I'm trying to build a macports installation that runs entirely out of a user's home directory.

I've compiled macports without launchd support, and set the install user and group to the appropriate user.

However, when I try to run "port install mysql5" it fails, apparently because it's trying to chown a file to root.

Is this a problem with that port, or does macports require root in general?

If it's the latter, any suggestions on how I could go about patching it to allow fully non-root user installations?

Paul
On Oct 14, 2006, at 8:59 PM, Paul M. Lambert wrote:
> I'm trying to build a macports installation that runs entirely out of a user's home directory.
>
> I've compiled macports without launchd support, and set the install user and group to the appropriate user.
>
> However, when I try to run "port install mysql5" it fails, apparently because it's trying to chown a file to root.
>
> Is this a problem with that port, or does macports require root in general?

It looks like the server variant of that port wants to set everything up for a 'normal' mysql server install. You could probably run the regular (non-server) variant and then configure mysql how you want it after the install without needing root.

> If it's the latter, any suggestions on how I could go about patching it to allow fully non-root user installations?

I think most of the issues you will find will be with individual ports, but I don't know if anyone else is still running macports as non-root, so you could stumble across other issues that we haven't seen before.

--
Daniel J. Luke
+========================================================+
| *---------------- dluke@geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
| Opinions expressed are mine and do not necessarily |
| reflect the opinions of my employer. |
+========================================================+
On 15.10.2006, at 02:59, Paul M. Lambert wrote:
> I'm trying to build a macports installation that runs entirely out of a user's home directory. [...] Is this a problem with that port, or does macports require root in general?

Certain targets require root in general, notably destroot and install.

> If it's the latter, any suggestions on how I could go about patching it to allow fully non-root user installations?

I don't think there is a general solution to this. port destroot is like saying make install. The software you're trying to install takes over at that point, and in a unix world, it may well do things that require root. After all, make install is traditionally run as root. To change this, you have to change the software you're trying to install to work around not having root access.

IOW, you will probably have to patch individual portfiles to patch the software being installed to not do anything during make install that might need root.

Regards,
Marc
I tried, for a while, to run MacPorts without root, but it ends up being more trouble than it's worth. A fair number of packages (like mysql) just can't install without adding users or making privileged files. Most will build without root, so you can do port build as user and port install as root, but even that runs into problems. I also suspect that a number of undiagnosed problems with my install stem from packages being built as a user (even though it shouldn't matter).

The short version is that I don't think we have a stable system that can be run strictly as a user, and that the changes required to make one go far beyond MacPorts and into the individual packages, themselves.

Just my 2c.

-- Sal
smile.

--------------
Salvatore Domenick Desiano
Doctoral Candidate
Robotics Institute
Carnegie Mellon University
On Oct 15, 2006, at 3:04 PM, Marc André Selig wrote:
>> Is this a problem with that port, or does macports require root in general?
>
> Certain targets require root in general, notably destroot and install.

This is not true. If the destroot and install targets are writable by a non-root user, then a non-root user can run these targets (unless the port needs root for some other reason, like to set suid bits or add users/groups).

>> If it's the latter, any suggestions on how I could go about patching it to allow fully non-root user installations?
>
> I don't think there is a general solution to this. port destroot is like saying make install. The software you're trying to install takes over at that point, and in a unix world, it may well do things that require root. After all, make install is traditionally run as root. To change this, you have to change the software you're trying to install to work around not having root access.

Right, individual packages may need root for other reasons. Depending on one's goals, however, it may be acceptable to work-around these individually or just deal with them not working. Provided there's a compelling reason to run as non-root in the first place.

> IOW, you will probably have to patch individual portfiles to patch the software being installed to not do anything during make install that might need root.

--
Daniel J. Luke
The mysql5 port works fine without the +server option, and still installs the server, just not the startup items, etc.

The apache2 port tries to install a startup item, so I've made a simple patch to macports to allow a startupitem type of "none" that just ignores it. I think that's 90% of the problem, really. As I find more ports with issues, I'll bring them up.

It's definitely a lot of trouble to get this working, but the alternative is to install every piece of software by hand for multiple users. So it's definitely the lesser of two evils.

Below is the patch for the "none" startupitem type; I'll need to update any docs, etc, to match.

What's the best, most reasonable approach for encouraging portfile maintainers to accept my patches?

I suspect I'll have to work out a way for commands specifying root/wheel/admin/etc. to have a simple variable to interpret that is set to the installation user. If anyone sees any serious issues with this, let me know. As this will mostly be used for libraries, etc., I don't expect to run into it often. Mostly just mysql and apache and a few other common servers.

Thanks!

Paul M. Lambert

Index: base/src/port1.0/portstartupitem.tcl =================================================================== --- base/src/port1.0/portstartupitem.tcl (revision 20071) +++ base/src/port1.0/portstartupitem.tcl (working copy) @@ -628,12 +628,15 @@ } } - ui_msg "$UI_PREFIX [msgcat::mc "Creating ${startupitem.type} control script"]" + if {${startupitem.type} != "none"} { + ui_msg "$UI_PREFIX [msgcat::mc "Creating $ {startupitem.type} control script"]" + } switch -- ${startupitem.type} { launchd { startupitem_create_darwin_launchd } systemstarter { startupitem_create_darwin_systemstarter } rcng { startupitem_create_rcng } + none { } default { ui_error "$UI_PREFIX [msgcat::mc "Unrecognized startupitem type %s" ${startupitem.type}]" } } }
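Review bot: the added ui_msg line inside the new if block reads "Creating $ {startupitem.type} control script", with a space between the $ and the brace, so Tcl would print that text literally instead of the startupitem type; the removed line has ${startupitem.type} without the space, so this looks like mail line-wrap damage and the patch should be resent as an attachment. In the same hunk, the guard ${startupitem.type} != "none" is a string comparison and would be clearer with the ne operator. The empty "none { }" arm sits directly above the default arm that reports unrecognized types, so a one-line comment saying the no-op is intentional would help the next reader.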
On Oct 15, 2006, at 5:00 PM, Paul M. Lambert wrote:
> The apache2 port tries to install a startup item, so I've made a simple patch to macports to allow a startupitem type of "none" that just ignores it.

This patch should be put into trac (with the base component) so that someone with commit to base/ can review and apply it.

> What's the best, most reasonable approach for encouraging portfile maintainers to accept my patches?

Attach the patch to a bug/ticket in trac and assign it to the maintainer. (and make sure to include that the patch enables the port to be installed without being root)

--
Daniel J. Luke
Thanks!

Paul M. Lambert
I think the points Paul raises are valid, however, and lead back to the same topic we discuss at least every 3 months here: There should be a way of flagging ports that need root. In the short-term, those ports could then at least fail to run in a reasonable way (e.g. with an error message) if the needs_root procedure detects a non-uid of 0. In some later incarnation of macports, it could even try to acquire this privilege on the fly or talk to some sort of privilege-separated root helper.

Something along the following lines?

    needs_root {
        post-destroot {
            install-user foo
            system "rm -f /mach_kernel"
            exec reboot
            ...
        }
    }

Where we've always gotten hung up in the past is on the notion of "re-invocation", e.g. what you'd like to effectively be able to do when you detect that root privs are detected is re-invoke the whole "port install ..." command as "sudo port install ...", but as we've already established (repeatedly), that's just not viable given that you can't just reinvoke the whole operation and expect things to work properly.

You could, however, potentially invoke another root instance of the helper and send a serialized copy of everything in the needs_root body after doing variable expansion on it. The hard part, of course, is getting the behavior of eval to work such that sub-procs are not executed but the variables are expanded so that you don't have to worry (so much) about passing interpreter state across. If the portfile defines its own procedures and then calls them from the body then all bets are off, of course, but you could always explicitly disallow that in needs_root blocks.

Just an idea. I'm sure we'll never implement it. :-)

- Jordan
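Added example, not part of the message above and not MacPorts code: a plain-Tcl sketch of the two ideas in that message, failing with an error when the uid is not 0 and expanding the variables of a block without running its commands. The needs_root proc, the current_uid helper and every sample value are hypothetical.

```tcl
# Hypothetical sketch; needs_root is not an existing MacPorts procedure.

# Plain tclsh has no getuid, so ask id(1) for the effective uid.
proc current_uid {} {
    return [string trim [exec id -u]]
}

proc needs_root {body} {
    # Expand $variables from the caller's scope, but leave [commands] and
    # backslash sequences as literal text: nothing in the body runs here.
    # Caveats for anyone shipping this text to a root helper:
    #  - values are spliced in as raw script text, so a value containing
    #    spaces or brackets changes the script the helper would evaluate;
    #    passing Tcl lists of words avoids that.
    #  - per the subst manual, a command inside an array index is still
    #    evaluated even with -nocommands.
    set expanded [uplevel 1 [list subst -nocommands -nobackslashes $body]]

    if {[current_uid] != 0} {
        # Short-term behaviour: fail in a reasonable way, showing what
        # would have needed root.
        return -code error "root is required for:$expanded"
    }
    # Already root: evaluate the original body in the caller's scope.
    uplevel 1 $body
}

# Constructed sample values standing in for port variables.
set destroot /tmp/example-destroot
set prefix   /Users/example/macports
set owner    root

set body {
    file mkdir ${destroot}${prefix}/var/db/mysql5
    file attributes ${destroot}${prefix}/var/db/mysql5 -owner ${owner}
    puts "finished at [clock seconds]"
}

if {[catch {needs_root $body} msg]} {
    puts stderr "Error: $msg"
}
```

Run as a normal user, this prints the error with the paths and owner expanded and the [clock seconds] call left as literal text.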
_______________________________________________ macports-dev mailing list macports-dev@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo/macports-dev
participants (5)
- Daniel J. Luke
- Jordan K. Hubbard
- Marc André Selig
- Paul M. Lambert
- Salvatore Domenick Desiano