UID is used for chown as GID

[petrmanek]

pikaur -Vq
Pikaur v1.32
Pacman v7.0.0 - libalpm v15.0.0 - pyalpm v0.10.6

[Optional] Prerequisites:

N/A

Description:

Following recent deprecation of DynamicUsers, I implemented steps described as 'solution 2' in this post, which I understand to be the proper way of addressing this change.

1. I created a user called 'ppm' (pikaur package management) with uid: 617, gid: 616. useradd --system --home-dir="/" --shell="/usr/bin/nologin" --comment="Pikaur Package Management" ppm
2. I created a directory called /var/cache/ppm owned by ppm:ppm. chown -R ppm:ppm /var/cache/ppm
3. I changed my personal user's ~/.config/pikaur.conf to the following settings (everything else is untouched since I first installed pikaur years ago)
   • DynamicUsers=never
   • UserId=617
   • CachePath=/var/cache/ppm
   • DataPath=/var/cache/ppm

At the next run of pikaur, I found that the program attempted to change ownership of /var/cache/ppm to 617/617 and complained that:

🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur'
🛴 error:
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur/aur_repos'
🛴 error:

For due diligence, I also managed to confirm this using strace:

[...]
newfstatat(AT_FDCWD, "/home/petr/bin/sudo", 0x7ffc1e395bb0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/petr/.local/bin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/sbin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/sudo", 0x7ffc1e395c30, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=257168, ...}, 0) = 0
access("/usr/bin/sudo", X_OK)           = 0
newfstatat(AT_FDCWD, "/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0755, st_size=257168, ...}, 0) = 0
newfstatat(AT_FDCWD, "/var/cache/ppm/pikaur", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
chown("/var/cache/ppm/pikaur", 617, 617) = -1 EPERM (Operation not permitted)

There are 3 issues with this in my opinion:

1. The correct uid/gid pair is 617/616 and not 617/617 since the gid 617 on my system represents the audit group, not ppm. Unfortunately both values passed to chown appear to be configured to UserId and I could not find any GroupId parameter that would allow me to override the latter value.
2. Pikaur attempts to chown the referenced path as my personal user, not as root. Since my user does not have any ownership of the directory in question, this understandably fails with EPERM.
3. Pikaur attempts to chown the referenced path always, irrespective of its existing owners. If for the sake of argument I explicitly chown /var/cache/ppm to 617/617 (which I do not believe is correct), pikaur still unnecessarily attempts to chown it to the same values, failing in the process.

Since deprecation of dynamic users is a little bit mysterious to me, I tried to do my due diligence as a responsible user and locate any mentions of it in documentation or release notes to determine the proper course of action. To my disappointment, with the exception of README sections documenting DynamicUsers and UserId configuration parameters, this commit and this issue, there was very little information to go on. This left me a little bit in the dark.

For that reason I would like to take this opportunity to ask for clarification/advice:

• Did I implement the UserId method correctly on my system? Are there any special attributes or capabiities that my ppm user should have in order to work with the UserId option?
• Is it acceptable to have CachePath and DataPath point to the same directory, as suggested by the instructions I followed? For some reason this feels really suspicious to me.
• Is any of my 3 concerns about chowning that path well-substantiated? If so, how should I address this on my system?

Thank you for any information you can share!

Attached log:

pikaur -S --verbose --pikaur-debug                                                                                                                                                                   
🛴 debug: main_1000: Setting stdout to utf-8...
🛴 debug: main_1000: already set - nothing to do
🛴 debug: main_1000: Setting stderr to utf-8...
🛴 debug: main_1000: already set - nothing to do
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur'
🛴 error:
🛴 error:
🛴 error: Can't change owner to 617: [Errno 1] Operation not permitted: '/var/cache/ppm/pikaur/aur_repos'
🛴 error:
🛴 debug: main_1000: Pikaur operation found for args ['/usr/bin/pikaur', '-S', '--verbose', '--pikaur-debug']: cli_install_packages
=> sudo --preserve-env=EDITOR -- /usr/bin/pikaur -S --verbose --pikaur-debug --pikaur-config=/home/petr/.config/pikaur.conf --user-id=617 --home-dir=/home/petr --xdg-cache-home=/var/cache/ppm --xdg-data-home=/var/cache/ppm
🛴 debug: main_0: Setting stdout to utf-8...
🛴 debug: main_0: already set - nothing to do
🛴 debug: main_0: Setting stderr to utf-8...
🛴 debug: main_0: already set - nothing to do
🛴 debug: main_0: Pikaur operation found for args ['/usr/bin/pikaur', '-S', '--verbose', '--pikaur-debug', '--pikaur-config=/home/petr/.config/pikaur.conf', '--user-id=617', '--home-dir=/home/petr', '--xdg-cache-home=/var/cache/ppm', '--xdg-data-home=/var/cache/ppm']: cli_install_packages
🛴 debug: install_info_fetcher:
Gonna fetch install info for:
    install_package_names=[]
    not_found_repo_pkgs_names=[]
    pkgbuilds_packagelists={}
    manually_excluded_packages_names=[]
    skip_checkdeps_for_pkgnames=[]

