makepkg 4.2.0 broke "--asroot" parameter

[notuxic]

With the update of makepkg to version 4.2.0 the "--asroot" parameter isn't available anymore.
Thus, when trying to build the error makepkg: invalid option '--asroot' is raised.
This could be solved by creating a user "yaourt" and executing makepkg with sudo using this user.

Changes in makepkg for version 4.2.0:
https://projects.archlinux.org/pacman.git/tree/NEWS#n54

[Skunnyk]

Hm, you should never compile anything with root user.
You only have this error if you run yaourt with root user/sudo, after a warning saying "Building package as root is dangerous".
We need to remove this possibility anyway now that makepkg doesn't support --asroot anymore

[regeya]

So, basically, yaourt won't work as root anymore as of 4.2?

sigh I was using yaourt to keep packages up to date. That includes things like Nvidia drivers.

I "get" that compiling as root is a bad idea. I also choose Arch because it lets me make bad decisions. I don't need hand-holding, I need my machine to work.

I've used Arch in the past, and there's always some show-stopper that chases me away from Arch. This is definitely a show-stopper.

[Skunnyk]

Hm ? It's not a yaourt bug, it's a new behavior of makepkg which removed --asroot option (and it's a good idea imo). Yaourt use makepkg/pacman to build/install.
You can still use yaourt like before, when it need sudo/root access (at installation time for example) it will prompt for root or sudo password.
Just don't launch it with root user when you need to install AUR packages.

[tuxce]

3f60d14 make yaourt exits if executed as root and makepkg is needed.

[ghost]

i'm not sure this was the best fix.

i use ssh to manage a fleet of Arch servers. I use Yaourt to keep them up to date, because some of them have dependencies on AUR packages.

I shell in via pdsh, and as root.
Granted, most of the breakage here is due to makepkg/pacman being overzealous with its control.

An alternate solution would be to instead of exiting if root, check if USER (can be set in /etc/yaourtrc, "yaourt" by default) exists and if doesn't, create (make sure you usermod -L the user, or set as a system user, whatever). then create /etc/sudoers.d/yaourt containing:
USER ALL=(ALL) NOPASSWD: /usr/bin/pacman

and make yaourt only executable by root. so it still works with everyone's fscking precious sudo.

Ironically, by removing --asroot, the workaround for yaourt is now less secure and safe than it would have been originally, as we've now been forced to give a non-root user unfettered access to yaourt (and by extension, EVERYONE ELSE if you don't make /usr/bin/yaourt 700 or 744) .

ugh. i guess i just need to switch to something else, because that fix would never be implemented.

but really, we might have better luck petitioning upstream to reimplement --asroot. because this now prevents me from updating my fleet of systems remotely, and i'd really like to avoid having to build packages myself and then adding everything to a self-hosted repository.

[tuxce]

and make yaourt only executable by root.

Only installation needs root, so if I make it only executable by root, I'll break all others uses.

Ironically, by removing --asroot, the workaround for yaourt is now less secure and safe than it would have been originally, as we've now been forced to give a non-root user unfettered access to yaourt (and by extension, EVERYONE ELSE if you don't make /usr/bin/yaourt 700 or 744) .

I suppose you meant access to pacman ? Because I don't see which access you have to add since yaourt was initially and still made to be used as a user.

The solution that uses another user doesn't need to be implemented in yaourt, an alias like :

alias yaourt='sudo -u yaourt /usr/bin/yaourt '

can make it.

[ghost]

the fact remains that it still requires the manual configuration of another user. yaourt should automate that.

whatever. i have a lot of systems to make config changes to now because of this.

[Enverex]

Ah, the ol "lets force users to do things this way even though people should be able to administer their systems in the way that best suits them" switcharoo. This has become a worrying trend in the Linux world, to try and "idiot-proof" things here and there. It's a slippery slope considering Linux was generally seen as an open, easy to administer platform where users can configure the system to work how they want. This is a silly step backwards.

I apologise, but I felt this had to be said.

[ghost]

actually, and i know we're necrobumping, but i might have a solution.

one may be able to have yaourt drop privileges to the nobody user if it was called as root for the makepkg run (negating the need for --asroot), and then running the actual installation of the package.

@tuxce or @Skunnyk would you be open to this suggestion if it works? i can submit a patch if you don't want to implement but it may take a bit of time as I'd need to get familiar with /usr/lib/yaourt/util.sh's functions.

[Skunnyk]

Hm, yep, maybe a solution.
Packer try to implement the same behavior : keenerd/packer#131 (comment) , with a "pacman" user (but it would be better in the .install step instead of adding user on-the-fly on runtime imo).
Waiting for @tuxce advise :)

[DepthDeluxe]

Removing the --asroot option also appears to have broken GNU Puppet. It uses the option to run makepkg on AUR packages.

[evert-mouw]

Dirty solution for the makepkg asroot problem

Background: The maintainers of the makepkg utility used to create Arch packages have, in all their infinite wisdom to protect the lesser beings, removed the asroot option and the possibility to build packages as user root.

My take: Arch started out great because it worked like Slackware: KISS and the ability to shoot yourself in the foot.

Temporary, somewhat ugly fix

We can edit /usr/bin/makepkg of course :-)

Add asroot to OPT_LONG (line 3366). Just search for "OPT_LONG".

