Slackware This Forum is for the discussion of Slackware Linux.
|
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
03-12-2014, 09:17 AM
|
#16
|
Senior Member
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223
Original Poster
Rep:
|
I guess I will keep using sbopkg as root and any other local slackbuild I will run with fakeroot
|
|
|
03-12-2014, 09:29 AM
|
#17
|
LQ 5k Club
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,311
Rep:
|
From http://slackbuilds.org/faq/#root
Quote:
Do I have to run the script as root?
Well, yes and no. The package must be built as root in order for the ownership and permissions to be set correctly (any usage of the chown command inside the script will fail otherwise), but you can certainly test a script by running it as a normal user. You might consider temporarily commenting any chown lines in the script if you're trying to test it as a normal user.
Don't bother whining about "security issues" or such from building as root. If you don't trust us to check the scripts for malicious activity, then please move along.
|
|
|
|
03-12-2014, 09:31 AM
|
#18
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,559
|
Quote:
Originally Posted by moisespedro
I guess I will keep using sbopkg as root and any other local slackbuild I will run with fakeroot
|
That's is what I am currently doing.
|
|
|
03-12-2014, 10:12 AM
|
#19
|
LQ Veteran
Registered: May 2008
Posts: 7,106
|
I wouldn't go as far as to say "Don't ever build as root", but I would say that if you do, understand the risks and be prepared.
I agree with Rauri, fakeroot is a useful tool, but it's not a magic bullet. I took a different approach with some of my build scripts. My scripts are designed to run as non-root and do the unpack/configure/make/make install as a non-root user (sometimes the 'install' section of the makefile needs to be patched to take out any chown/chmods that it does - fakeroot would be another way of addressing this, but I tend to patch it out instead.) Then, at the end of the build script I call a wrapper around makepkg as root via sudo. Setting any special permissions that may be necessary is deferred until the package is installed by including specific chown/chmod in the doinst.sh script instead.
It can sometimes take a little extra effort to write the build scripts this way, but the majority of packages don't need any special permissions. It's not the standard slackware or SBO approach but it works for me, and avoids a lot of the dangers of building software with root.
|
|
|
03-12-2014, 10:22 AM
|
#20
|
LQ Veteran
Registered: May 2008
Posts: 7,106
|
Quote:
Originally Posted by brianL
|
I find the slackbuilds.org view on that somewhat missing the point. I trust slackbuilds.org scripts (Well, I still give them a once over before running them, but I expect not to find any maliciousness when I do). However, do the slackbuild.org guys check every line of that massive ./configure script monstrosity or the makefile from the upstream sources for any maliciousness? I'm guessing not, and neither do I as it would be far too much effort, but I'm not going to be running it as root either, if I can help it!
And it's not just maliciousness, genuine mistakes can be just as deadly.
It's not really that I don't want to run the build script as root that is the issue, its that I don't want to run the configure/make/make install as root.
|
|
1 members found this post helpful.
|
03-12-2014, 10:48 AM
|
#21
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,559
|
I also have my own makepkg which alters the behaviour of -c, --chown such that when it is set to y it also changes file ownership to root:root. This allows me to have SlackBuilds that create root owned files packages as a regular user, without even using fakeroot.
|
|
1 members found this post helpful.
|
03-12-2014, 10:51 AM
|
#22
|
Senior Member
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,559
|
Quote:
Originally Posted by GazL
It's not really that I don't want to run the build script as root that is the issue, its that I don't want to run the configure/make/make install as root.
|
This is certainly a fair point. Maybe I'll alter my behaviour after all. So far I have not had an issue (that I am aware of) but perhaps it is better to live cautious.
|
|
|
03-12-2014, 11:15 AM
|
#23
|
LQ 5k Club
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,311
Rep:
|
And then there's this, from http://slackbuilds.org/howto/
Quote:
Step 3 - Execute the SlackBuild Script (as root)
Make the script executable with chmod if necessary:
chmod +x chemtool.SlackBuild
Then run the script:
./chemtool.SlackBuild
Note that for many builds, you will need to have a true login shell in order to have a correctly populated environment. Among other things, /usr/share/texmf/bin will not be in your PATH if you simply do "su" -- therefore, you will need to either use "su -l" when switching to root, or source the /etc/profile script after doing "su", or perhaps modifying /root/.bashrc to include necessary PATH elements.
|
I've always run SlackBuilds as root, using su -, no problems so far (touch wood, fingers crossed).
|
|
|
03-12-2014, 11:46 AM
|
#24
|
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
|
Quote:
Originally Posted by MadMaverick9
Hope you learned your lesson from all this.
You never run a build script as root. Never.
|
I am sorry, but Slackware does not support the building of packages as non-root.
You do your homework first (as non-root user) to find out how the software configuration, compilation and installation works and to catch potential pitfalls, then you write a SlackBuild script and execute that as root.
