[pacman-dev] [PATCH WIP] Allow pacman to be run as a non-root user
hauptmech at gmail.com
Sat Nov 15 00:17:27 UTC 2014
I was really happy to find this post today as I have wanted to use
pacman for user package installs in the past and came back to this
William, did you take this idea any further?
I'll try to flesh out a use-case in case it helps. I am not an expert
user of makepkg or pacman.
I'm looking for a package manager to use on a multi-user system for user
installable libraries and software. (eg the RootDir would be ~/.local,
and the repo cache and database would be in the users /home path).
Implicit is that the repo database is unique to that user (on an
Archlinux system there would also be the normal system repo database).
I have a large number of users, all developing a complex software. To
partition and synchronize the work, the software is broken into a number
of library and binary packages. The package manager (pacman for the
purposes of the rest of the discussion) would speed and ease
installation of (project specific) dependencies. Since version
dependencies are handled by pacman, the build tools don't have to worry
if the correct versions of each library are installed. Deployment to
existing developers and setting up new developers is fast and deployment
in the field is the same.
Beyond the root user permissions issue that william tackled, there is
the issue that we have two domains of dependencies (system and user). At
some point the user repo will need to know that the system fulfills
some of it's dependencies.
Where I to grab williams patch and just start hacking, my approach would
be to manually generate a set of dummy packages that are empty but
'provide' the system installed packages (an empty glibc package for
instance). A pre-install script to verify that the package is actually
installed at the system level would probably be desirable.
I believe the above approach would work, letting the two package repos
do their jobs. However it's labor intensive to fill in the interface
layer of packages needed by the user repo. Having the user repo database
cascade to the system repo database would be even better (first check
for a dependency in the user repo database, and if it's not available
there, check the system repo database. If in the system, dump the system
package list to the terminal so the user can either install via sudo or
send a request to the administrator.)
Does that make sense?
>> The database directory should only ever be writeable by root. It would
>> be a major security issue otherwise (particularly as one promenant
>> distribution can still not sign databases...). So how would a user of
>> "--noroot" add a database? If we are restricting them to -U, there is
>> no need for makepkg support.
> It's a security issue if the database directory for a system is
> writeable by a non-root user, however the point of this is to allow
> makepkg and pacman to be used for non-system applications, similar to
> the way that pip can be used in a virtualenv. You would set RootDir to
> somewhere that you have write access to (/home/wgiokas/foo) and, get it
> set up for pacman (add the directories it needs) and then run it with
> --noroot. Pacman is going to error itself now if it can't write files.
>> In conclusion, I'd like to see a very well thought out plan discussed
>> before I look at code for this.
> Alright, I'll keep working on stuff. Thanks for the feedback, though.
> There's still a whole lot more that I've found that needs to be changed
> to use this to extract and work with packages as a non-root user.
More information about the pacman-dev