[WBEL-devel] Re: Ah-Ha! (was: /bin/su and /usr/bin/su)
Charles Lacour
clacour@clacour.com
Tue, 9 Dec 2003 04:00:33 -0600
On Tuesday 09 December 2003 02:15, Paul Iadonisi wrote:
> On Tue, 2003-12-09 at 01:13, John Morris wrote:
>
> [snip]
>
> > Unless someone else looks into the matter and has an "Ah-Ha!" moment I'm
> > going to do my usual response to such matters. Whack it with a big
> > stick, as in patch the .spec thus:
>
> [snip]
>
> > It will work, but doesn't explain WHY it went wrong in the first place.
>
> Got it! Build the package as a non-root user. There's this little
> snippet of code in the src/Makefile:
>
> ===
> can_create_suid_root_executable=no; \
> chown root $$TMPFILE > /dev/null 2>&1 \
> && chmod $(setuid_root_mode) $$TMPFILE > /dev/null 2>&1 \
> && can_create_suid_root_executable=yes; \
> rm -f $$TMPFILE; \
> if test $$can_create_suid_root_executable = yes; then \
> $(INSTALL_SU); \
> else \
> echo "WARNING: insufficient access; not installing su"; \
> echo "NOTE: to install su, run 'make install-root' as root"; \
> fi
> ===
>
> Actually, *all* packages should be built as non-root. I believe
> that's the way Red Hat builds them internally. In fact, it was the
> reason for the introduction of the %dev keyword: so that you could build
> rpms requiring device files without needing to be root.
>
> No guarantee that all packages will be buildable as non-root, but I
> know for a fact that it is a principle that Red Hat tries to adhere to.
> I haven't checked the Fedora Project rpm building guidelines at all, but
> I think I do remember some discussion of it on one of the lists and
> there was some comment that in order for packages to be accepted by Red
> Hat, they *must* be buildable as non-root.
>
> Who knows, it might even solve some of the other unexplained problems.

I'm very glad you found that, because I probably never would have. I'm running
this stuff on my main system, which means I care about what playing around
with all this stuff might do to my system. I was being very, very careful NOT
to run any of it as root.

I read your post in the middle of my first successful compile. (I don't really
understand the rpmbuild process yet, and copied over /var/lib/rpm/* to my
working directory so it would quit gritching at me about 18,000 missing
packages.)

If you hadn't posted when you did, I would have gone slightly nuts trying to
figure out why mine worked fine, and John's didn't.

Good eye!
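
Added example, not part of the original message or of the Makefile quoted in it: a shell sketch that repeats the quoted privilege probe on a throwaway file and lists setuid/setgid files under a staging directory, so a packager can see which branch a build would take and what it actually installed. The function names are hypothetical, and mode 4755 is an assumed stand-in for `$(setuid_root_mode)`.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from the thread or the package.

# Repeat the Makefile's probe on a temporary file. Prints "yes" if this user
# can produce a root-owned setuid file (the branch that runs $(INSTALL_SU)),
# "no" otherwise (the branch that only prints the warning).
can_create_suid_root() {
    tmp=$(mktemp) || return 2
    result=no
    # 4755 is an assumption standing in for $(setuid_root_mode).
    chown root "$tmp" >/dev/null 2>&1 \
        && chmod 4755 "$tmp" >/dev/null 2>&1 \
        && result=yes
    rm -f "$tmp"
    echo "$result"
}

# Print every setuid or setgid regular file under the directory given as $1
# (for example a build root), sorted, for comparison with what the .spec
# file declares.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Stand-alone use: report the probe result, then scan a directory if given.
echo "probe result for uid $(id -u): $(can_create_suid_root)"
if [ -n "${1:-}" ]; then
    list_setid_files "$1"
fi
```

Run as the build user, a "no" here means the package's `make install` takes the warning branch and leaves setuid placement to the packaging metadata.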