Fakeroot and ruario's makepkg variant are helpful and perfectly acceptable, but your statement " never run a build script as root" is not the correct advice for Slackware. It is your opinion and you should probably mark it as such.
Eric
|
|
2 members found this post helpful.
|
03-13-2014, 12:56 AM
|
#25
|
Member
Registered: Aug 2010
Posts: 353
Rep:
|
Quote:
your statement "never run a build script as root" .... is your opinion
|
Yes - maybe I quoted this a little bit out of context.
But I resent this being perpetrated as my opinion.
This statement has been a best practice for Unix Sys Admins for 20+ years.
And this best practice is what I was taught 20+ years ago by people who were smarter than me.
Please read the install file from gnu autoconf for example:
Quote:
When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular user, and only the 'make install' phase executed with root privileges.
|
If you want to put aside something that has been a best practice for 20+ years, that's of course your prerogative.
But please do not make it sound like this is my personal opinion.
PS: I purposely refrain from bolding certain words, even though I think they should be.
|
|
|
03-13-2014, 03:43 AM
|
#26
|
Senior Member
Registered: Dec 2008
Posts: 1,191
|
Quote:
Originally Posted by MadMaverick9
...
And this best practice is what I was taught 20+ years ago by people who were smarter than me.
...
|
Things change over time. 20+ years ago we wanted less transistors and more R/C/Ls in circuits to reduce cost, now we want less R/C/Ls and more transistors for the same purpose.
Nowadays a careful organization should have separate build machines. You may also use Linux control groups to put root into a container.
|
|
|
03-13-2014, 05:25 AM
|
#27
|
LQ 5k Club
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,311
Rep:
|
We're talking about two different things here. The need to run SlackBuilds as root, and the configure, make, make install, procedure where only make install should be done as root. That was obvious to me, did nobody else notice?
|
|
|
03-13-2014, 05:54 AM
|
#28
|
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
|
Quote:
Originally Posted by MadMaverick9
Yes - maybe I quoted this a little bit out of context.
But I resent this being perpetrated as my opinion.
This statement has been a best practice for Unix Sys Admins for 20+ years.
And this best practice is what I was taught 20+ years ago by people who were smarter than me.
Please read the install file from gnu autoconf for example:
If you want to put aside something that has been a best practice for 20+ years, that's of course your prerogative.
But please do not make it sound like this is my personal opinion.
PS: I purposely refrain from bolding certain words, even though I think they should be.
|
I apologize if my response sounded too harsh.
Let me try to phrase it better.
There is a difference between using a build script (a SlackBuild in Slackware, a SPEC file in Redhat, a PKGBUILD script in Arch etc...) and compiling a piece of software by hand.
When you are manually compiling software and installing it into the system directories (even /usr/local) it does make sense to compile using your own user account and use root only for the final "make install" step. But even then, a "make install" can break your system no matter how careful you were with the compilation process.
A build script for the distro should be seen as the tested-and-tried recipe for the system administrator, which enables him to compile and install a piece of software in a controlled fashion. A build script which has been QA-ed should be run as root without ill effect. If software compiles differently when compiled as root, compared with a non-root user, then the writer of the build script must compensate for that.
It is a matter of trust levels. If you trust the person who created the build script, then you can run it as root. The Slackware community has a "web of trust" where there are some well-known sources of trusted SlackBuild scripts. I personally do not use any script which does not originate from one of the trusted sources.
Eric
|
|
3 members found this post helpful.
|
03-13-2014, 06:38 AM
|
#29
|
LQ Veteran
Registered: May 2008
Posts: 7,106
|
Quote:
Originally Posted by brianL
We're talking about two different things here. The need to run SlackBuilds as root, and the configure, make, make install, procedure where only make install should be done as root. That was obvious to me, did nobody else notice?
|
I disagree. We're talking about one thing: following the principle of least privilege in order to reduce the risk of accidental or malicious damage to the system on which the build script is running. In this case, it was a sloppily written slackbuild script that didn't "fail safe" that has prompted this discussion, but an error in the autotools scripts or makefile(s) can do just as much damage. Hell, even the 'tar -x' could be a problem if the tarball was created with '--absolute-names'.
The irony is that it's often the 'make install' that does the damage (most commonly, when the makefile author has missed a DESTDIR reference somewhere) and that's the bit that usually needs the most privilege.
Ideally the only thing you'd want to require running as root is the installpkg command. In the scheme I'm currently following, I still need root for the 'makepkg' (which is run via sudo), but if I stopped using makepkg and started to use tar directly (with '--owner=root' and '--group=root') then I could even remove the need for that, but I prefer to stick with using the official packaging tool for obvious reasons, despite its need for root.
Last edited by GazL; 03-13-2014 at 06:40 AM.
|
|
|
03-13-2014, 12:14 PM
|
#30
|
Senior Member
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223
Original Poster
Rep:
|
Edit: oops wrong thread
Last edited by moisespedro; 03-13-2014 at 12:19 PM.
|
|
|
All times are GMT -5. The time now is 08:45 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|