
Crazy APT/dpkg suggestion (user-installable packages)

I am not a Debian developer, but I came up with the following idea for the 
packaging system last night.  I just wanted to throw this out to the list 
and see what people thought about it.

It would be useful to many people if regular users could install Debian 
packages into their home directories, but this would take an immense 
amount of effort to make practical.  This suggestion might be the next 
best thing.  Assuming that security issues could be resolved, make apt-get 
and/or dpkg setuid root so that the following could be implemented:

* Any user can install a package, except when:
	1) it would Conflict: with a package already installed by root
	   or by a different user
	2) it would make the amount of free space available on any 
	   partition less than some absolute size and/or percentage,
	   specifiable by root in a conf-file
	3) it appears in a list of packages that root specifies may NOT
	   be user-installed (/etc/packages.deny)
	4) it does NOT appear in a list of packages that root specifies
	   may be installed (/etc/packages.allow)

[I assume that the default would be (4) rather than (3), with the default
packages.allow being some list of harmless end-user packages and libraries
for them.  Obviously on a multi-user system, we wouldn't want users
deciding to install things like telnetd.  BTW, perhaps ssh could be split
into ssh-client and ssh-server?]

* A user can remove or upgrade a package s/he has installed, except when:
	1) this would cause a root-installed package or a package 
	   installed by another user to be removed or upgraded

* Root may easily do one of the following by setting a conf-file variable:
	a) upgrade _all_ packages via apt-get upgrade
	b) upgrade only packages previously installed by root

* Obviously dpkg needs to know who installed which package: keep a list in
/var/lib/dpkg/packages.user or something like that.  A user could edit
this file to state that all packages were installed by his/her own
account, thereby never having to log in as root for package-management
tasks.  (Perhaps this could also be set by asking "Will this machine be a
single-user system?" in the initial installation.  In this case we would 
install /etc/packages.deny rather than /etc/packages.allow)

* This could be an alternative to the usual dpkg / apt-get (Conflicts:  
dpkg, Provides: dpkg) so that sysadmins who don't want the behavior
described here can keep the default we all know and love :)  On
installation of the alternative package (dpkg-user?), ownership of all
previously-installed packages would be set to root in the above-mentioned
file /var/lib/dpkg/packages.user.

* I see the behavior described above being most desired on a single-user 
system, or on a multi-user system where the sysadmin is too busy to 
install packages specifically at the request of the users.

So... feel free to rip this to shreds now.  (And note that I'm not 
volunteering to write such a package... maybe in May after my exams!)

Kevin McCarty
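
The install and removal rules proposed in the message above, written out as a default-deny policy check. This is an added example, not part of the original post and not dpkg or apt code; the function names, the data layout standing in for /var/lib/dpkg/packages.user, the root bypass, and checking the deny list before the allow list are all assumptions.

```python
# Added illustration of the rules proposed in the post; not dpkg or apt code.
# The ownership map stands in for the proposed /var/lib/dpkg/packages.user;
# its format and every name below are assumptions.
from dataclasses import dataclass, field

@dataclass
class Policy:
    allow: set = None            # /etc/packages.allow; None = deny-list mode
    deny: set = field(default_factory=set)   # /etc/packages.deny
    min_free_bytes: int = 0      # absolute free-space floor per partition
    min_free_pct: float = 0.0    # percentage free-space floor per partition

def may_install(user, pkg, conflicts, needs, owners, disks, policy):
    """Return (allowed, reason). needs: {mount: bytes}; disks: {mount: (free, total)}."""
    if user == "root":                       # assumption: root is never restricted
        return True, "root"
    for other in conflicts:                  # rule 1: Conflicts: with someone else's package
        if other in owners and owners[other] != user:
            return False, f"conflicts with {other} owned by {owners[other]}"
    for mount, size in needs.items():        # rule 2: free-space floors
        free, total = disks[mount]
        left = free - size
        if left < policy.min_free_bytes or 100 * left / total < policy.min_free_pct:
            return False, f"too little free space on {mount}"
    if pkg in policy.deny:                   # rule 3: explicit deny list
        return False, "listed in packages.deny"
    if policy.allow is not None and pkg not in policy.allow:   # rule 4: allow list
        return False, "not listed in packages.allow"
    return True, "ok"

def may_remove(user, pkg, affected, owners):
    """affected: packages that would also be removed or upgraded as a result."""
    if user == "root":
        return True, "root"
    for name in [pkg, *affected]:
        if owners.get(name, "root") != user:   # unknown owner is treated as root
            return False, f"{name} is owned by {owners.get(name, 'root')}"
    return True, "ok"

# Constructed sample state.
OWNERS = {"libc6": "root", "exim": "root", "xpdf": "alice", "mutt": "bob"}
DISKS = {"/usr": (500_000_000, 4_000_000_000)}
POLICY = Policy(allow={"xpdf", "mutt", "gnuplot", "postfix"}, deny={"telnetd"},
                min_free_bytes=100_000_000, min_free_pct=5.0)
```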
