of this? Doesn't makepkg try 'sudo' and 'su' anyway? And isn't 'sudo' basically safer than 'su'?
If a PKGBUILD has a sudo call inside it (or calls a script with a sudo call inside it), you will not be prompted for a password and thus may not notice what it is doing.
Offline
#8 2024-11-03 18:01:11
- mvtab
- Member
- Registered: 2024-06-10
- Posts: 8
Re: Weird problem with makepkg
If a PKGBUILD has a sudo call inside it (or calls a script with a sudo call inside it), you will not be prompted for a password and thus may not notice what it is doing.
I understand, so basically equivalent of running makepkg with sudo? Pretty hardcore.
Haec inconstantia, mutabilitasque mentis, quem non ipsa grauitate deterreat?
Offline
#9 2024-12-28 23:20:11
- jongeduard
- Member
- Registered: 2022-01-06
- Posts: 18
Re: Weird problem with makepkg
I'm almost certain this is intentional.
from pacman NEWS file
- Drop sudo permissions after use
See https://gitlab.archlinux.org/pacman/pac … quests/180 .
In theory this could lead to 4 times sudo requires a password entry with -sirc :
installing buildtime deps
installing runtime deps
removing all installed deps
installing the build packages.
Thanks for clarifying, because in my case this is actually a disruptive change, namely for my script which I use.
Every next updated AUR package now needs to have the password entered over again, since the script itself doesn't run as root, and only the actual installation of packages needs needed it.
I can probably fix it by doing a couple of things differently, but I just didn't expect this change.
Offline
#10 2024-12-29 11:29:26
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,877
Re: Weird problem with makepkg
It's intended to make pacman safer.
Unfortunately security and ease-of-use clash all the time and require a compromise .
The workaround of PACMAN_AUTH=('sudo')" makes this easier to use, but reduces the security.
You'll have to decide what is more important to you.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
#11 2024-12-29 14:35:10
- seth
- Member
- Registered: 2012-09-03
- Posts: 65,078
Re: Weird problem with makepkg
The change just prevents pacman from kicking down the can the road.
Arguebly makepkg should™ run an emtpy "sudo -k" to completely prevent malicious PGKBUILDs seizing pre-present creds or "sudo -N pacman" to at least allow the use of pre-given ones (which but would infect the PKGBUILD!) for pacman.
Right now it looks like you've to issue sudo creds for pacman, but evil-PKGBUILD could seize any existing sudo creds (pot. depending on the sudo config for shell isolation) while lulling the user into believing everything's ok because pacman asks for passwords?
Unfortunately I've no really good idea how to allow the desired commands to live on the same creds but exclude everything else.
A third pot. mitigation would be to redefine sudo as "sudo -k" so a dumb attacker just running "sudo" would run into that, but oc. with the awareness of the condition that's trivial to bypass.
Lastly and rather disgustingly, makepkg could read the password into a variable and use it for various "sudo -S pacman … <<< $SUDO_PASSWORD" calls - the tricky part could be to hide that variable from the PKGBUILD scripts (subshell and env -u every call?) and of course it means to store the users (or roots) password in some shell variable what is typically frowned upon.
This however would also overcome the situation where the various build stages outlast the sudo timeout.
So… pick your poison?
Online
Pages: 1