Use fakeroot to build debs unless run as root

[michaelweghorn]

As the documentation states, file ownerships and permissions inside Debian packages are incorrect unless epm is run as root or with the fakeroot command.

Use "fakeroot" inside epm to create the Debian packages to ensure that ownerships and permissions are correct without the user having to take care explicitly.

EPM's documentation currently states:

To ensure that all file permissions and ownerships are correct, you must build the distribution as the root user or use the fakeroot software, introducing potential security risks and violating many corporate security policies.

I am not sure what exactly this means. Does it refer to running as root or to running with fakeroot?
So far, I've never heard that using fakeroot introduces any security issues. fakeroot's man page itself says:

SECURITY ASPECTS
fakeroot is a regular, non-setuid program. It does not enhance a user's privileges, or decrease the system's security.

[michaelweghorn]

I have no experience with those, but this can probably be extended so that fakeroot is used for the other package formats that have to be built as root to have proper ownerships.
Please let me know what you think and I can have a look.

[michaelrsweet]

Investigating... the documentation change was made 17 years ago (!) to add a reference to the fakeroot software, and the original warning was about running as root, so I think the comment is about running as root and not about fakeroot being bad... :/

As for extending things, fakeroot is unique to Linux and IIRC dpkg is the only format on Linux that needs it...

[michaelweghorn]

Thanks!

I just saw that there are two more cases in epm.c for which a similar warning is emitted if not run as root (but do not even know what "Tru64" refers to nor ever have had to do with HP-UX...):

    case PACKAGE_SETLD :
        if (geteuid())
	  fputs("epm: Warning - file permissions and ownership may not be correct\n"
	        "     in Tru64 packages unless you run EPM as root!\n", stderr);

        i = make_setld(prodname, directory, platname, dist, &platform);
	break;
    case PACKAGE_SWINSTALL :
        if (geteuid())
	{
	  fputs("epm: Error - HP-UX packages must be built as root!\n", stderr);
          i = 1;
	}
	else
          i = make_swinstall(prodname, directory, platname, dist, &platform);
	break;

[michaelweghorn]

I updated the commit since an else was missing (after some last-minute "optimization" before creating the merge request...).

[michaelweghorn]

I updated the commit since an else was missing (after some last-minute "optimization" before creating the merge request...).

And just did another minor change (else if on new line) to match the existing code style.

[michaelrsweet]

@michaelweghorn Tru64 == Digital UNIX == OSF/1 - all products of the old Digital Equipment Corporation (DEC) of VAX fame. They were bought out by Compaq who was bought by HP a long long time ago now. HP-UX is/was HP's branded UNIX OS.

I keep debating whether to pull support for the old legacy operating systems, but that would really just leave macOS and Linux and there are a lot of better options these days - pkgbuild/Homebrew/etc. on macOS and snapcraft/AppImage/docker/etc. on Linux - that handle the dependency and isolation/namespace issues much better...

[michaelweghorn]

@michaelrsweet: Thanks for the explanation!