LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 03-12-2014, 09:17 AM   #16
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,139

Original Poster
Rep: Reputation: 151Reputation: 151

I guess I will keep using sbopkg as root and any other local slackbuild I will run with fakeroot
 
Old 03-12-2014, 09:29 AM   #17
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,139
Blog Entries: 52

Rep: Reputation: Disabled
From http://slackbuilds.org/faq/#root
Quote:
Do I have to run the script as root?

Well, yes and no. The package must be built as root in order for the ownership and permissions to be set correctly (any usage of the chown command inside the script will fail otherwise), but you can certainly test a script by running it as a normal user. You might consider temporarily commenting any chown lines in the script if you're trying to test it as a normal user.
Don't bother whining about "security issues" or such from building as root. If you don't trust us to check the scripts for malicious activity, then please move along.
 
Old 03-12-2014, 09:31 AM   #18
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,902

Rep: Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963
Quote:
Originally Posted by moisespedro View Post
I guess I will keep using sbopkg as root and any other local slackbuild I will run with fakeroot
That's is what I am currently doing.
 
Old 03-12-2014, 10:12 AM   #19
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026
I wouldn't go as far as to say "Don't ever build as root", but I would say that if you do, understand the risks and be prepared.


I agree with Rauri, fakeroot is a useful tool, but it's not a magic bullet. I took a different approach with some of my build scripts. My scripts are designed to run as non-root and do the unpack/configure/make/make install as a non-root user (sometimes the 'install' section of the makefile needs to be patched to take out any chown/chmods that it does - fakeroot would be another way of addressing this, but I tend to patch it out instead.) Then, at the end of the build script I call a wrapper around makepkg as root via sudo. Setting any special permissions that may be necessary is deferred until the package is installed by including specific chown/chmod in the doinst.sh script instead.

It can sometimes take a little extra effort to write the build scripts this way, but the majority of packages don't need any special permissions. It's not the standard slackware or SBO approach but it works for me, and avoids a lot of the dangers of building software with root.
 
Old 03-12-2014, 10:22 AM   #20
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026
Quote:
Originally Posted by brianL View Post

I find the slackbuilds.org view on that somewhat missing the point. I trust slackbuilds.org scripts (Well, I still give them a once over before running them, but I expect not to find any maliciousness when I do). However, do the slackbuild.org guys check every line of that massive ./configure script monstrosity or the makefile from the upstream sources for any maliciousness? I'm guessing not, and neither do I as it would be far too much effort, but I'm not going to be running it as root either, if I can help it!

And it's not just maliciousness, genuine mistakes can be just as deadly.


It's not really that I don't want to run the build script as root that is the issue, its that I don't want to run the configure/make/make install as root.
 
1 members found this post helpful.
Old 03-12-2014, 10:48 AM   #21
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,902

Rep: Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963
I also have my own makepkg which alters the behaviour of -c, --chown such that when it is set to y it also changes file ownership to root:root. This allows me to have SlackBuilds that create root owned files packages as a regular user, without even using fakeroot.
 
1 members found this post helpful.
Old 03-12-2014, 10:51 AM   #22
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,902

Rep: Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963Reputation: 963
Quote:
Originally Posted by GazL View Post
It's not really that I don't want to run the build script as root that is the issue, its that I don't want to run the configure/make/make install as root.
This is certainly a fair point. Maybe I'll alter my behaviour after all. So far I have not had an issue (that I am aware of) but perhaps it is better to live cautious.
 
Old 03-12-2014, 11:15 AM   #23
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,139
Blog Entries: 52

Rep: Reputation: Disabled
And then there's this, from http://slackbuilds.org/howto/
Quote:
Step 3 - Execute the SlackBuild Script (as root)

Make the script executable with chmod if necessary:

chmod +x chemtool.SlackBuild

Then run the script:

./chemtool.SlackBuild

Note that for many builds, you will need to have a true login shell in order to have a correctly populated environment. Among other things, /usr/share/texmf/bin will not be in your PATH if you simply do "su" -- therefore, you will need to either use "su -l" when switching to root, or source the /etc/profile script after doing "su", or perhaps modifying /root/.bashrc to include necessary PATH elements.
I've always run SlackBuilds as root, using su -, no problems so far (touch wood, fingers crossed).
 
Old 03-12-2014, 11:46 AM   #24
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,384

Rep: Reputation: Disabled
Quote:
Originally Posted by MadMaverick9 View Post
Hope you learned your lesson from all this.

You never run a build script as root. Never.
I am sorry, but Slackware does not support the building of packages as non-root.
You do your homework first (as non-root user) to find out how the software configuration, compilation and installation works and to catch potential pitfalls, then you write a SlackBuild script and execute that as root.

Fakeroot and ruario's makepkg variant are helpful and perfectly acceptable, but your statement "never run a build script as root" is not the correct advice for Slackware. It is your opinion and you should probably mark it as such.

Eric
 
2 members found this post helpful.
Old 03-13-2014, 12:56 AM   #25
MadMaverick9
Member
 
Registered: Aug 2010
Location: Here
Distribution: Slackware 14.0
Posts: 147

Rep: Reputation: Disabled
Quote:
your statement "never run a build script as root" .... is your opinion
Yes - maybe I quoted this a little bit out of context.

