You are not logged in.
I'm faced with an annoying problem. I can't find a way to provide root authentication at the beginning of a makepkg build process without running makepkg as root.
The problem is that I want to be able to build packages (in a script) and have them compile and install without my having to be bothered again. But if I don't run the script as root, makepkg -i will ask for root authentication at the very end of the build just before installation. The really annoying thing is that it will only wait five minutes before timing out and giving a "pam_authentication: communication error". This is annoying when I set things to compile and then leave for a while.
And no, I don't want to set up sudoers to allow pacman to run password free for my account.
The best solution I can think of is creating a dummy user for nothing but pacman installs and then su'ing to that user at the beginning of the script and then doing the build and install as that user.
Any better ideas? I don't like that one and its not portable if I wanted to distribute my script.
My other idea is to run the script as root, but drop priviledges for the build process and take them back only for the install. But with that I have no way of knowing which user invoked the switch to root because both UID and EUID get reset to 0. Any ideas on how to do this to work would be nice.
Offline
Do you have fakeroot installed? You don't have to be root in order to run makepkg. If you have to, then something's screwy with the PKGBUILD and you shouldn't be making it.
Just curious: you'd rather set up a separate user that you will su to instead of just setting up sudo and typing in your password for root privileges before pacman commands?
"pam_authentication: communication error" usually occurs for me when I don't put in my password for sudo after a little while.
If I'm way off then I apologize. I'm not sure I understand what exactly is going on.
Offline
makepkg doesn't require root privledges, but the installation of a package does. I can either use pacman or makepkg -i, but either way I need to escalate to root, and either way that root escalation doesn't occur until after the build process, at which point I may not be around. And if I'm not around, the prompt will only wait for five minutes before timing out.
I have fakeroot, but I need to actually install the package, only real root priv's will do.
The big thing here is if my script builds, say, five packages and I'm not around when each one completes (I usually wait for night / leave of absense to do major compiling) then I have to come back and manually install each package. It could be worse, but I'd like to be able to clear any authentication needs up front and have the script hum along as necessary while I'm gone.
Offline
Well, if you think about what installing a package actually does, you'll see that you're editing directories and files within the filesystem that you as a regular user do not have privileges to edit. In my opinion, you'd either need to be root, use sudo (as you suggested above) to run pacman without a password, or install everything to your home directory, which you, the normal user, have complete control over.
I could be wrong, but if no one else posts, this is probably fairly accurate info.
Offline
Right. The problem is in becoming root. I want my script to have root priv's at the end, for installation, but not during the build process. I want the script to execute with normal privs, but then get root privs at the end without prompting for a password.
That's why I think that dropping priviledges to the original user would be the easiest thing to do. But I don't know what user invoked the script if it's run via sudo.
Offline
Can't you do that with sudo?
As in, make a NOPASSWD for pacman for your user or some such?
EDIT: typo
Last edited by klixon (2008-07-01 21:00:21)
Stand back, intruder, or i'll blast you out of space! I am Klixon and I don't want any dealings with you human lifeforms. I'm a cyborg!
Offline
Yes, I could, but (as stated above) I don't want to do that for my normal user. I could do it for another user and su to that user for the install, but that wouldn't be portable to other machines.
Last edited by B-Con (2008-07-01 21:27:43)
Offline
How about:
+ Login as root
+ Use sudo/su to run makepkg as a normal user
+ Then run Pacman -U (as root)
If I understand you right, the problem is using the correct "normal user" in step 2. Perhaps you could store the output of `whoami`in a variable before escalating to root?
Along the lines of (not tested, probably won't work as is):
#/bin/bash
user=`whoami`
su #You now enter the root password, at the beginning of the script
su -c "$user" makepkg pkg
pacman -U pkg
exit # Don't leave a root shell lying arround
Sorry if you have already thought of this, it's rather late over here.
~Jack
Offline
True, that would work.
So I would force the user to NOT run the script as root, then get their username and immediately get root priviledges. There're many commands aside from makepkg that I don't want to run as root, though, so what I could do is immediately su to root, then su back to the original user, do all my stuff then exit the original user's subshell to get back to the root shell, then exit out of the root shell back into the script, then exit.
Kind of hack-ish, spawning two subshells just for this one feature, but I think I'll do it, unless anyone has any better ideas.
Offline
It would be more complicated, but could you fork off a separate process to run as root, and leave one running as normal user? If they can comunicate (named pipes?) the normal user one could send state information to the root one, so the root script knows when to run commands.
Depending on your paranoia level, you would have to be careful to make sure no-one else managed to write something into your pipe to exploit the root script. As long as you just sent simple numeric state codes over it, not commands to be executed, it shouldn't be too bad.
That would remove the nested subshells thing, but introduce extra processes.
P.S. I am a bit out of my depth here, so any or all of the above may be wrong.
~Jack
Offline
That's actually a good idea.
To ensure a secure pipe, I could establish a random, shared key at the beginning of the session and use that to validate communication through the pipe (I only have three variable to send through it, so its not too big a deal). I have no experience writing secure pipes, though, so I don't know if any better means exist.
It would create two processes instead of one, but with the subshells I would already be using three proccesses, so this method is actually better.
I might just try this, once I can get back to coding.
Offline
For the record, I thought of another way. One could start a sudo session in the beginning, then fork a process into the background that continuously updates the sudo timestamp via sudo -v, that way the session doesn't expire. The problem with that is that it that it means one's sudo session must be active for as long as the program is compiling/installing, which is less than ideal, especially for very long compile jobs. Also, if the user kills their sudo session anywhere else (such as via sudo -k) then this will no longer work.
It would work something like this:
while [ 1 ] ; do
sudo -v
sleep 200
done &
[...]
sudo pacman -U filename.pkg.tar.gz
Last edited by B-Con (2008-07-08 18:22:46)
Offline