Arch Linux
#1 2017-10-11 03:43:03
Running makepkg as root.
I understand it was disabled, and I get it.
However, on a build server (Ubuntu), I need to generate .SRCINFO and update checksums in PKGBUILD. I have to use «base/arch» Docker image to run the command, and I’d like to disable that requirement.
Is there an environment variable I can set? Small modification to the bash script?
#2 2017-10-11 03:52:11
Re: Running makepkg as root.
Or, is there a way to run makepkg on Ubuntu? How portable is it?
#3 2017-10-11 05:25:32
Re: Running makepkg as root.
However, on a build server (Ubuntu), I need to generate .SRCINFO and update checksums in PKGBUILD. I have to use «base/arch» Docker image to run the command, and I’d like to disable that requirement.
What about changing the user in the Docker image?
Not sure if makepkg can run on Ubuntu, but I would probably just give this a try to compile and run it there.
#4 2017-10-11 05:36:44
Re: Running makepkg as root.
does docker have a nobody user?
maybe use that instead because makepkg can’t run as root by all-. by design.
Well, I suppose that this is some kind of signature, no?
#5 2017-10-11 06:06:35
Re: Running makepkg as root.
makepkg will run on ubuntu.
#6 2017-10-11 22:07:04
Re: Running makepkg as root.
It may run, but you might find it difficult to handle make/depends if you want to actually build anything, not to mention building against system libraries that only make sense in the context of creating a package *for* Ubuntu.
Managing AUR repos The Right Way — aurpublish (now a standalone tool)
#7 2017-10-12 01:13:32
Re: Running makepkg as root.
Sounds like OP is running makepkg inside an Arch Docker container on Ubuntu? I’m not up-to-speed with Docker, but you should be able to run makepkg as any user inside the container?
Running GUI applications as root
Avoid running graphical applications as root if possible, see #Circumvent running graphical apps as root.
Circumvent running graphical apps as root
sudoedit
To edit files as root, use sudoedit.
Access to privileged files and directories is possible through GVFS by specifying the admin backend in the URI scheme[2][3], e.g.:
By default, and for security reasons, root will be unable to connect to a non-root user’s X server. There are multiple ways of allowing root to do so however, if necessary.
The proper, recommended way to run GUI apps under X with elevated privileges is to create a Polkit policy, as shown in this forum post. This should however «only be used for legacy programs», as pkexec(1) reminds. Applications should rather «defer the privileged operations to an auditable, self-contained, minimal piece of code that gets executed after doing a privilege escalation, and gets dropped when not needed»[4]. This may be the object of a bug report to the upstream project.
Punctual methods
Those methods wrap the application in an elevation framework and drop the acquired privileges once it exits:
Alternate methods
These methods will allow root to connect to a non-root user’s X server, but present varying levels of security risks, especially if you run ssh. If you are behind a firewall, you may consider them to be safe enough for your requirements.
Xhost
Xhost can be used to temporarily allow root access.
Permanently allow root access
to /etc/pam.d/su and /etc/pam.d/su-l. Then switch to your root user using su or su -.
Method 2: Globally in /etc/profile
Add the following line to /etc/profile:
This will permanently allow root to connect to a non-root user’s X server.
Or, merely specify a particular app:
where appname is the name of the particular app. (e.g. kwrite)
Wayland
Trying to run a graphical application as root via su, sudo or pkexec in a Wayland session (e.g. GParted or Gedit), will fail with an error similar to this:
Before Wayland, running GUI applications with elevated privileges could be properly implemented by creating a Polkit policy, or more dangerously by prepending the command with sudo in a terminal. Under (X)Wayland this no longer works, because the default now only allows the user who started the X server to connect clients to it (see the bug report and the upstream commits it refers to).
Avoid running graphical applications as root if possible, see #Circumvent running graphical apps as root.
A more versatile, though less secure, workaround allows any graphical application to be run as root: see #Using xhost.
Using xhost
A more versatile —though much less secure— workaround is to use xhost to temporarily allow the root user to access the local user’s X session[5]. To do so, execute the following command as the current (unprivileged) user:
To remove this access after the application has been closed:
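The grant and revoke steps described above can be tied to the lifetime of a single command, so the access is withdrawn even when the application fails or the wrapper is interrupted. This is an added example, not taken from the wiki page: run_gui_as_root is a hypothetical helper name, and it assumes sudo is installed and passes DISPLAY through to the command.

```sh
#!/bin/sh
# Added example, not from the wiki page. run_gui_as_root is a hypothetical
# helper, called by the unprivileged user who owns the graphical session.
ROOT_ENTRY="si:localuser:root"

run_gui_as_root() {
    # If root is already authorised (for example by a permanent setting),
    # run the command and leave that state untouched.
    if xhost | grep -qi "^${ROOT_ENTRY}\$"; then
        sudo -- "$@"
        return
    fi
    (
        xhost "+${ROOT_ENTRY}" >/dev/null || exit 1
        # The EXIT trap revokes the entry whether the application exits
        # normally, fails, or the wrapper is interrupted.
        trap 'xhost "-${ROOT_ENTRY}" >/dev/null' EXIT
        trap 'exit 130' INT TERM HUP
        sudo -- "$@"
    )
}

# Run stand-alone as: ./script gparted
if [ "$#" -gt 0 ]; then
    run_gui_as_root "$@"
fi
```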
#1 2018-01-08 03:39:29
makepkg support for running as root.
I get why it was disabled. You don’t want random PKGBUILDs to run on your machine and cause havoc.
However, this leaves me in a weird place when installing Arch via scripts.
Everything is run as root. Only after the machine is finally booted, will the end user add a normal non-root user.
The base image contains some AUR packages.
As it stands, I have to create a temporary user, su to run makepkg, and when install script is completed, delete the temporary user. I don’t like doing that. So ugly, that during install, I patch the makepkg script to remove the requirement for root (https://github.com/pauldotknopf/darch-i … epkg.patch).
What do you guys think about having an environment variable that can override the root check, and if running as root, output a «WARNING» text?
Otherwise, I have to create a temporary user, or patch the makepkg script.
#2 2018-01-08 03:56:17
Re: makepkg support for running as root.
Run makepkg as the user «nobody».
#3 2018-01-08 04:42:40
Re: makepkg support for running as root.
This brings up another issue though.
Let’s say I have manually ran makepkg for trizen, to install other packages from the aur.
trizen will prompt for sudo password when doing the installation, allowing you to run the command as a normal user.
For this to work, I need to run trizen as «nobody», but then it will attempt to access sudo. This is a scripted install, so I would have to give sudo access to nobody with nopasswd to work seamlessly with trizen. Giving a user «nobody» sudo access def not a good idea, so there doesn’t seem to be a clean way to work with trizen.
So, for me to work with trizen (or any AUR helper), I’d have to do something like:
I’d have to be aware of the dependencies that «some-package» needs from AUR, and be sure to also makepkg -i them as well.
I suppose this method is better than patching makepkg to support root.
Last edited by theonlylawislove (2018-01-08 04:43:26)
#4 2018-01-08 04:54:23
Re: makepkg support for running as root.
pacman -U *.pkg.tar.*
#5 2018-01-08 05:34:36
Re: makepkg support for running as root.
That doesn’t take care of dependency order though, correct?
#6 2018-01-08 07:18:24
Re: makepkg support for running as root.
What do you guys think about having an environment variable that can override the root check, and if running as root, output a «WARNING» text?
Otherwise, I have to create a temporary user, or patch the makepkg script.
Right, we *used* to have that and it was called --asroot.
If you are doing a scripted install, I see no reason why you should be afraid of giving the «nobody» user access to pacman via NOPASSWD.
Of course, you could also use our official makechrootpkg tool for building packages in a clean chroot, which automates all of this and comes with wrapper flags for e.g. installing dependency packages into the chroot.
aurutils is an AUR helper with seamless native understanding of makechrootpkg.
Managing AUR repos The Right Way — aurpublish (now a standalone tool)
#7 2018-01-08 07:19:30
Re: makepkg support for running as root.
pacman takes care of dependency order when installing packages.
But if it can’t find the required packages in any repository, it will fail, yes. It is up to you to build and install the missing packages beforehand in such a case (tip: use --asdeps, to keep things sane).
—edit: oops, ninja’d
Last edited by ayekat (2018-01-08 07:19:45)
#8 2018-01-08 10:29:04
Re: makepkg support for running as root.
You could create a custom repo with all of the AUR packages you want to install.
No, it didn’t «fix» anything. It just shifted the brokeness one space to the right. — jasonwryan
Closing — for deletion; Banning — for muppetry. — jasonwryan
#9 2019-01-16 16:07:43
Re: makepkg support for running as root.
makepkg could automatically detect if it’s being run as superuser, and if that was the case spawn a new instance as a non privileged user. Then do its operation.
This way running makepkg or its dependent tools would work safely independently if they are run as root or not. This would save a lot of pain when using these commands along with more complex operations, like scripts or pipes.
#10 2019-01-16 16:21:20
Re: makepkg support for running as root.
makepkg could automatically detect if it’s being run as superuser, and if that was the case spawn a new instance as a non privileged user. Then do its operation.
Which user that may or may not exist on any of the various Linux distributions that pacman supports?
How do we know which user has write permissions for the working directory and/or SRCDEST, PKGDEST, BUILDDIR, etc?
This way running makepkg or its dependent tools would work safely independently if they are run as root or not. This would save a lot of pain when using these commands along with more complex operations, like scripts or pipes.
How exactly is this superior to just using `runuser -u $nonprivilegeduser makepkg` within the script or pipe you’re referring to, which is something you can actually control? Why does this trivial-yet-site-specific functionality need to be in makepkg? How would you reliably set SRCDIR, PKGDEST, BUILDDIR, etc. such that the site-specific user has site-specific directories it can write to?
How do you handle -s and -r if makepkg is re-executing as the common «nobody» user that has no permissions, including the lack of permissions represented by sudo?
Because guess what — I’m fairly sure none of this is ever going to be in makepkg. It is extraordinarily easy to do properly in your script, and much, much, much harder to do in makepkg itself for something that we explicitly refused to support in the first place.
Managing AUR repos The Right Way — aurpublish (now a standalone tool)
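The approach the replies in both threads point to, sketched for a root-run install script: build as a dedicated unprivileged account with directories it owns, and keep dependency and package installation with root. This is an added example, not makepkg code and not from any poster; BUILD_USER, BUILD_ROOT and the function names are assumptions, and the account is expected to exist already.

```sh
#!/bin/sh
# Added example (not makepkg code): build as a dedicated unprivileged account
# from a root-run install script, and keep package installation with root.
# BUILD_USER and BUILD_ROOT are assumed, site-specific names.
BUILD_USER="${BUILD_USER:-aurbuild}"
BUILD_ROOT="${BUILD_ROOT:-/var/lib/aurbuild}"

# Returns 0 only for an existing account that is not uid 0.
check_build_user() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 2; }
    [ "$uid" -ne 0 ] || { echo "refusing to build as uid 0" >&2; return 1; }
}

# Reads .SRCINFO text on stdin and prints the names from depends,
# makedepends and checkdepends (including per-architecture variants),
# one per line, with version constraints such as ">=5" removed.
srcinfo_deps() {
    awk -F' = ' '
        $1 ~ /^[ \t]*(make|check)?depends(_[a-z0-9_]+)?$/ {
            sub(/[<>=].*/, "", $2)
            print $2
        }' | sort -u
}

# Runs makepkg in $WORK as BUILD_USER. The destination directories are passed
# explicitly so the build never depends on what the root shell exported.
as_builder() {
    ( cd "$WORK" && runuser -u "$BUILD_USER" -- env HOME="$BUILD_ROOT" \
        BUILDDIR="$BUILD_ROOT/build" PKGDEST="$BUILD_ROOT/pkg" \
        SRCDEST="$BUILD_ROOT/src" makepkg "$@" )
}

# $1: directory containing a PKGBUILD. Must be called as root.
build_and_install() {
    check_build_user "$BUILD_USER" || return
    [ "$(id -u)" -eq 0 ] || { echo "call this from the root script" >&2; return 1; }

    # Give the build account its own writable tree and a private copy of the
    # PKGBUILD directory, so it needs no access to root-owned paths.
    WORK="$BUILD_ROOT/work/$(basename "$1")"
    for d in build pkg src work; do
        install -d -o "$BUILD_USER" -m 0750 "$BUILD_ROOT/$d" || return
    done
    rm -rf "$WORK" && cp -R "$1" "$WORK" && chown -R "$BUILD_USER" "$WORK" || return

    # makepkg -s and -r would call sudo as the build account. Root installs
    # the repository dependencies itself instead; AUR-only dependencies have
    # to be built with this same function first.
    deps=$(as_builder --printsrcinfo | srcinfo_deps)
    if [ -n "$deps" ]; then
        # shellcheck disable=SC2086  # word splitting of $deps is intended
        pacman -S --needed --asdeps --noconfirm $deps || return
    fi

    as_builder --noconfirm || return
    # --packagelist prints the paths of the package files the PKGBUILD produces.
    # shellcheck disable=SC2046
    pacman -U --noconfirm $(as_builder --packagelist)
}

if [ "$#" -gt 0 ]; then
    build_and_install "$1"
fi
```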
Installation guide
This document is a guide for installing Arch Linux using the live system booted from an installation medium made from an official installation image. The installation medium provides accessibility features which are described on the page Install Arch Linux with accessibility options. For alternative means of installation, see Category:Installation process.
Before installing, it would be advised to view the FAQ. For conventions used in this document, see Help:Reading. In particular, code examples may contain placeholders (formatted in italics) that must be replaced manually.
For more detailed instructions, see the respective ArchWiki articles or the various programs’ man pages, both linked from this guide. For interactive help, the IRC channel and the forums are also available.
Arch Linux should run on any x86_64-compatible machine with a minimum of 512 MiB RAM, though more memory is needed to boot the live system for installation.[1] A basic installation should take less than 2 GiB of disk space. As the installation process needs to retrieve packages from a remote repository, this guide assumes a working internet connection is available.
Pre-installation
Acquire an installation image
Visit the Download page and, depending on how you want to boot, acquire the ISO file or a netboot image, and the respective GnuPG signature.
Verify signature
It is recommended to verify the image signature before use, especially when downloading from an HTTP mirror, where downloads are generally prone to be intercepted to serve malicious images.
On a system with GnuPG installed, do this by downloading the PGP signature (under Checksums in the Download page) to the ISO directory, and verifying it with:
Alternatively, from an existing Arch Linux installation run:
Prepare an installation medium
The installation image can be supplied to the target machine via a USB flash drive, an optical disc or a network with PXE: follow the appropriate article to prepare yourself an installation medium from the chosen image.
Boot the live environment
- Point the current boot device to the one which has the Arch Linux installation medium. Typically it is achieved by pressing a key during the POST phase, as indicated on the splash screen. Refer to your motherboard’s manual for details.
- When the installation medium’s boot loader menu appears, select Arch Linux install medium and press Enter to enter the installation environment.
To switch to a different console—for example, to view this guide with Lynx alongside the installation—use the Alt+arrow shortcut. To edit configuration files, mcedit(1), nano and vim are available. See packages.x86_64 for a list of the packages included in the installation medium.
Set the console keyboard layout
The default console keymap is US. Available layouts can be listed with:
To modify the layout, append a corresponding file name to loadkeys(1), omitting path and file extension. For example, to set a German keyboard layout:
Console fonts are located in /usr/share/kbd/consolefonts/ and can likewise be set with setfont(8).
Verify the boot mode
To verify the boot mode, list the efivars directory:
If the command shows the directory without error, then the system is booted in UEFI mode. If the directory does not exist, the system may be booted in BIOS (or CSM) mode. If the system did not boot in the mode you desired, refer to your motherboard’s manual.
Connect to the internet
To set up a network connection in the live environment, go through the following steps:
- Ensure your network interface is listed and enabled, for example with ip-link(8):
- For wireless and WWAN, make sure the card is not blocked with rfkill.
- Connect to the network:
  - Ethernet—plug in the cable.
  - Wi-Fi—authenticate to the wireless network using iwctl.
  - Mobile broadband modem—connect to the mobile network with the mmcli utility.
- Configure your network connection:
  - DHCP: dynamic IP address and DNS server assignment (provided by systemd-networkd and systemd-resolved) should work out of the box for Ethernet, WLAN and WWAN network interfaces.
  - Static IP address: follow Network configuration#Static IP address.
- The connection may be verified with ping:
Update the system clock
Use timedatectl(1) to ensure the system clock is accurate:
To check the service status, use timedatectl status.
Partition the disks
When recognized by the live system, disks are assigned to a block device such as /dev/sda, /dev/nvme0n1 or /dev/mmcblk0. To identify these devices, use lsblk or fdisk.
Results ending in rom, loop or airoot may be ignored.
The following partitions are required for a chosen device:
If you want to create any stacked block devices for LVM, system encryption or RAID, do it now.
Use fdisk or parted to modify partition tables. For example:
Example layouts
Mount point | Partition | Partition type | Suggested size |
---|---|---|---|
[SWAP] | /dev/swap_partition | Linux swap | More than 512 MiB |
/mnt | /dev/root_partition | Linux | Remainder of the device |
Mount point | Partition | Partition type | Suggested size |
---|---|---|---|
/mnt/boot or /mnt/efi 1 | /dev/efi_system_partition | EFI system partition | At least 260 MiB |
[SWAP] | /dev/swap_partition | Linux swap | More than 512 MiB |
/mnt | /dev/root_partition | Linux x86-64 root (/) | Remainder of the device |
- /mnt/efi should only be considered if the used boot loader is capable of loading the kernel and initramfs images from the root volume. See the warning in Arch boot process#Boot loader.
Format the partitions
Once the partitions have been created, each newly created partition must be formatted with an appropriate file system. For example, to create an Ext4 file system on /dev/root_partition, run:
If you created a partition for swap, initialize it with mkswap(8):
Mount the file systems
Mount the root volume to /mnt. For example, if the root volume is /dev/root_partition:
Create any remaining mount points (such as /mnt/efi) using mkdir(1) and mount their corresponding volumes.
If you created a swap volume, enable it with swapon(8):
genfstab(8) will later detect mounted file systems and swap space.
Installation
Select the mirrors
Packages to be installed must be downloaded from mirror servers, which are defined in /etc/pacman.d/mirrorlist. On the live system, after connecting to the internet, reflector updates the mirror list by choosing 20 most recently synchronized HTTPS mirrors and sorting them by download rate.[2]
The higher a mirror is placed in the list, the more priority it is given when downloading a package. You may want to inspect the file to see if it is satisfactory. If it is not, edit the file accordingly, and move the geographically closest mirrors to the top of the list, although other criteria should be taken into account.
This file will later be copied to the new system by pacstrap, so it is worth getting right.
Install essential packages
Use the pacstrap(8) script to install the base package, Linux kernel and firmware for common hardware:
The base package does not include all tools from the live installation, so installing other packages may be necessary for a fully functional base system. In particular, consider installing:
- userspace utilities for the management of file systems that will be used on the system,
- utilities for accessing RAID or LVM partitions,
- specific firmware for other devices not included in linux-firmware (e.g. sof-firmware for sound cards),
- software necessary for networking,
- a text editor,
- packages for accessing documentation in man and info pages: man-db, man-pages and texinfo.
To install other packages or package groups, append the names to the pacstrap command above (space separated) or use pacman while chrooted into the new system. For comparison, packages available in the live system can be found in packages.x86_64.
Configure the system
Fstab
Generate an fstab file (use -U or -L to define by UUID or labels, respectively):
Check the resulting /mnt/etc/fstab file, and edit it in case of errors.
Chroot
Change root into the new system:
Time zone
Run hwclock(8) to generate /etc/adjtime:
This command assumes the hardware clock is set to UTC. See System time#Time standard for details.
Localization
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other needed locales. Generate the locales by running:
Network configuration
Add matching entries to hosts(5):
If the system has a permanent IP address or a fully qualified domain name, see the example in Network configuration#Local hostname resolution.
Complete the network configuration for the newly installed environment, that may include installing suitable network management software.
Initramfs
Creating a new initramfs is usually not required, because mkinitcpio was run on installation of the kernel package with pacstrap.
For LVM, system encryption or RAID, modify mkinitcpio.conf(5) and recreate the initramfs image:
Root password
Boot loader
Choose and install a Linux-capable boot loader. If you have an Intel or AMD CPU, enable microcode updates in addition.
Reboot
Exit the chroot environment by typing exit or pressing Ctrl+d.
Optionally manually unmount all the partitions with umount -R /mnt: this allows noticing any «busy» partitions, and finding the cause with fuser(1).
Finally, restart the machine by typing reboot: any partitions still mounted will be automatically unmounted by systemd. Remember to remove the installation medium and then log in to the new system with the root account.
Post-installation
See General recommendations for system management directions and post-installation tutorials (like creating unprivileged user accounts, setting up a graphical user interface, sound or a touchpad).
For a list of applications that may be of interest, see List of applications.