[pacman-dev] [PATCH] makepkg: add PACMAN_AUTH configurable setting for sudo elevation
Eli Schwartz
eschwartz at archlinux.org
Thu Mar 25 02:39:14 UTC 2021
On 3/24/21 9:20 PM, Allan McRae wrote:
> On 22/3/21 1:14 pm, Eli Schwartz wrote:
>> If specified, this will be used no matter what. If not, then we check if
>> sudo exists and use that, or else fall back on su.
>>
>> Implements FS#32621
>>
>> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
>> ---
>> doc/makepkg.conf.5.asciidoc | 8 ++++++++
>> etc/makepkg.conf.in | 7 +++++++
>> scripts/makepkg.sh.in | 13 ++++++++++---
>> 3 files changed, 25 insertions(+), 3 deletions(-)
>>
>> diff --git a/doc/makepkg.conf.5.asciidoc b/doc/makepkg.conf.5.asciidoc
>> index 2c7a54dbf..398529158 100644
>> --- a/doc/makepkg.conf.5.asciidoc
>> +++ b/doc/makepkg.conf.5.asciidoc
>> @@ -278,6 +278,14 @@ Options
>> `.tar.lzo`, `.tar.lrz`, `.tar.lz4`, `.tar.lz` and `.tar.Z`, or
>> simply `.tar` to disable compression entirely.
>>
>> +**PACMAN_AUTH=()**::
>> + Specify a command prefix for running pacman as root. If unset, makepkg will
>> + check for the presence of sudo(8) and su(1) in turn, and try the first one
>> + it finds.
>> + +
>> + If present, `%q` will be replaced with the shell-quoted form of the command
>> + to run. Otherwise, the command to run is appended to the auth command.
>
> I found "%q" a weird choice for the command when reading this, then got
> even more confused with the "printf '%q ' " in the code, which is a
> different %q! Would %c be better?
I forget why I picked it (but now it seems weird to me too), and don't
much care what we use. Sure.
>> See Also
>> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
>> index 43a69df66..fff5b8eb2 100644
>> --- a/etc/makepkg.conf.in
>> +++ b/etc/makepkg.conf.in
>> @@ -147,3 +147,10 @@ COMPRESSLZ=(lzip -c -f)
>> #
>> PKGEXT='@PKGEXT@'
>> SRCEXT='@SRCEXT@'
>> +
>> +#########################################################################
>> +# OTHER
>> +#########################################################################
>> +#
>> +#-- Command used to run pacman as root, instead of trying sudo and su
>> +PACMAN_AUTH=()
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index f4a2de7d4..a0cd1a4fb 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -225,15 +225,22 @@ missing_source_file() {
>> }
>>
>> run_pacman() {
>> - local cmd
>> + local cmd cmdescape
>> if [[ $1 = -@(T|Q)*([[:alpha:]]) ]]; then
>> cmd=("$PACMAN_PATH" "$@")
>> else
>> cmd=("$PACMAN_PATH" "${PACMAN_OPTS[@]}" "$@")
>> - if type -p sudo >/dev/null; then
>> + cmdescape="$(printf '%q ' "${cmd[@]}")"
>> + if (( ${#PACMAN_AUTH[@]} )); then
>> + if in_array '%q' "${PACMAN_AUTH[@]}"; then
>> + cmd=("${PACMAN_AUTH[@]/\%q/$cmdescape}")
>> + else
>> + cmd=("${PACMAN_AUTH[@]}" "${cmd[@]}")
>> + fi
>> + elif type -p sudo >/dev/null; then
>
> Can we just put sudo in PACMAN_PATH in our makepkg.conf by deafult.
> Then we can get rid of the sudo path and just have su -c as a fallback.
>
> We probably want a check for the binary at the start of the PACMAN_AUTH
> instead of sudo in scripts/libmakepkg/executable/sudo.sh.in too.
The current implementation was supposed to assume that the users know
what they are doing in setting PACMAN_AUTH to non-default values, and
refrain from second-guessing them by erroring rather than trying su as a
fallback (they explicitly asked for it, don't try something else instead).
sudo is our attempt to gracefully pick our recommended tool
automatically, if needed/available.
That being said, I guess at a minimum, executable_sudo() should not warn
you if:
- sudo is not installed
- PACMAN_AUTH is set to something you installed
>> cmd=(sudo "${cmd[@]}")
>> else
>> - cmd=(su root -c "$(printf '%q ' "${cmd[@]}")")
>> + cmd=(su root -c "$cmdescape")
>> fi
>> local lockfile="$(pacman-conf DBPath)/db.lck"
>> while [[ -f $lockfile ]]; do
>>
--
Eli Schwartz
Bug Wrangler and Trusted User
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20210324/96716b80/attachment.sig>
More information about the pacman-dev
mailing list