
Re: debmake suid programs

Christoph Lameter:
> 1. In the past it was necessary to become superuser to build a package
>    due to the nature of the dpkg tools. If this is wrong then please tell
>    me how dpkg could work without superuser access. I have tried a number
>    of ways to circumvent the issue with no success.

Correct me if I am wrong, but I think dpkg needs root privileges
only to create files with the right file ownerships/permissions in
debian/tmp (used to create a tar archive).  But a tar archive is
just a regular file - the ownerships/permissions inside can be
changed by modifying it (no root privileges necessary).

I think there are several possibilities:

 - when creating the package, pipe the tar archive (before gzipping)
   through a program to change permissions in the tar file headers,
   as specified in a permissions specification file supplied with the
   package.  Special files can be created as zero-length files and
   their type/major/minor changed later by modifying the tar archive.

 - run tar as usual, but modify dpkg to unpack files using cpio with
   the -R root:root (set the ownership of all files created) option.
   Then set the correct permissions in postinst.  (Devices can be
   created in postinst as well - just run MAKEDEV.)

The "permissions specification file" I mentioned could also be used
later to check permissions (and restore them if they ever get screwed
up, without reinstalling the whole package).

Funny, there is already a program to check/restore permissions
and the documentation even says that it is available in Debian, but
it isn't - what is the story?  It is very old, from 1994 - was there
some other distribution called Debian at that time? :-)

It would be very nice to allow building packages by any user, without
any privileges.  For example, build a package on a fast machine with
a lot of disk space (but where you aren't root) and later install it
as root on your small home box...
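
The first possibility in the message above (rewriting ownership and mode in the tar headers from a permissions specification file), sketched as an added example; it is not part of the original message and is not dpkg code. The spec format ("path mode uid gid"), the function names and the sample archive are assumptions made for illustration; device nodes are left out, and entries missing from the spec are forced to root ownership with setuid/setgid cleared.

```python
import io
import tarfile

# Constructed permissions specification: "path mode uid gid", mode in octal.
SAMPLE_SPEC = "usr/bin/hello 4755 0 0\netc/hello.conf 0640 0 42\n"

def parse_spec(text):
    """Parse the spec into {path: (mode, uid, gid)}; '#' starts a comment."""
    spec = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            path, mode, uid, gid = fields
            spec[path] = (int(mode, 8), int(uid), int(gid))
    return spec

def rewrite_tar(src_bytes, spec):
    """Copy a tar archive, taking mode/uid/gid from spec, not from the builder."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_bytes), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w:", format=tarfile.GNU_FORMAT) as dst:
        for member in src:
            name = member.name[2:] if member.name.startswith("./") else member.name
            if name in spec:
                member.mode, member.uid, member.gid = spec[name]
            else:
                # Assumption: unlisted entries become root-owned and lose
                # setuid/setgid, so only the spec can grant those bits.
                member.uid = member.gid = 0
                member.mode &= 0o1777
            member.uname = member.gname = ""  # leave only the numeric ids
            dst.addfile(member, src.extractfile(member) if member.isreg() else None)
    return out.getvalue()

def build_sample():
    """Constructed input: archive as an unprivileged build (uid 1000) leaves it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, mode in [("./usr/bin/hello", 0o755), ("./etc/hello.conf", 0o666),
                           ("./usr/bin/other", 0o4755)]:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid, info.size = mode, 1000, 1000, 5
            tar.addfile(info, io.BytesIO(b"data\n"))
    return buf.getvalue()

def listing(tar_bytes):
    """Return {name: (mode, uid, gid)} for every member of the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return {m.name: (m.mode, m.uid, m.gid) for m in tar}
```

Calling `listing(rewrite_tar(build_sample(), parse_spec(SAMPLE_SPEC)))` shows the headers after rewriting; no step needs root, because only header fields inside a regular file are changed.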