🛴 debug: install_info_fetcher: Gonna get repo pkgs install info...
Reading local package database...
🛴 debug: install_info_fetcher: gonna get AUR pkgs install info for:
    aur_packages_versionmatchers=[]
    self.aur_updates_install_info=[]
    aur_packages_names_to_versions={}
🛴 debug: install_info_fetcher: found AUR pkgs:
    aur_pkg_list=[]
not found AUR pkgs:
    not_found_aur_pkgs=[]
🛴 debug: install_info_fetcher: got AUR pkgs install info: []
🛴 debug: aur_deps: find_aur_deps: package_names=[]
🛴 debug: aur_deps: find_aur_deps: result_aur_deps={}
🛴 debug: install_info_fetcher: get_aur_deps_info: self.aur_deps_relations={}
🛴 debug: install_info_fetcher: get_aur_deps_info: aur_pkgs={}
🛴 debug: install_info_fetcher: get_aur_deps_info: [done]
🛴 debug: install_info_fetcher: get_repo_deps_info: [done]
🛴 debug: install_info_fetcher: :: marking dependant pkgs...
🛴 debug: install_info_fetcher:   :: mark_dependant :: get_repo_provided...
Reading repository package databases...
🛴 debug: install_info_fetcher:   :: mark_dependant :: get local pkgs...
🛴 debug: install_info_fetcher:   :: mark_dependant :: all_requested_pkg_names=[]
🛴 debug: install_info_fetcher:   :: mark_dependant :: explicit_aur_pkg_names=[]
🛴 debug: install_info_fetcher: == marked dependant pkgs.
🛴 debug: install_cli: self.install_info.all_install_info_containers=([], [], [], [], [], [], [], [])
🛴 Nothing to do.
🛴 debug: main_0: Restoring stdout...
🛴 debug: main_0: nothing to do
🛴 debug: main_0: Restoring stderr...
🛴 debug: main_0: nothing to do
🛴 debug: main_1000: Restoring stdout...
🛴 debug: main_1000: nothing to do
🛴 debug: main_1000: Restoring stderr...
🛴 debug: main_1000: nothing to do

[actionless]

if you just a regular user it's just enough to set DynamicUsers to never, as it described in the warning message, or just ignoring the message until this became migrated automatically when feature get fully removed. creating user is an extra step for people who would like to "simulate" that behavior of having separate user for aur builds

regarding the reported issue itself, indeed right now pikaur is using UID for setting both uid and gid of the directory, that should be fixed

[actionless]

Thanks for reporting!
You can check with pikaur-git AUR package if it works for you now.

[petrmanek]

Thanks for a fast reply!

if you just a regular user it's just enough to set DynamicUsers to never

For some reason (perhaps it was phrasing of the warning, perhaps I just misunderstood), I was under the impression that this step had to be accompanied by configuring a non-trivial UserId. I can confirm that changing DynamicUsers to 'never' and leaving UserId at 0 is a sufficient response to the warning.

creating user is an extra step for people who would like to "simulate" that behavior of having separate user for aur builds

I see. I don't need that.

Thanks again!
Best, Petr

[actionless]

but does your scenario with custom user gid works now?

[petrmanek]

but does your scenario with custom user gid works now?

Well, thanks to your patch I can now set the proper gid for the chown operation. ...but the main issue still remains -- pikaur runs chown needlessly because the target path already has the correct permissions, and when it does so, it carries out the command in non-escalated mode, resulting in EPERM.

For completeness I should note that I do not really need to use this feature. I merely overreacted when I saw pikaur's warning following the recent deprecation of DynamicUsers. Setting that parameter to 'never' is an acceptable solution for me.

[actionless]

but aside of writing the error the process itself works as expected? i think i just need to change it to the warning