WIP: run0 support

Signed-off-by: Christian Heusel <christian@heusel.eu>
Fix typo
2025-10-05 20:16:19 +02:00 · 2025-10-04 20:58:39 +02:00 · 2025-09-29 20:00:02 -03:00
6 changed files with 42 additions and 43 deletions
--- a/doc/man/offload-build.1.asciidoc
+++ b/doc/man/offload-build.1.asciidoc
@@ -14,7 +14,7 @@ Description

 Build a PKGBUILD on a remote server using makechrootpkg. Requires a remote user
 that can run archbuild in a non-interactive manner, e.g. must be able to
-elevate permissions using passwordless sudo.
+elevate permissions using passwordless run0.

 Options
 -------
--- a/doc/man/pkgctl-auth.1.asciidoc
+++ b/doc/man/pkgctl-auth.1.asciidoc
@@ -3,7 +3,7 @@ pkgctl-auth(1)

 Name
 ----
-pkgctl-auth - Authenticate with serivces like GitLab.
+pkgctl-auth - Authenticate with services like GitLab.

 Synopsis
 --------
--- a/src/lib/archroot.sh
+++ b/src/lib/archroot.sh
@@ -15,7 +15,11 @@ check_root() {
 	local orig_argv=("$@")

 	(( EUID == 0 )) && return
-	if type -P sudo >/dev/null; then
+	if type -P run0 >/dev/null; then
+		keepenv=",$keepenv"
+		command="run0 ${keepenv//,/ --setenv=}"
+		exec ${command} -- "${orig_argv[@]}"
+	elif type -P sudo >/dev/null; then
 		exec sudo --preserve-env="${keepenv}" -- "${orig_argv[@]}"
 	else
 		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
--- a/src/lib/auth/login.sh
+++ b/src/lib/auth/login.sh
@@ -33,13 +33,11 @@ pkgctl_auth_login_usage() {

 		OPTIONS
 		    -g, --gen-access-token   Open the URL to generate a new personal access token
-		    -s, --gen-ssh-token      Directly generate the token via SSH (only works if your gitlab is already configured with SSH)
 		    -h, --help               Show this help text

 		EXAMPLES
 		    $ ${COMMAND}
 		    $ ${COMMAND} --gen-access-token
-		    $ ${COMMAND} --gen-ssh-token
 _EOF_
 }

@@ -55,10 +53,6 @@ pkgctl_auth_login() {
 				pkgctl_auth_login_usage
 				exit 0
 				;;
-			-s|--gen-ssh-token)
-				USE_SSH=1
-				shift
-				;;
 			-g|--gen-access-token)
 				GEN_ACESS_TOKEN=1
 				shift
@@ -82,25 +76,17 @@ pkgctl_auth_login() {
 	environment variable using a vault, see pkgctl-auth-login(1) for details.
 _EOF_

-	if (( USE_SSH )); then
-		token=$(ssh git@gitlab.archlinux.org personal_access_token pkgctl api,write_repository 30)
-		if [[ $? -ne 0 ]]; then
-			msg_error "  Failed to generate token via SSH"
-			exit 1
-		fi
-		token=$(echo "$token" | grep 'Token:' | awk '{print $2}')
-	fi
-
 	if (( GEN_ACESS_TOKEN )); then
 		xdg-open "${personal_access_token_url}" 2>/dev/null
-		# read token from stdin
-		read -s -r -p "${GREEN}?${ALL_OFF} ${BOLD}Paste your authentication token:${ALL_OFF} " token
-		echo
+	fi

-		if [[ -z ${token} ]]; then
-			msg_error "  No token provided"
-			exit 1
-		fi
+	# read token from stdin
+	read -s -r -p "${GREEN}?${ALL_OFF} ${BOLD}Paste your authentication token:${ALL_OFF} " token
+	echo
+
+	if [[ -z ${token} ]]; then
+		msg_error "  No token provided"
+		exit 1
 	fi

 	# check if the passed token works
--- a/src/makechrootpkg.in
+++ b/src/makechrootpkg.in
@@ -185,10 +185,18 @@ prepare_chroot() {
 		echo "$x" >>"$copydir/etc/makepkg.conf"
 	done

-	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
-builduser ALL = NOPASSWD: /usr/bin/pacman
+	# TODO(gromit): check if this rule is sane
+	# TODO(gromit): this will require a full container
+	cat > "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules" <<EOF
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units") {
+        if (subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+        }
+    }
+});
 EOF
-	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+	chmod 440 "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules"

 	cat > "$copydir/etc/gitconfig" <<EOF
 [safe]
@@ -222,17 +230,14 @@ _chrootbuild() {
 	# shellcheck source=/dev/null
 	. /etc/profile

-	# Beware, there are some stupid arbitrary rules on how you can
-	# use "$" in arguments to commands with "sudo -i".  ${foo} or
-	# ${1} is OK, but $foo or $1 isn't.
-	# https://bugzilla.sudo.ws/show_bug.cgi?id=765
-	sudo --preserve-env=SOURCE_DATE_EPOCH \
-		--preserve-env=BUILDTOOL \
-		--preserve-env=BUILDTOOLVER \
-		-iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
+	run0 --setenv=SOURCE_DATE_EPOCH \
+		 --setenv=BUILDTOOL \
+		 --setenv=BUILDTOOLVER \
+		 --via-shell --chdir='~' \
+		 --user=builduser -- bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
 	ret=$?
 	case $ret in
-		0|14)
+		0)
 			return 0;;
 		*)
 			return $ret;;
@@ -243,7 +248,7 @@ _chrootnamcap() {
 	pacman -S --needed --noconfirm namcap
 	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
 		echo "Checking ${pkgfile##*/}"
-		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+		run0 --user=builduser -- namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
 	done
 }

@@ -252,8 +257,12 @@ download_sources() {
 	chown "$makepkg_user:" "$WORKDIR"

 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+	run0 --user="$makepkg_user" \
+		--setenv=GNUPGHOME \
+		--setenv=SSH_AUTH_SOCK \
+		--setenv=SRCDEST="$SRCDEST" \
+		--setenv=BUILDDIR="$WORKDIR" \
+		--chdir=. -- \
 		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
 		die "Could not download sources."
 }
@@ -400,7 +409,7 @@ if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"
 then
-	mapfile -t pkgnames < <(sudo -u "$makepkg_user" bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
+	mapfile -t pkgnames < <(run0 --user="$makepkg_user" -- bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
 	move_products
 else
 	(( ret += 1 ))
@@ -453,7 +462,7 @@ else
 		done

 		msg2 "Checking packages"
-		sudo -u "$makepkg_user" checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
+		run0 --user="$makepkg_user" -- checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
 	fi
 	true
 fi
--- a/src/makerepropkg.in
+++ b/src/makerepropkg.in
@@ -192,7 +192,7 @@ for p in "$@"; do
        pkgfile=${pkgfile_remote#file://}
        if [[ ! -f ${pkgfile} ]]; then
            msg "Downloading package '%s' into pacman's cache" "${pkgfile}"
-            sudo pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
+            run0 -- pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
            pkgfile_remote=$(pacman -Sddp "${p}" 2>/dev/null)
            pkgfile="${pkgfile_remote#file://}"
        fi
Author	SHA1	Message	Date
Christian Heusel	2609e386d4	WIP: run0 support Signed-off-by: Christian Heusel <christian@heusel.eu>	2025-10-04 20:58:39 +02:00
Rafael Fontenelle	447f7b4117	Fix typo	2025-09-29 20:00:02 -03:00