[pacman-dev] [PATCH WIP] Allow pacman to be run as a non-root user

William Giokas 1007380 at gmail.com
Mon Mar 3 23:02:08 EST 2014


On Tue, Mar 04, 2014 at 01:38:17PM +1000, Allan McRae wrote:
> <snip>
> 
> > diff --git a/src/pacman/util.c b/src/pacman/util.c
> > index d42e27b..d10bc7d 100644
> > --- a/src/pacman/util.c
> > +++ b/src/pacman/util.c
> > @@ -102,6 +102,9 @@ int trans_release(void)
> >  
> >  int needs_root(void)
> >  {
> > +	if(config->noroot == 1) {
> > +		return 0;
> > +	}
> >  	switch(config->op) {
> >  		case PM_OP_DATABASE:
> >  			return 1;
> > 
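Review bot: The early return added at the top of needs_root() skips the root requirement for every operation, including the PM_OP_DATABASE case that returns 1 just below it, and nothing in the hunk verifies that the caller can write to the paths the operation will touch. Consider returning 0 only after a write-access check on the configured directories succeeds, and decide explicitly whether database operations should be exempted at all. Style: noroot is used as a flag, so `if(config->noroot)` is clearer than comparing against 1.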
> 
> pacman -S --noroot glibc   ->   BOOM!
> 
> Well, boom being pacman errors out during package extraction.  At a
> minimum, I would expect pacman to check whether I can write to all the
> directories in the package file.

Currently it's not doing any of that checking in order to make things
somewhat simpler for me. I've barely written anything in C before, so
this is basically me experimenting a little bit to get a POC. Another
thing that could happen is just a check of the RootDir, DBPath... and
others that pacman uses. This way --noroot would almost not even be
needed, as simply setting RootDir and the other options to
user-writeable paths would allow them to run this without issue.
(Obviously it would still error out if it's unable to write to
directories below that, though, but as root you won't have that problem
and as a user you should keep a handle on that problem).

> The database directory should only ever be writeable by root.  It would
> be a major security issue otherwise (particularly as one prominent
> distribution can still not sign databases...).  So how would a user of
> "--noroot" add a database?   If we are restricting them to -U, there is
> no need for makepkg support.

It's a security issue if the database directory for a system is
writeable by a non-root user, however the point of this is to allow
makepkg and pacman to be used for non-system applications, similar to
the way that pip can be used in a virtualenv. You would set RootDir to
somewhere that you have write access to (/home/wgiokas/foo) and get it
set up for pacman (add the directories it needs) and then run it with
--noroot. Pacman is going to error itself now if it can't write files.

> In conclusion, I'd like to see a very well thought out plan discussed
> before I look at code for this.

Alright, I'll keep working on stuff. Thanks for the feedback, though.
There's still a whole lot more that I've found that needs to be changed
to use this to extract and work with packages as a non-root user.

Thanks,

-- 
William Giokas | KaiSforza | http://kaictl.net/
GnuPG Key: 0x73CD09CF
Fingerprint: F73F 50EF BBE2 9846 8306  E6B8 6902 06D8 73CD 09CF
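
The up-front check discussed in this thread (write access to RootDir and DBPath, plus a database directory that no other user can modify), as an added example that is not part of the original post or of pacman. The names `check_dir` and `noroot_preflight` and the status values are hypothetical, and the check is advisory only, since permissions can change between the check and the actual write.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dir_status { DIR_OK, DIR_MISSING, DIR_NOT_DIR, DIR_NOT_WRITABLE, DIR_UNSAFE };

/* Hypothetical helper (not pacman code): can the effective user create files
 * in dir and, if require_private is set, is dir closed to every other user? */
enum dir_status check_dir(const char *dir, int require_private)
{
	struct stat st;
	if(stat(dir, &st) != 0) return DIR_MISSING;
	if(!S_ISDIR(st.st_mode)) return DIR_NOT_DIR;
	/* AT_EACCESS tests the effective uid, the one used when files are written. */
	if(faccessat(AT_FDCWD, dir, W_OK | X_OK, AT_EACCESS) != 0) return DIR_NOT_WRITABLE;
	if(require_private && (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))))
		return DIR_UNSAFE;
	return DIR_OK;
}

/* Returns 0 when both paths pass. The database directory must be private:
 * anyone who can write there can replace the package databases. */
int noroot_preflight(const char *rootdir, const char *dbpath)
{
	enum dir_status root = check_dir(rootdir, 0), db = check_dir(dbpath, 1);

	if(root != DIR_OK)
		fprintf(stderr, "error: cannot use root dir %s (status %d)\n", rootdir, root);
	if(db != DIR_OK)
		fprintf(stderr, "error: cannot use db path %s (status %d)\n", dbpath, db);
	return (root == DIR_OK && db == DIR_OK) ? 0 : -1;
}

int main(int argc, char *argv[])
{
	if(argc != 3) {
		fprintf(stderr, "usage: %s <rootdir> <dbpath>\n", argv[0]);
		return EXIT_FAILURE;
	}
	return noroot_preflight(argv[1], argv[2]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```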