But I resent this being perpetrated as my opinion.

This statement has been a best practice for Unix Sys Admins for 20+ years.

And this best practice is what I was taught 20+ years ago by people who were smarter than me.

Please read the install file from gnu autoconf for example:
Quote:
When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular user, and only the 'make install' phase executed with root privileges.
If you want to put aside something that has been a best practice for 20+ years, that's of course your prerogative.

But please do not make it sound like this is my personal opinion.

PS: I purposely refrain from bolding certain words, even though I think they should be.
 
Old 03-13-2014, 03:43 AM   #26
guanx
Senior Member
 
Registered: Dec 2008
Posts: 1,014

Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by MadMaverick9 View Post
...
And this best practice is what I was taught 20+ years ago by people who were smarter than me.
...
Things change over time. 20+ years ago we wanted less transistors and more R/C/Ls in circuits to reduce cost, now we want less R/C/Ls and more transistors for the same purpose.

Nowadays a careful organization should have separate build machines. You may also use Linux control groups to put root into a container.
 
Old 03-13-2014, 05:25 AM   #27
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,139
Blog Entries: 52

Rep: Reputation: Disabled
We're talking about two different things here. The need to run SlackBuilds as root, and the configure, make, make install, procedure where only make install should be done as root. That was obvious to me, did nobody else notice?
 
Old 03-13-2014, 05:54 AM   #28
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,384

Rep: Reputation: Disabled
Quote:
Originally Posted by MadMaverick9 View Post
Yes - maybe I quoted this a little bit out of context.

But I resent this being perpetrated as my opinion.

This statement has been a best practice for Unix Sys Admins for 20+ years.

And this best practice is what I was taught 20+ years ago by people who were smarter than me.

Please read the install file from gnu autoconf for example:

If you want to put aside something that has been a best practice for 20+ years, that's of course your prerogative.

But please do not make it sound like this is my personal opinion.

PS: I purposely refrain from bolding certain words, even though I think they should be.
I apologize if my response sounded too harsh.
Let me try to phrase it better.

There is a difference between using a build script (a SlackBuild in Slackware, a SPEC file in Redhat, a PKGBUILD script in Arch etc...) and compiling a piece of software by hand.
When you are manually compiling software and installing it into the system directories (even /usr/local) it does make sense to compile using your own user account and use root only for the final "make install" step. But even then, a "make install" can break your system no matter how careful you were with the compilation process.

A build script for the distro should be seen as the tested-and-tried recipe for the system administrator, which enables him to compile and install a piece of software in a controlled fashion. A build script which has been QA-ed should be run as root without ill effect. If software compiles differently when compiled as root, compared with a non-root user, then the writer of the build script must compensate for that.
It is a matter of trust levels. If you trust the person who created the build script, then you can run it as root. The Slackware community has a "web of trust" where there are some well-known sources of trusted SlackBuild scripts. I personally do not use any script which does not originate from one of the trusted sources.

Eric
 
3 members found this post helpful.
Old 03-13-2014, 06:38 AM   #29
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026
Quote:
Originally Posted by brianL View Post
We're talking about two different things here. The need to run SlackBuilds as root, and the configure, make, make install, procedure where only make install should be done as root. That was obvious to me, did nobody else notice?
I disagree. We're talking about one thing: following the principle of least privilege in order to reduce the risk of accidental or malicious damage to the system on which the build script is running. In this case, it was a sloppily written slackbuild script that didn't "fail safe" that has prompted this discussion, but an error in the autotools scripts or makefile(s) can do just as much damage. Hell, even the 'tar -x' could be a problem if the tarball was created with '--absolute-names'.

The irony is that it's often the 'make install' that does the damage (most commonly, when the makefile author has missed a DESTDIR reference somewhere) and that's the bit that usually needs the most privilege.

Ideally the only thing you'd want to require running as root is the installpkg command. In the scheme I'm currently following, I still need root for the 'makepkg' (which is run via sudo), but if I stopped using makepkg and started to use tar directly (with '--owner=root' and '--group=root') then I could even remove the need for that, but I prefer to stick with using the official packaging tool for obvious reasons, despite its need for root.

Last edited by GazL; 03-13-2014 at 06:40 AM.
 
Old 03-13-2014, 12:14 PM   #30
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,139

Original Poster
Rep: Reputation: 151Reputation: 151
Edit: oops wrong thread

Last edited by moisespedro; 03-13-2014 at 12:19 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
switch to root user jlpeng Linux - Newbie 7 10-07-2013 03:13 AM
switch to root user bdavide Linux - Newbie 14 05-20-2008 08:44 PM
How do I switch to root user binarybob0001 Programming 4 11-26-2007 04:26 AM
How do you switch to root user barrythai Ubuntu 19 04-13-2007 12:55 PM
How switch root to another user? Xiangbuilder Linux - Newbie 1 09-15-2003 08:19 AM


All times are GMT -5. The time now is 06:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration