145

Why do we need fakeroot command at all? Can't we simply use the sudo or su commands?

The man page says:

fakeroot - run a command in an environment faking root privileges for file manipulation

About.com says:

Gives a fake root environment. This package is intended to enable something like: dpkg-buildpackage -rfakeroot i.e. to remove the need to become root for a package build. This is done by setting LD_PRELOAD to libfakeroot.so, which provides wrappers around getuid, chown, chmod, mknod, stat, ..., thereby creating a fake root environment. If you don't understand any of this, you do not need fakeroot!

My question is, what special purpose does it solve that a simple su or sudo don't? For example, for repacking all installed packages in ubuntu we give following command:

$ fakeroot -u dpkg-repack `dpkg --get-selections | grep install | cut -f1`

Can we do the above command with sudo or su instead of fakeroot like this:

$ sudo dpkg-repack `dpkg --get-selections | grep install | cut -f1`

EDIT:

Running:

$ sudo dpkg-repack `dpkg --get-selections | grep install | cut -f1`

gives me this error:

control directory has bad permissions 700 (must be >=0755 and <=0775)

Any reason why?

Anton Rudeshko
  • 109
gkt
  • 1,623
  • 14
    it is a good idea, for security reason, to avoid doing as root everything that could be done as normal user, even if you can run sudo or su because it is your machine. fakeroot has two usages 1) it fools programs into believing you are indeed root user, which some badly written proprietary software may require even if not needed (usually Windows developer gone Linux) and 2) it allow emulating file mode and ownership changes which you wouldn't otherwise be able to do, mainly to create a tar file with correct permissions and ownership, useful for example when packaging software. – pqnet Aug 12 '14 at 10:03
  • 3
    I think the note in the excerpt from About.com sums it up: If you don't understand any of this, you do not need fakeroot! If you can't think of a situation where fakeroot is useful, then you literally don't need it. But people who do in fact need it completely understand the use-case. – Christopher Schultz Dec 05 '16 at 15:32

9 Answers9

96

Imagine that you are a developer/package maintainer, etc. working on a remote server. You want to update the contents of a package and rebuild it, download and customize a kernel from kernel.org and build it, etc. While trying to do those things, you'll find out that some steps require you to have root rights (UID and GID 0) for different reasons (security, overlooked permissions, etc). But it is not possible to get root rights, since you are working on a remote machine (and many other users have the same problem as you). This is what exactly fakeroot does: it pretends an effective UID and GID of 0 to the environment which requires them.

In practice you never get real root privileges (in opposite to su and sudo that you mention).

Crowie
  • 103
sakisk
  • 2,873
  • 1
    so, I can't use fakeroot to change system settings ?? cuz the command we'll be running will think it's running as root and do whatever we want it do do. won't it ? – mrid Oct 28 '17 at 07:15
  • 3
    @mrid Note the "In practice you never get real root privileges". So the anwser is no – sakisk Oct 28 '17 at 16:07
87

Since the answers are hard to understand (to myself) and it took some thinking to understand it (this comment made me understand it), I'm going to give a hopefully better explanation.

1. What happens in fakeroot

Nothing more than what happens with your own user. Absolutely nothing more. If you fakeroot (which when called gives you a new shell, like sudo would), pretend to do stuff that you needed permission for, and exit, absolutely nothing would happen.

If you think about it, it's a total waste of time. Why would you do stuff that won't actually happen? It's insane. You could have simply not done any of it and there would have been no difference, since there's no trace of it.

Wait a minute...

2. The trace of fakeroot

There could be a trace left of fakeroot. Let's look at the commands in MortenSickel's answer which is pretty nice and deserves an upvote:

$ fakeroot
# echo "Wow I have root access" > root.tst
# ls -l root.tst
-rw-rw-r-- 1 root root   23 Oct 25 12:13 root.tst
# ls -l /root
ls: cannot open directory /root: Permission denied
# exit
$ ls -l root.tst
-rw-rw-r-- 1 ubuntu ubuntu 23 Oct 25 12:13 root.tst

At the first glance, it looks like having used fakeroot was a total waste of time. In the end, if you hadn't used fakeroot, you would have got the same thing.

