Replacing “makepkg –asroot”

An alarming number of people have noticed, the pacman-4.2 release removed the --asroot option from makepkg. This means that you can no longer build packages as the root user. There are good reasons for this and the option was only included due to issue we had building under fakeroot (only the package() function gets fun under fakeroot these days, and there has been no issues with fakeroot in a while anyway).

Even if your PKGBUILD file is not malicious, there are good examples of when something goes wrong by accident. Remember the bumblebee bug that deleted /usr due to an extra space? Or just this week a steam bug that deletes a user home directory? Do you still want to run code as root? OK then… I am going to show you how not to!

Firstly, we need a build directory. I suggest /home/build. Putting this directory directly under /root will not work unless you want to relax its 700 permissions to allow the nobody user read/write access1. I suppose you could as you are running as root… but I will use /home/build. Create the directory and set permissions with the following:

mkdir /home/build
chgrp nobody /home/build
chmod g+ws /home/build
setfacl -m u::rwx,g::rwx /home/build
setfacl -d --set u::rwx,g::rwx,o::- /home/build

Not that people running makepkg as root need to know what code is doing to run it… I’ll explain what is happening here. Firstly create a /home/build directory, make it owned by the nobody group and ensure that group has write permissions. Also add the sticky flag to the group permissions so all files created in that directory also are owned by the nobody group. Then we set ACLs to ensure all files and directories created in /home/build have group read/write permissions.

Now to building you package! Get you PKGBUILD in your new build directory and run makepkg as the nobody user. You can do this using su but using sudo has the advantage of being able to alias this command. Installing sudo does not create a security risk as you are running as root! You also do not need to configure anything as root will have full sudo permissions by default2. Build your package using:

sudo -u nobody makepkg

Done… I’d add “alias makepkg='sudo -u nobody makepkg” to your ~/.bashrc so you never have to type this again.

There is still a problem here. If you download and manually extract a package sourceball, or use an AUR helper such as cower to do so, the group write permissions get lost:

[root@arya build]# cower -d pacman-git
:: pacman-git downloaded to /home/build
[root@arya build]# ls -ld pacman-git/
drwxr-xr-x+ 2 root nobody 4096 Mar 21 2013 pacman-git/

Doing “chmod -R g+w pacman-git/” will fix this. There is probably a way to avoid this – at least when manually extracting the tarball, but I have no interest in figuring it out. Otherwise, it is a two line function.

And if this does not satisfy you, revert that patch that removed --asroot. It should still revert cleanly.

1 makepkg checks directory write permissions using the full path so fails if any parent directories are not writable. I guess this could be fixed if someone was interested.

2 Note that to have makepkg install missing dependencies and install your built package without being queried the password for the nobody user (which would be difficult to answer…), you will need to configure nobody to run sudo pacman without a password.

13 thoughts on “Replacing “makepkg –asroot”

  1. Instead of suggesting quirky workarounds I would rather appreciate if Arch could stop breaking my stuff with every other update πŸ™ What’s reason behind removing –asroot feature? And, please, don’t tell me it’s to protect me from myself, I really don’t like being treated as idiot.

    • Just to add obvious…
      [root@tab3 tmp]# setfacl -d –set u::rwx,g::rwx,o::- /home/build
      setfacl: /home/build: Operation not supported
      –asroot was probably only way how to build package (and use Arch) chrooted in Android. It was not ideal, but worked quite well until this bug was introduced.

      • Why not create an user on the chroot and use su -l user. Worked fine for me on my tablet.

        • I, of course, have non-privileged user, but as fakeroot doesn’t work on Android, that user can use makepkg πŸ™

          • Oh, yes I remember I need to rebuild the Android kernel with some extra config options. Thats true.

          • I know sysv IPC does not work on Android. What about compiling fakeroot with –with-ipc=tcp?

    • You know, I’ve tried for YEARS to figure out the “I have to run as root” thing. I’ve tried for years to get an explanation from people that do this. No one has ever given a valid reason. Run as root if you want. But Arch isn’t treating you as an idiot and more than you are treating yourself that way thinking you have to run as root. (And if you just choose to because of some ignorant reason, then you’ve accepted the title willingly!)

  2. This method does not take into consideration using the `-s` flag with `makepkg`; you would have to enable `sudo` for `nobody`.

    Changes like this are a less of a blessing and much more of a curse for users who understand the risks associated with building as root (and that don’t like being told ‘as whom’ they should be building their packages). TBQH I guarantee you that if you’d actually raised this feature to a community poll, the votes would have been overwhelmingly against you.

  3. so.. i dont get it. what of this do i now need to do for a userless server running only services but needs some packages from the AUR. seriously, i am more than baffled how to approach this dilemma.

    • I have always just built the packages in a build directory is my user’s home directory, with “sudo makepkg”. When I do this, am I building the package as root, or just as my user with root permissions? Sorry if this sounds like a stupid question. I am still figuring things out on linux.