May a package assume that builds are performed with root-like rights? (was: jadetex: FTBFS: mktexdir failed)

To: debian-devel <debian-devel@lists.debian.org>
Cc: Daniel Schepler <schepler@math.berkeley.edu>, 354113@bugs.debian.org
Subject: May a package assume that builds are performed with root-like rights? (was: jadetex: FTBFS: mktexdir failed)
From: Frank Küster <frank@kuesterei.ch>
Date: Thu, 23 Feb 2006 16:37:05 +0100
Message-id: <[🔎] 8664n6qe72.fsf_-_@alhambra.kuesterei.ch>
In-reply-to: <200602231554.55080.schepler@math.berkeley.edu> (Daniel Schepler's message of "Thu, 23 Feb 2006 15:54:53 +0100")
References: <200602231437.31140.schepler@math.berkeley.edu> <86hd6qqh25.fsf@alhambra.kuesterei.ch> <200602231554.55080.schepler@math.berkeley.edu>

reassing 354113 tex-common
thanks

I think this problem is of general interest, or at least I don't feel we
(the TeX Task Force) cannot decide this on our own.

In short: May a package assume that package builds are performed with
root-like rights, and thus use non-world-writable directories for
caching purposes?

Daniel Schepler <schepler@math.berkeley.edu> wrote:

>> > From my pbuilder build log:
>> >
>> > ...
>> > mkdir: cannot create directory `././var/cache/fonts/tfm/jknappen':
>> > Permission denied mktextfm: mktexdir /var/cache/fonts/tfm/jknappen/ec
[...]
>> I cannot reproduce this here. [...]
>>
>> I'm using a normal pbuilder setup with sudo - do you somehow chroot
>> without being root?  And if that is the case, is the respective user
>> member of the "users" group in the chroot?  Probably not, and that will
>> be the problem.
>
> I ran pbuilder as root, but I have pbuilder set up to su to a normal user for 
> the build.
>
> So are you saying it's a bug for pbuilder not to put that user in the users 
> group?  I thought the users group was pretty much obsolete anyway, replaced 
> by per-user groups -- at least on my system, where I did nothing special, 
> running "groups" from my normal account gives
> daniel dialout cdrom floppy audio video

No, I don't think that it's a bug in pbuilder.  But on the other hand, I
think that it was a security risk that TeX's font cache directory was
world-writable in previous versions.  Changing that to allow write
access only for a specific group seemed a good compromise (until some
new clever font caching mechanism, probably with a client/server
architecture, is implemented.  But that's only a dream).

So the current state is:  If pbuilder runs all commands inside the
chroot, everything is fine, and AFAIK the same is true for the buildds.
But if you su to some user in the chroot, near to every package that
Build-depends on tetex-bin will FTBFS, unless you specifically arrange
for that user to be in group "users" (or anything else we switch to, I
don't care much).

Is this a bug in tex-common, or should package builders just be more
careful with their setup?  What do others think?

TIA, Frank

P.S. Making the change is easy, it's just changing a debconf default
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)

Reply to:

Follow-Ups:
- Re: May a package assume that builds are performed with root-like rights? (was: jadetex: FTBFS: mktexdir failed)
  - From: Daniel Schepler <schepler@math.berkeley.edu>
- Re: May a package assume that builds are performed with root-like rights?
  - From: Simon Richter <Simon.Richter@hogyros.de>

Prev by Date: Re: ITP: root -- An object oriented data analysis framework
Next by Date: Re: May a package assume that builds are performed with root-like rights? (was: jadetex: FTBFS: mktexdir failed)
Previous by thread: Re: Bug#325306: ITP: root -- An object oriented data analysis framework
Next by thread: Re: May a package assume that builds are performed with root-like rights? (was: jadetex: FTBFS: mktexdir failed)
Index(es):
- Date
- Thread