The subtle thing here is this:

$ cat root.tst
Wow I have root access

Which means the content of the file still remembers being a root. You might say not using fakeroot would have produced the same results. You are right, this example is too simple.

Let's take another example:

$ fakeroot
# touch x
# touch y
# chown myuser:myuser x
# ls -l > listing
# exit
$ ls -l
total 4
-rw-rw-r-- 1 myuser myuser 152 Jan  7 21:39 listing
-rw-rw-r-- 1 myuser myuser   0 Jan  7 21:39 x
-rw-rw-r-- 1 myuser myuser   0 Jan  7 21:39 y
$ cat listing
total 0
-rw-rw-r-- 1 root   root   0 Jan  7 21:39 listing
-rw-rw-r-- 1 myuser myuser 0 Jan  7 21:39 x
-rw-rw-r-- 1 root   root   0 Jan  7 21:39 y

Let's see what happened. I pretended to be root, which is totally ineffective, and created x and y. I pretended x to belong to myuser and y to belong to root. They actually both belong to myuser (as we can see in the end), but I just pretended it to be like that.

Then I created a listing and saved my imagination to a file. Later when I look back at the file, I can see who I imagined the files should be owned by. Again, they are not actually owned by people I imagined, I just simply imagined that.

3. So... Why do you want that again?

You may say that I didn't really need to fake being root to create that listing. I could have simply created the listing, then edited it to reflect my imagination. You are right, you didn't need fakeroot for that. In fact, knowing that fakeroot doesn't actually do anything, you can't have possibly gained any ability you didn't have before.

But, and this is what fakeroot is all about, editing the listing could be nontrivial. As it is with a package that can be installed on your system, you have a tared, gziped, xzed, bzip2ed or any other format that is keeping your files together and remembering their permissions and owners. Can you easily modify the compressed file and edit ownership of a file? I don't know about you, but I can't think of a way.

Could there be a tool built that, once everything is compressed, it modifies the compressed file and programmatically edits the ownerships and permissions? Yes there could. So either you could fake the ownerships before compressing, or change them after. Debian people decided the former is easier.

4. Why not just use sudo?

First of all, you don't need root privileges to build software and you don't need root privileges to compress them. So if you don't need it, you'd have to really be a Windows user to even think of getting that permission. But sarcasm aside, you may not even have root password.

Besides, let's say you do have root permissions. And let's say you want to pretend that a file should have read access only to the root. So you sudo, actually change the file owner and permissions to root, you get out of root shell and try to package everything. You fail because now you cannot read the file anymore since you don't have root access. So you have to sudo and compress and build the package as root. Effectively, you have to do everything as root.

This is BadTM.

As a packager, you don't need root permissions and you shouldn't get it. When you install a package, you may need to install some file (A) as root and that's where you need root permissions. All fakeroot does is to make this possible. It lets the packager list A as owned by root for the archiver, so that when the package is decompressed by the user, the archiver demands root permission and creates A as owned by root.

Shahbaz
  • 979
79

To see clearly the difference between fakeroot and a real sudo / su, just do:

$ fakeroot
# echo "Wow I have root access" > root.tst
# ls -l root.tst
-rw-rw-r-- 1 root root   23 Oct 25 12:13 root.tst
# ls -l /root
ls: cannot open directory /root: Permission denied
# exit
$ ls -l root.tst
-rw-rw-r-- 1 ubuntu ubuntu 23 Oct 25 12:13 root.tst

As long as you are within the fakeroot shell, it looks like if you are root - as long as you do not try to do anything that really needs root privileges. And this is exactly what a packaging tool need to make packages that will make sense on any machine.

In fact, when you use fakeroot for packaging, what you want to achieve is to make the tools you run under fakeroot to see your files as owned by root. Nothing more, nothing less. So in fact, su or sudo will not work for getting the right file ownership.

