[pacman-dev] [PATCH] makepkg: add PACMAN_AUTH configurable setting for sudo elevation

Allan McRae allan at archlinux.org
Thu Mar 25 01:20:43 UTC 2021


On 22/3/21 1:14 pm, Eli Schwartz wrote:
> If specified, this will be used no matter what. If not, then we check if
> sudo exists and use that, or else fall back on su.
> 
> Implements FS#32621
> 
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
>  doc/makepkg.conf.5.asciidoc |  8 ++++++++
>  etc/makepkg.conf.in         |  7 +++++++
>  scripts/makepkg.sh.in       | 13 ++++++++++---
>  3 files changed, 25 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/makepkg.conf.5.asciidoc b/doc/makepkg.conf.5.asciidoc
> index 2c7a54dbf..398529158 100644
> --- a/doc/makepkg.conf.5.asciidoc
> +++ b/doc/makepkg.conf.5.asciidoc
> @@ -278,6 +278,14 @@ Options
>  	`.tar.lzo`, `.tar.lrz`, `.tar.lz4`, `.tar.lz` and `.tar.Z`, or
>  	simply `.tar` to disable compression entirely.
>  
> +**PACMAN_AUTH=()**::
> +	Specify a command prefix for running pacman as root. If unset, makepkg will
> +	check for the presence of sudo(8) and su(1) in turn, and try the first one
> +	it finds.
> +	+
> +	If present, `%q` will be replaced with the shell-quoted form of the command
> +	to run. Otherwise, the command to run is appended to the auth command.

I found "%q" a weird choice for the command when reading this, then got
even more confused with the "printf '%q ' " in the code, which is a
different %q! Would %c be better?

> +
>  
>  
>  See Also
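Review bot: The PACMAN_AUTH entry never says that the setting is a bash array or that `%q` has to be given as an array element of its own, yet run_pacman looks the placeholder up with `in_array '%q' "${PACMAN_AUTH[@]}"`. Add a sentence stating both, plus one example for each form (command appended, and `%q` placeholder), because "the command to run is appended to the auth command" alone does not tell a reader how to configure a tool that takes the command as a single `-c`-style argument.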
> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
> index 43a69df66..fff5b8eb2 100644
> --- a/etc/makepkg.conf.in
> +++ b/etc/makepkg.conf.in
> @@ -147,3 +147,10 @@ COMPRESSLZ=(lzip -c -f)
>  #
>  PKGEXT='@PKGEXT@'
>  SRCEXT='@SRCEXT@'
> +
> +#########################################################################
> +# OTHER
> +#########################################################################
> +#
> +#-- Command used to run pacman as root, instead of trying sudo and su
> +PACMAN_AUTH=()
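Review bot: The `#--` comment above `PACMAN_AUTH=()` does not mention that the value is an array or that a `%q` element is replaced by the shell-quoted pacman command, so someone editing only makepkg.conf gets no hint that the placeholder form exists. Extend the comment with one line describing `%q` and a pointer to makepkg.conf(5).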
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index f4a2de7d4..a0cd1a4fb 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -225,15 +225,22 @@ missing_source_file() {
>  }
>  
>  run_pacman() {
> -	local cmd
> +	local cmd cmdescape
>  	if [[ $1 = -@(T|Q)*([[:alpha:]]) ]]; then
>  		cmd=("$PACMAN_PATH" "$@")
>  	else
>  		cmd=("$PACMAN_PATH" "${PACMAN_OPTS[@]}" "$@")
> -		if type -p sudo >/dev/null; then
> +		cmdescape="$(printf '%q ' "${cmd[@]}")"
> +		if (( ${#PACMAN_AUTH[@]} )); then
> +			if in_array '%q' "${PACMAN_AUTH[@]}"; then
> +				cmd=("${PACMAN_AUTH[@]/\%q/$cmdescape}")
> +			else
> +				cmd=("${PACMAN_AUTH[@]}" "${cmd[@]}")
> +			fi
> +		elif type -p sudo >/dev/null; then

Can we just put sudo in PACMAN_PATH in our makepkg.conf by default?
Then we can get rid of the sudo path and just have su -c as a fallback.

We probably want a check for the binary at the start of the PACMAN_AUTH
instead of sudo in scripts/libmakepkg/executable/sudo.sh.in too.

>  			cmd=(sudo "${cmd[@]}")
>  		else
> -			cmd=(su root -c "$(printf '%q ' "${cmd[@]}")")
> +			cmd=(su root -c "$cmdescape")
>  		fi
>  		local lockfile="$(pacman-conf DBPath)/db.lck"
>  		while [[ -f $lockfile ]]; do
> 
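Review bot: The `%q` detection and the `%q` substitution in the PACMAN_AUTH branch of run_pacman do not agree on what counts as a placeholder. `in_array '%q' "${PACMAN_AUTH[@]}"` looks for an element that is `%q`, while `"${PACMAN_AUTH[@]/\%q/$cmdescape}"` replaces the first `%q` found inside every element. An element that merely contains `%q` is therefore left literal when no standalone `%q` exists (the pacman command is appended instead), and is rewritten when one does. This line builds the command that ends up running as root, so settle on one rule, for example loop over the array and replace only elements equal to `%q`, and document or reject anything else. Two smaller points: `cmdescape` keeps the trailing space from `printf '%q '`, and it is computed even when the plain sudo branch never uses it.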