OPT_LONG=('allsource' 'check' 'clean' 'cleanbuild' 'config:' 'force' 'geninteg'
          'help' 'holdver' 'ignorearch' 'install' 'key:' 'log' 'noarchive' 'nobuild'
          'nocolor' 'nocheck' 'nodeps' 'noextract' 'noprepare' 'nosign' 'pkg:' 'repackage'
          'rmdeps' 'sign' 'skipchecksums' 'skipinteg' 'skippgpcheck' 'source' 'syncdeps'
          'verifysource' 'version' 'asroot')

Remove EUID check (line 3577). Just search for "EUID".

if (( ! INFAKEROOT )); then
    if (( EUID == 0 )); then
        #error "$(gettext "Running %s as root is not allowed as it can cause permanent,\n\
#catastrophic damage to your system.")" "makepkg"
        #exit 1 # $E_USER_ABORT
        plain "$(gettext "Running as root restored by Orc ;)")"
    fi

Make it permanent

Maybe don't do that. You could consider creating a patch file and applying the patch before running tools such as yaourt, packer or apacman. But soon enough those tools will very likely install a user on your system and let that user run makepkg.

[tuxce]

I'm not in favor of yaourt creating or using a different user for makepkg.
How about let the user choose what to do ?
Maybe someone pushed or will push a 'makepkg_root' to AUR and with this commit 1997977 he will be able to configure yaourt to use the new executable.

[balle]

Well I cannot use yaourt as before, because its not possible to use it in Puppet when it's prompting for a password dozen of times, but with the "somewhat ugly fix" above it's working again ;)
Ah and before I forget: Rule number one for every programmer is (or at least should be) dont remove a feature or users will hate you!

[l3iggs]

The removal of --asroot has broken all of my arch docker images (inside which only the root user exists).

[l3iggs]

I've sent an email requesting the reinstatement of --asroot to pacman-dev@archlinux.org

[ghost]

@l3iggs
I haven't checked the list archives yet, but I highly doubt you'll get anywhere productive. See the issue I filed, https://bugs.archlinux.org/task/43302
It was closed as WONTFIX.

I do want to take the time now to stress that this breakage is not the archlinux-fr team's fault. It is the pacman devs (and, as @evert-mouw pointed out, their straying from the Arch Way(TM).)

[evert-mouw]

@Bts368 Thanks for your issue. It is unfortunate that the devs don't give it much consideration. Well. I guess that's why I use Scientific Linux or Ubuntu for my home server virtual machines. Package management is too important to let it be influenced by amateurish devs. (Maybe the original Slackware philosophy also has merit: Try to avoid such "management" in the first place. But I cannot live without dependency resolving.)

I still love arch but this isn't the right way. Sorry for my slightly offtopic rant. As I only use Arch on one of my desktop machines, this whole issue doesn't hurt me much, but I really don't like the whole "we protect the stupid user from his own actions" mentality that seems to gain ground.

PS: I agree that the archlinux-fr team is doing a great job. Indeed, it's not their fault.

[ghost]

I just updated the upstream issue (#43302), as ironically, the Arch Way I quoted is supported by phrakture himself (for those unaware, phrakture is the lead developer).

I've requested re-open. If it gets closed as WONTFIX again, I have no idea where to take it to next, but we aren't the only ones complaining about this.

[ghost]

https://bugs.archlinux.org/task/43302
okay. so looks like we're on our own. apparently "competent linux user" = "fork it if we break the way you use it"

like ubuntu.

that said, the faster we find a workaround, the better IMO. @tuxce, up for a bugjam? it should be a pretty quick one, but i need some help walking around the functions library.

[l3iggs]

My workaround has been to do everything in /tmp so that the user nobody has write permissions
Step 1: install sudo
Step 2: add the following line to /etc/sudoers: nobody ALL=(ALL) NOPASSWD: ALL
Step 3: run the offending makepkg command as the user nobody with su: su -c "makepkg -si --noconfirm" -s /bin/bash nobody
Step 4: remove the line from Step 2 from /etc/sudoers
Just crap.

[ghost]

@l3iggs i just submitted a quick little patch/pull request that might be a little more graceful than all that; we only need sudo for the makepkg calls, not the whole process.

but yeah. NOPASSWDing the nobody user is a bad, bad, bad idea. :/

[ghost]

if someone's feeling brave/has extra time on their hands, can you clone, make, package, and install from my fork at https://github.com/bts368/yaourt to see if it installs and works as expected?

("as expected" means "you should be able to run yaourt as root with no warnings received and a successfully installed package")

if you're feeling extra kind, i'd love it if you tried out the new SUDOUSR directive in yaourtrc i added.

[tuxce]

Like I writed in my last comment, yaourt-git can be configured to change the makepkg executable : 1997977
Anyone can use @dalu patch (https://gist.github.com/dalu/6cdda7e0376f602f97de) to push a PKGBUILD and have a makepkg with different name that execute as root.
And use something like :

MAKEPKG='makepkg_replacement' yaourt <...>

or by setting MAKEPKG in yaourtrc.

[ghost]

whoops! i must have missed that; terribly sorry, @tuxce.

i'll just submit a PR for the man page then.

when do you plan on updating the stable yaourt?

[quentindemetz]

#67 (comment) fixed it for me, but for how long?

[fabiofalci]

oh man, all my docker images are broken now