Re: debmake suid programs
Christoph Lameter:
> 1. In the past it was necessary to become superuser to build a package
> due to the nature of the dpkg tools. If this is wrong then please tell
> me how dpkg could work without superuser access. I have tried a number
> of ways to circumvent the issue with no success.
Correct me if I am wrong, but I think dpkg needs root privileges
only to create files with the right file ownerships/permissions in
debian/tmp (used to create a tar archive). But a tar archive is
just a regular file - the ownerships/permissions inside can be
changed by modifying it (no root privileges necessary).
I think there are several possibilities:
- when creating the package, pipe the tar archive (before gzipping)
through a program to change permissions in the tar file headers,
as specified in a permissions specification file supplied with the
package. Special files can be created as zero-length files and
their type/major/minor changed later by modifying the tar archive.
- run tar as usual, but modify dpkg to unpack files using cpio with
the -R root:root (set the ownership of all files created) option.
Then set the correct permissions in postinst. (Devices can be
created in postinst as well - just run MAKEDEV.)
The "permissions specification file" I mentioned could also be used
later to check permissions (and restore them if they ever get screwed
up, without reinstalling the whole package).
Funny, there is already a program to check/restore permissions
(ftp://sunsite.unc.edu/pub/Linux/system/Admin/fixperms.1.00.tar.gz)
and the documentation even says that it is available in Debian, but
it isn't - what is the story? It is very old, from 1994 - was there
some other distribution called Debian at that time? :-)
It would be very nice to allow building packages by any user, without
any privileges. For example, build a package on a fast machine with
a lot of disk space (but where you aren't root) and later install it
as root on your small home box...
Comments?
Marek
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
Reply to: