UID is used for chown as GID #863

Closed
@petrmanek

pikaur -Vq
Pikaur v1.32
Pacman v7.0.0 - libalpm v15.0.0 - pyalpm v0.10.6
[Optional] Prerequisites:

N/A

Description:

Following recent deprecation of DynamicUsers, I implemented steps described as 'solution 2' in this post, which I understand to be the proper way of addressing this change.

  1. I created a user called 'ppm' (pikaur package management) with uid: 617, gid: 616:
     useradd --system --home-dir="/" --shell="/usr/bin/nologin" --comment="Pikaur Package Management" ppm
  2. I created a directory called /var/cache/ppm owned by ppm:ppm:
     chown -R ppm:ppm /var/cache/ppm
  3. I changed my personal user's ~/.config/pikaur.conf to the following settings (everything else is untouched since I first installed pikaur years ago)
    • DynamicUsers=never
    • UserId=617
    • CachePath=/var/cache/ppm
    • DataPath=/var/cache/ppm

At the next run of pikaur, I found that the program attempted to change ownership of /var/cache/ppm to 617/617 and complained that:

🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur'
🛴 error:
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur/aur_repos'
🛴 error:

For due diligence, I also managed to confirm this using strace:

[...]
newfstatat(AT_FDCWD, "/home/petr/bin/sudo", 0x7ffc1e395bb0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/petr/.local/bin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/sbin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=257168, ...}, 0) = 0
access("/usr/bin/sudo", X_OK)           = 0
newfstatat(AT_FDCWD, "/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=257168, ...}, 0) = 0
newfstatat(AT_FDCWD, "/var/cache/ppm/pikaur", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
chown("/var/cache/ppm/pikaur", 617, 617) = -1 EPERM (Operation not permitted)

There are 3 issues with this in my opinion:

  1. The correct uid/gid pair is 617/616 and not 617/617 since the gid 617 on my system represents the audit group, not ppm. Unfortunately both values passed to chown appear to be configured to UserId and I could not find any GroupId parameter that would allow me to override the latter value.
  2. Pikaur attempts to chown the referenced path as my personal user, not as root. Since my user does not have any ownership of the directory in question, this understandably fails with EPERM.
  3. Pikaur attempts to chown the referenced path always, irrespective of its existing owners. If for the sake of argument I explicitly chown /var/cache/ppm to 617/617 (which I do not believe is correct), pikaur still unnecessarily attempts to chown it to the same values, failing in the process.

Since deprecation of dynamic users is a little bit mysterious to me, I tried to do my due diligence as a responsible user and locate any mentions of it in documentation or release notes to determine the proper course of action. To my disappointment, with the exception of README sections documenting DynamicUsers and UserId configuration parameters, this commit and this issue, there was very little information to go on. This left me a little bit in the dark.

For that reason I would like to take this opportunity to ask for clarification/advice:

  • Did I implement the UserId method correctly on my system? Are there any special attributes or capabilities that my ppm user should have in order to work with the UserId option?
  • Is it acceptable to have CachePath and DataPath point to the same directory, as suggested by the instructions I followed? For some reason this feels really suspicious to me.
  • Are any of my 3 concerns about chowning that path well-substantiated? If so, how should I address this on my system?

Thank you for any information you can share!

Attached log:
pikaur -S --verbose --pikaur-debug
🛴 debug: main_1000: Setting stdout to utf-8...
🛴 debug: main_1000: already set - nothing to do
🛴 debug: main_1000: Setting stderr to utf-8...
🛴 debug: main_1000: already set - nothing to do
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur'
🛴 error:
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur/aur_repos'
🛴 error:
🛴 debug: main_1000: Pikaur operation found for args ['/usr/bin/pikaur', '-S', '--verbose', '--pikaur-debug']: cli_install_packages
=> sudo --preserve-env=EDITOR -- /usr/bin/pikaur -S --verbose --pikaur-debug --pikaur-config=/home/petr/.config/pikaur.conf --user-id=617 --home-dir=/home/petr --xdg-cache-home=/var/cache/ppm --xdg-data-home=/var/cache/ppm
🛴 debug: main_0: Setting stdout to utf-8...
🛴 debug: main_0: already set - nothing to do
🛴 debug: main_0: Setting stderr to utf-8...
🛴 debug: main_0: already set - nothing to do
🛴 debug: main_0: Pikaur operation found for args ['/usr/bin/pikaur', '-S', '--verbose', '--pikaur-debug', '--pikaur-config=/home/petr/.config/pikaur.conf', '--user-id=617', '--home-dir=/home/petr', '--xdg-cache-home=/var/cache/ppm', '--xdg-data-home=/var/cache/ppm']: cli_install_packages
🛴 debug: install_info_fetcher:
Gonna fetch install info for:
    install_package_names=[]
    not_found_repo_pkgs_names=[]
    pkgbuilds_packagelists={}
    manually_excluded_packages_names=[]
    skip_checkdeps_for_pkgnames=[]

🛴 debug: install_info_fetcher: Gonna get repo pkgs install info...
Reading local package database...
🛴 debug: install_info_fetcher: gonna get AUR pkgs install info for:
    aur_packages_versionmatchers=[]
    self.aur_updates_install_info=[]
    aur_packages_names_to_versions={}
🛴 debug: install_info_fetcher: found AUR pkgs:
    aur_pkg_list=[]
not found AUR pkgs:
    not_found_aur_pkgs=[]
🛴 debug: install_info_fetcher: got AUR pkgs install info: []
🛴 debug: aur_deps: find_aur_deps: package_names=[]
🛴 debug: aur_deps: find_aur_deps: result_aur_deps={}
🛴 debug: install_info_fetcher: get_aur_deps_info: self.aur_deps_relations={}
🛴 debug: install_info_fetcher: get_aur_deps_info: aur_pkgs={}
🛴 debug: install_info_fetcher: get_aur_deps_info: [done]
🛴 debug: install_info_fetcher: get_repo_deps_info: [done]
🛴 debug: install_info_fetcher: :: marking dependant pkgs...
🛴 debug: install_info_fetcher:   :: mark_dependant :: get_repo_provided...
Reading repository package databases...
🛴 debug: install_info_fetcher:   :: mark_dependant :: get local pkgs...
🛴 debug: install_info_fetcher:   :: mark_dependant :: all_requested_pkg_names=[]
🛴 debug: install_info_fetcher:   :: mark_dependant :: explicit_aur_pkg_names=[]
🛴 debug: install_info_fetcher: == marked dependant pkgs.
🛴 debug: install_cli: self.install_info.all_install_info_containers=([], [], [], [], [], [], [], [])
🛴 Nothing to do.
🛴 debug: main_0: Restoring stdout...
🛴 debug: main_0: nothing to do
🛴 debug: main_0: Restoring stderr...
🛴 debug: main_0: nothing to do
🛴 debug: main_1000: Restoring stdout...
🛴 debug: main_1000: nothing to do
🛴 debug: main_1000: Restoring stderr...
🛴 debug: main_1000: nothing to do
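
The three chown concerns listed in the issue, sketched as an added example (not pikaur's code and not part of the original post): take the group from the account's passwd entry instead of reusing the uid, skip paths whose owner is already correct, and leave any change to the privileged process. Function names are hypothetical, and the passwd entry for uid 617 is constructed from the values given in the issue.

```python
import os
import pwd
import tempfile
from types import SimpleNamespace


def resolve_owner(uid, passwd_lookup=pwd.getpwuid):
    """Return (uid, primary gid) from the passwd database; never assume gid == uid."""
    return uid, passwd_lookup(uid).pw_gid


def plan_chown(path, uid, gid):
    """Decide what to do about path's ownership without changing anything."""
    st = os.stat(path, follow_symlinks=False)
    if (st.st_uid, st.st_gid) == (uid, gid):
        return "skip"        # already correct, so no chown() call is made
    if os.geteuid() != 0:
        return "needs-root"  # conservative: leave the change to the privileged process
    return "chown"


def ensure_owner(path, uid, passwd_lookup=pwd.getpwuid):
    """Hypothetical helper: apply the plan, return (action, (uid, gid))."""
    uid, gid = resolve_owner(uid, passwd_lookup)
    action = plan_chown(path, uid, gid)
    if action == "chown":
        os.chown(path, uid, gid, follow_symlinks=False)
    return action, (uid, gid)


def constructed_passwd(uid):
    """Constructed stand-in for pwd.getpwuid: uid 617 has primary gid 616, as in the issue."""
    return SimpleNamespace(pw_uid=uid, pw_gid={617: 616}[uid])


def demo():
    """Run the checks against a throwaway directory owned by the current user."""
    with tempfile.TemporaryDirectory() as cache:
        st = os.stat(cache)
        return {
            "owner": resolve_owner(617, constructed_passwd),
            "already_owned": plan_chown(cache, st.st_uid, st.st_gid),
            "wrong_group": plan_chown(cache, st.st_uid, st.st_gid + 1),
        }


if __name__ == "__main__":
    print(demo())
```
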
