Hello! I am trying to execute
pacman --noconfirm -Syw --cachedir ./cache/ --dbpath ./db/ - < list.txt
However, I noticed that I keep getting permission related errors unless I comment out DownloadUser = alpm.
I didn't use the command after pacman 7 was released but apparently now my script that has this command doesn't work at all.
I tried searching around and the only thing that I could find is some forum post where someone found a workaround by commenting out DownloadUser, also tried executing command as root by switching to root via su - root.
Anything else I could do to keep DownloadUser set to alpm for both updating my local arch installation and downloading packages in a separate directory?
$ pacman -Syw --cachedir ./cache/ --dbpath ./db/ linux base --debug
debug: pacman v7.0.0 - libalpm v15.0.0
debug: config: new section 'options'
debug: config: HoldPkg: pacman
debug: config: HoldPkg: glibc
debug: config: Architecture: auto
debug: config: arch: x86_64
debug: config: sandboxuser: alpm
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: config: LocalFileSigLevel: Optional
debug: config: new section 'core'
debug: config file /etc/pacman.conf, line 78: including /etc/pacman.d/mirrorlist
debug: config: new section 'extra'
debug: config file /etc/pacman.conf, line 84: including /etc/pacman.d/mirrorlist
debug: config: finished parsing /etc/pacman.conf
debug: setup_libalpm called
debug: option 'logfile' = /var/log/pacman.log
debug: option 'gpgdir' = /etc/pacman.d/gnupg/
debug: option 'hookdir' = /etc/pacman.d/hooks/
debug: option 'cachedir' = ./cache/
debug: registering sync database 'core'
debug: database path for tree core set to /home/REDACTED/Backup/db/sync/core.db
debug: "/home/REDACTED/Backup/db/sync/core.db" is not readable: No such file or directory
debug: setting usage of 15 for core repository
debug: adding new server URL to database 'core': https://REDACTED/archlinux/core/os/x86_64
debug: registering sync database 'extra'
debug: database path for tree extra set to /home/REDACTED/Backup/db/sync/extra.db
debug: "/home/REDACTED/Backup/db/sync/extra.db" is not readable: No such file or directory
debug: setting usage of 15 for extra repository
debug: adding new server URL to database 'extra': https://REDACTED/archlinux/extra/os/x86_64
debug: option 'sandboxuser' = alpm
:: Synchronizing package databases...
debug: filesystem access has been restricted to /home/REDACTED/Backup/db/sync/download-lGyBdi/, landlock ABI is 6
debug: core.db: url is https://REDACTED/archlinux/core/os/x86_64/core.db
debug: core.db: maxsize 134217728
error: could not open file /home/REDACTED/Backup/db/sync/download-lGyBdi/core.db.part: Permission denied
debug: got error 48 at curl_add_payload (../lib/libalpm/dload.c: 797) : failed to retrieve some files
error: failed to setup a download payload for core.db
debug: curl_download_internal return code is -1
debug: failed to sync dbs: failed to retrieve some files
error: failed to synchronize all databases (failed to retrieve some files)
debug: unregistering database 'local'
debug: unregistering database 'core'
debug: unregistering database 'extra'
Offline
Another one. Once again, stop trying to put things like this in your home dir!
Offline
Another one. Once again, stop trying to put things like this in your home dir!
I mean, it's not a problem to move it, but to where should I move it all?
Offline
Also, for reference, I was following Custom local repository wiki page
Offline
That doesn't instruct you to use your $HOME, it's just being used in an example.
Wherever you put it, the alpm user needs to have access to that path, that implies writing access to the target directory and execution (entering/traversal) rights to each of its parents.
You can also use bind-mounts to facilitate this, https://bbs.archlinux.org/viewtopic.php?id=299394
Offline
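The access rule described in the post above (write access on the target directory, execute rights on each of its parents), as an added example that is not part of the original thread: a shell helper that walks from the directory up to / and lists every component a given user cannot traverse or write. It evaluates only owner/group/other mode bits (ACLs are ignored), and the function names are made up for this illustration.

```bash
#!/bin/bash
# Added example (not from the thread): list the path components that stop a
# user, e.g. pacman's DownloadUser "alpm", from reaching and writing a directory.
# Assumption: only owner/group/other mode bits are evaluated; ACLs and the
# Landlock rules pacman applies on top are out of scope.

# has_bit MODE UID "GIDS" OWNER_UID OWNER_GID BIT
# MODE as printed by `stat -c %a`; BIT: 2 = write, 1 = execute/traverse.
has_bit() {
    local uid="$2" gids="$3" ouid="$4" ogid="$5" bit="$6" m digit g
    m=$(( $1 % 1000 ))                  # drop the setuid/setgid/sticky digit
    [ "$uid" -eq 0 ] && return 0        # root bypasses mode bits
    if [ "$uid" -eq "$ouid" ]; then
        digit=$(( m / 100 ))            # owner class wins, even if stricter
    else
        digit=$(( m % 10 ))             # default class: "other"
        for g in $gids; do
            [ "$g" -eq "$ogid" ] && { digit=$(( m / 10 % 10 )); break; }
        done
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# blockers ABS_DIR UID "GIDS": print one line per problem.
# Returns 0 = clear, 1 = blocked, 2 = unusable input (relative or missing path).
blockers() {
    local target="$1" uid="$2" gids="$3" dir st mode ouid ogid rc=0
    case $target in
        /*) ;;
        # pacman(8) documents --cachedir and --dbpath as absolute paths
        *)  echo "not-absolute: $target"; return 2 ;;
    esac
    target=$(cd -- "$target" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 2; }
    dir=$target
    while :; do
        st=$(stat -c '%a %u %g' -- "$dir") || return 2
        set -- $st                      # arguments were copied to locals above
        mode=$1 ouid=$2 ogid=$3
        if [ "$dir" = "$target" ] && ! has_bit "$mode" "$uid" "$gids" "$ouid" "$ogid" 2; then
            echo "no-write: $dir (mode $mode, owner uid $ouid)"; rc=1
        fi
        if ! has_bit "$mode" "$uid" "$gids" "$ouid" "$ogid" 1; then
            echo "no-traverse: $dir (mode $mode, owner uid $ouid)"; rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# blockers_for_user ABS_DIR USER: resolve the user's uid and groups, then check.
blockers_for_user() {
    local uid gids
    uid=$(id -u "$2") || return 2
    gids=$(id -G "$2") || return 2
    blockers "$1" "$uid" "$gids"
}

# Usage: <script> /absolute/path/to/cache [user]   (user defaults to alpm)
if [ $# -ge 1 ]; then
    blockers_for_user "$1" "${2:-alpm}"
fi
```

Run it as root so every component can be inspected; an empty output with exit status 0 means the mode bits alone do not stand in the download user's way.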
Hello! I am trying to execute
pacman --noconfirm -Syw --cachedir ./cache/ --dbpath ./db/ - < list.txt
EDIT: Missed the '--dbpath' in your command, never mind partial update warning....
Last edited by NuSkool (2025-04-12 17:52:50)
Scripts I Use : https://github.com/Cody-Learner
$ grep -m1 'model name' /proc/cpuinfo : AMD Ryzen 5 PRO 2400GE w/ Radeon Vega Graphics
$ glxinfo | grep Device : Device: AMD Radeon Vega 11 Graphics (radeonsi, raven, ACO, DRM 3.61, 6.13.9-rc1) (0x15dd)
$ sudo dmesg | awk '/drm/ && /gfx/' : [ 6.427009] [drm] add ip block number 6 <gfx_v9_0>
Offline
That doesn't instruct you to use your $HOME, it's just being used in an example.
Wherever you put it, the alpm user needs to have access to that path, that implies writing access to the target directory and execution (entering/traversal) rights to each of its parents.
You can also use bind-mounts to facilitate this, https://bbs.archlinux.org/viewtopic.php?id=299394
Oh, thank you!
Searched a bit for bind mounts, they could solve the problem, but from what I understand that still requires me to create some root level directory which I don't like for my use case and it feels a bit extreme just for dumping my entire packages into .iso and .tar.gz.
To be really honest, I wish pacman had some way of straight up downloading packages like Fedora's dnf download, would've saved a lot of headache here.
For now I'll just rewrite my script to use /tmp and do some chown -R :alpm for the working directory of my script.
Btw, it seems like you have to use absolute paths in the pacman -Syw command, relative paths won't work and still throw a permission error.
I'm not too sure about the processes here, but maybe the Wiki guide I linked above should have some kind of warning telling you about this whole alpm user thing.
Offline
I wish pacman had some way of straight up downloading packages
-Sw? You can --disable-sandbox
Offline
I wish pacman had some way of straight up downloading packages
-Sw? You can --disable-sandbox
Hm, maybe I have misunderstood you? But I'm pretty sure that's what I'm already doing and that still kind of requires me to use custom cache directory where the packages would go, which also require me to deal with alpm permissions (disable sandbox flag doesn't help). I was rather referring to
dnf download
on Fedora and how it works without even really needing to be executed as root, pacman is different however and of course kind of different steps are needed to achieve the same results, unless I missed something again or didn't know about the way pacman works
Offline
You want to try this, or perhaps just pull what you want from it?
This thread motivated me to revisit/revise an old script from my collection.
Then reset old unneeded permission/ACL settings on home dir back to default.
You shouldn't need to mess with pacman.config and can use it within $HOME.
#!/bin/bash
# pppc (pacman portable pkg cache) 2025-04-16
# Depends: paccat
# Downloads packages into 'Package' directory and creates 'Packages.tar' archive.
# Run inside an empty directory. Run multiple times to add pkgs.
# Usage: pppc <packages>
# Example: pppc base base-devel
set -eu
path="$(pwd)/Packages"
if [[ ! -d Packages ]]; then
    mkdir Packages
fi
cd Packages || exit
if [[ ! -e .pacman.conf ]]; then
    paccat pacman -- pacman.conf > "${path}"/.pacman.conf
    sed -i 's/^#ParallelDownloads/ParallelDownloads/' "${path}"/.pacman.conf
    sed -i "s/^DownloadUser = alpm/DownloadUser = $USER/" "${path}"/.pacman.conf
fi
sudo pacman -Syw \
    --noconfirm \
    --needed \
    --config "${path}"/.pacman.conf \
    --cachedir "${path}" \
    --dbpath "${path}" \
    "${@}"
cd ..
tar -cf Packages.tar Packages
Yep, pacman being minimalistic just might be a design priority. A smaller, simplified code base would fall right into Arch's philosophy AFAIK.
EDIT: updated script
Last edited by NuSkool (Yesterday 23:24:11)
Offline
Did you set the DownloadUser again?
You /will/ have to get/use an updated database, otherwise you either don't know the package url or will run 404.
You can download individual packages in complete isolation, essentially abusing the web service - what's the point of this?
Offline
The pacman.conf is created and used by the script only, resides within the run dir, and is prefixed with a '.' so it won't affect the host system unless specifically called.
Therefore I didn't reset DownloadUser back to default. I suppose deleting it after use would be better though?
The DB's are created during use. It doesn't get url 404's and does work.
The script was an old (predated pacman 7), unfinished concept to create a populated pacman repo for use during offline installation.
ie: Using the official Arch install iso, have pacman use this repo installed on portable media, via pacman operations/options.
I never got past the, 'it works' (downloads packages and creates the DB's) stage though.
I disagree with the 'abusing the web service'.
After all, used for an offline install or in a custom iso, the packages are still being used for an Arch install, only the timing of fetching packages is different.
Offline
Sorry for the confusion - I wasn't commenting on your post or script at all.
Offline
Did using the --disable-sandbox flag not work?
Offline
Anything else I could do to keep DownloadUser set to alpm for both updating my local arch installation and downloading packages in a separate directory?
https://gitlab.archlinux.org/pacman/pacman/-/issues/216
Is DisableSandbox supposed to clear/UID0 the DownloadUser ?
https://gitlab.archlinux.org/pacman/pac … ad.c#L1192 hinges on sandboxuser, not handle->disable_sandbox
Offline
Did using the --disable-sandbox flag not work?
Is it supposed to work while DownloadUser is set to alpm?
$ cd /tmp
$ mkdir foobar
$ cd foobar
$ mkdir -p {db,cache}
$ sudo pacman -Syw --cachedir ./cache --dbpath ./db --disable-sandbox linux
I might be using the flag at the wrong part of the command? It kind of seems like it's not applied judging by first lines of debug output
debug: pacman v7.0.0 - libalpm v15.0.0
debug: config: new section 'options'
debug: config: HoldPkg: pacman
debug: config: HoldPkg: glibc
debug: config: Architecture: auto
debug: config: arch: x86_64
debug: config: sandboxuser: alpm
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: config: LocalFileSigLevel: Optional
this still results in an error, also noticed these errors in debug output
debug: returning error 33 from alpm_db_get_pkg (../lib/libalpm/db.c: 316) : could not find or read package
debug: setting download size 145817859 for pkg linux
debug: returning error 33 from alpm_db_get_pkg (../lib/libalpm/db.c: 316) : could not find or read package
error: could not open file ./cache/download-X0uVJx/linux-6.14.2.arch1-1-x86_64.pkg.tar.zst.part: No such file or directory
debug: got error 48 at curl_add_payload (../lib/libalpm/dload.c: 797) : failed to retrieve some files
error: failed to setup a download payload for linux-6.14.2.arch1-1-x86_64.pkg.tar.zst
debug: curl_download_internal return code is -1
warning: failed to retrieve some files
error: failed to commit transaction (failed to retrieve some files)
just some bits from the output, the "returning error 33" lines appear quite a lot, the output itself is giant wall of text tho
Offline
oh huh, kinda interesting, seems like you're supposed to use absolute paths, because this command worked just fine even with DownloadUser = alpm
sudo pacman -Syw --cachedir /tmp/foobar/cache --dbpath /tmp/foobar/db --disable-sandbox linux
I'm not exactly an expert, but maybe it's a bug? Call me delusional but I remember using my script before pacman v7 and it worked fine with relative paths, unfortunately I didn't publish the script on git, so I can't even verify it
Last edited by silverwolf (Yesterday 13:46:10)
Offline
You want to try this, or perhaps just pull what you want from it?
This thread motivated me to revisit/revise an old script from my collection.
Then reset old unneeded permission/ACL settings on home dir back to default.
You shouldn't need to mess with pacman.config and can use it within $HOME.
Thanks for sharing! It'll definitely be useful.
Also, I figured maybe people would want to see the script I'm mentioning here, here it is, although it might not be ideal, it works. I still had to create a separate directory in the root tho, because /tmp is way too small (yep, I wasn't aware of it until now).
The script itself reads list.txt with package list, list.txt should be located next to the script file. You might want to add a clean up step after creating .iso and .tar.gz so that you don't have x3 packages data stored on your drive.
#!/bin/bash
# Permission check
if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi
original_dir=$(pwd)
timestamp=$(date +"%Y-%m-%d_%H-%M-%S")
temp_dir_name="package-dump-${timestamp}"
temp_dir="/my-pacman-dumps/${temp_dir_name}"
# The script runs as root, so $USER is usually root; when started through sudo,
# hand the finished archives back to the invoking user instead
owner="${SUDO_USER:-$USER}"
# Check if list.txt exists in original directory
if [ ! -f "${original_dir}/list.txt" ]; then
    echo "File list.txt does not exist in ${original_dir}. Exiting."
    exit 1
fi
mkdir -p "${temp_dir}"
echo "Created directory: ${temp_dir}"
# Change working directory to temp_dir
cd "${temp_dir}" || { echo "Failed to change directory to ${temp_dir}"; exit 1; }
# Absolute paths, as pacman expects for --cachedir and --dbpath
cache_dir="$(pwd)/cache"
db_dir="$(pwd)/db"
if [ ! -d "${cache_dir}" ]; then
    mkdir "${cache_dir}"
    echo "Created directory: ${cache_dir}"
else
    echo "Directory cache already exists"
fi
if [ ! -d "${db_dir}" ]; then
    mkdir "${db_dir}"
    echo "Created directory: ${db_dir}"
else
    echo "Directory db already exists"
fi
# allow alpm to use the folder
sudo chown -R alpm:alpm "${temp_dir}"
if ! sudo pacman --noconfirm -Syw --cachedir "${cache_dir}" --dbpath "${db_dir}" - < "${original_dir}/list.txt"; then
    echo "pacman command failed. Exiting."
    exit 1
fi
# Create custom pacman repository
cd cache || { echo "Failed to change directory to cache"; exit 1; }
sudo repo-add ./custom.db.tar.zst ./*.pkg.tar.zst
cd ..
# Create tar.gz archive
tar_filename="${temp_dir_name}.tar.gz"
tar -czvf "${original_dir}/${tar_filename}" cache db
echo "Created tar.gz archive: ${original_dir}/${tar_filename}"
# Create ISO file
iso_filename="${temp_dir_name}.iso"
if ! sudo mkisofs -o "${original_dir}/${iso_filename}" -R -J -joliet-long "${temp_dir}"; then
    echo "Failed to make iso. Exiting."
    exit 1
fi
sudo chown "${owner}":"${owner}" "${original_dir}/${iso_filename}"
sudo chown "${owner}":"${owner}" "${original_dir}/${tar_filename}"
echo " "
echo "Done. Archives created:"
echo " - ${original_dir}/${tar_filename}"
echo " - ${original_dir}/${iso_filename}"
echo " "
Offline
Btw, it seems like you have to use absolute paths in the pacman -Syw command, relative paths won't work and still throw a permission error.
Sure nothing else changed w/ your latest attempt?
The manpage however clearly states that it has to be an absolute path, https://man.archlinux.org/man/core/pacm … en#OPTIONS
No idea whether that has changed but there was no sandboxing < 7.0
Offline
Sure nothing else changed w/ your latest attempt?
The manpage however clearly states that it has to be an absolute path, https://man.archlinux.org/man/core/pacm … en#OPTIONS
No idea whether that has changed but there was no sandboxing < 7.0
Yeah I'm pretty sure I didn't touch my pacman config since I created this thread, although honestly never noticed the absolute paths part before huh, I suppose everything works as intended then.
Although if you use pacman -S --help, it doesn't say anything about absolute paths, and I usually look at these instead of man pages tbh.
pacman -S --help
usage: pacman {-S --sync} [options] [package(s)]
options:
-b, --dbpath <path> set an alternate database location
-c, --clean remove old packages from cache directory (-cc for all)
-d, --nodeps skip dependency version checks (-dd to skip all checks)
-g, --groups view all members of a package group
(-gg to view all groups and members)
-i, --info view package information (-ii for extended information)
-l, --list <repo> view a list of packages in a repo
-p, --print print the targets instead of performing the operation
-q, --quiet show less information for query and search
-r, --root <path> set an alternate installation root
-s, --search <regex> search remote repositories for matching strings
-u, --sysupgrade upgrade installed packages (-uu enables downgrades)
-v, --verbose be verbose
-w, --downloadonly download packages but do not install/upgrade anything
-y, --refresh download fresh package databases from the server
(-yy to force a refresh even if up to date)
--arch <arch> set an alternate architecture
--asdeps install packages as non-explicitly installed
--asexplicit install packages as explicitly installed
--assume-installed <package=version>
add a virtual package to satisfy dependencies
--cachedir <dir> set an alternate package cache location
--color <when> colorize the output
--config <path> set an alternate configuration file
--confirm always ask for confirmation
--dbonly only modify database entries, not package files
--debug display debug messages
--disable-download-timeout
use relaxed timeouts for download
--disable-sandbox
disable the sandbox used for the downloader process
--gpgdir <path> set an alternate home directory for GnuPG
--hookdir <dir> set an alternate hook location
--ignore <pkg> ignore a package upgrade (can be used more than once)
--ignoregroup <grp>
ignore a group upgrade (can be used more than once)
--logfile <path> set an alternate log file
--needed do not reinstall up to date packages
--noconfirm do not ask for any confirmation
--noprogressbar do not show a progress bar when downloading files
--noscriptlet do not execute the install scriptlet if one exists
--overwrite <glob>
overwrite conflicting files (can be used more than once)
--print-format <string>
specify how the targets should be printed
--sysroot operate on a mounted guest system (root-only)
Offline
Did using the --disable-sandbox flag not work?
@ Allan It doesn't work for my script, either using option '--disable-sandbox' or uncommenting in pacman.config.
I'm working within $HOME, and getting the following error:
$ pppc base
:: Synchronizing package databases...
error: could not open file /home/jeff/Testing/5-Remote-pacman-repo/Packages/sync/download-kXWazm/core.db.part: Permission denied
error: failed to setup a download payload for core.db
error: failed to synchronize all databases (failed to retrieve some files)
What does work is:
sed -i "s/^DownloadUser = alpm/DownloadUser = $USER/" .pacman.conf
Can anyone elaborate on:
Another one. Once again, stop trying to put things like this in your home dir!
What other issues are potentially created by having a pacman cache, etc under HOME other than pacman 7 sandboxing not working with default config?
Is changing DownloadUser to USER an issue for these types of use cases? For all use cases?
My post history will show I've been trying to learn more about this since pacman 7 was released.
Although I've figured out how to work around the changes, perhaps knowing why it now "seems strongly discouraged" would be useful for everyone not knowing why?
Offline
What other issues are potentially created by having a pacman cache, etc under HOME other than pacman 7 sandboxing not working with default config?
None, but it forces you to give up on the sandbox or weaken the access rights to your $HOME - and there's little reason to put the packages in your $HOME as they're system - not user data.
You can
wget --trust-server-names 'https://archlinux.org/packages/$REPO/x86_64/$PACKAGE/download/'
to fetch a single package w/o any context, database, whatever (it's like clicking on the download link on packages.archlinux.org) but that's oc. not useful for any system maintenance (but if you want to look at a file inside the package w/o actually installing it)
Offline