Ramesh
  • 39,297
MortenSickel
  • 1,371
  • 1
  • 12
  • 24
  • Isn’t faker dangerous? If I create a file with the suid bit and rx perm, the file will be created owned by root, executable by anyone, as root! Or maybe setting the suid bit won’t work? – Frizlab Oct 03 '14 at 21:14
  • 7
    No good. I tried this out myself. Primary reason for fakeroot is to get ownership root:root into built packages without actually being root. installed packages will have proper perms, though. – hanetzer Dec 16 '14 at 14:38
  • 2
    It was all very confusing until I read @ntzrmtthihu777's comment! – Shahbaz Jan 07 '15 at 20:24
  • 2
    Sorry, I don't understand the description. Why not patch the tools so that they won't complain if you are not root? As a related question: After all, the files that you create under fakeroot are not actually owned by root. Wouldn't this imply that when I install such a .deb file, all my /usr files are owned by whoever user called fakeroot? – Johannes Schaub - litb Oct 12 '18 at 13:32
  • 3
    @JohannesSchaub-litb, no that's the point. The files are not owned by root, but inside a fakeroot shell, they look like they are. When the .deb package is created inside this shell, the file owner is read from the file system (which fakeroot intercepts and returns root) and stored in the package. When installing the package, dpkg then requires root access because the package indicates the file should be owned by root. – Shahbaz Aug 16 '19 at 06:12
36

AFAIK, fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.

fakeroot works by replacing the file manipulation library functions (chmod(), stat() etc.) by ones that simulate the effect the real library functions would have had, had the user really been root.

Synopsis : 

 fakeroot [-l|--lib library] [--faked faked-binary] [--] [command]

Check more here : fakeroot

Saurabh Gokhale
  • 461
  • @MaskTheSmokin: So fakeroot gives you super user power only for file manipulation operations,right. – gkt Feb 24 '11 at 13:11
  • @gkt.pro : I guess, yes. –  Feb 26 '11 at 11:19
  • 11
    It does not really give super user power, it only fakes it - the program running in it thinks it has root privileges, while it really still uses the user's normal privileges. – Paŭlo Ebermann Feb 26 '11 at 13:22
  • 3
    Where is the difference between the program running in it thinks it has root privileges and the program having root privileges? If I can do a rm -rf / and the program, running it thinks I have root privileges ... – user unknown Mar 20 '11 at 15:52
  • 11
    @userunknown You might be able to bypass rm's check that you have sufficient permissions, but the kernel itself wouldn't let you do it; the unlink system call would fail. It's not up to the application alone to handle permissions, or you'd be able to write your own application that doesn't check permissions and do whatever you want with it – Michael Mrozek Oct 07 '12 at 18:26
  • It still seems weird that it is needed at all. If i can use fakeroot to create a root owned file in an archive and then extract it so that root has it, then why could i not just sudo chown it to root directly? –  Oct 07 '12 at 16:30
  • 1
    An example to elucidate the need for fakeroot would be fantastic. I can see the uses of fakeroot, but I don't see why people can't work around root permissions to the point that it's easier to fake it. – Ehtesh Choudhury Apr 09 '13 at 14:54
  • Because it is something completely different. it makes your own files look for you like if they are owned by root. - see my example below. – MortenSickel Apr 11 '14 at 18:16
12

I've used it for package building scripts. I was not sure that the person running the script has root level access, but the script still needed to generate, say, a tar file which contained files that belong to root. The simplest way to do it was run the package building script under fakeroot, which tricked the archiver into believing that the files belong to root, and packed them up as such inside the archive. This way, when the package was unpacked to the destination machine (on a different machine altogether), the files didn't belong to weird or non-existing users.

Thinking about it, the only place I've seen this was for building some kind of archive: rootfs of embedded systems, tar.gz archives, rpm packages, .deb packages, etc.

  • 2
    fakeroot is a workaround tool for bugged packaging software: there is no reason you need to be root to create such packages, but since they don't allow you to specify file permissions in any other way than setting them directly into the filesystem beforehands you have no choice – pqnet Aug 12 '14 at 10:08
3

One common usage is to find out what files a failing binary really wanted to access. That is, finding out and fix or working around bugs caused by hard coded paths and improper exception handling.

Eero Ketonen
  • 31
2

You can use fakeroot without actually having root privileges. If you had su and/or sudo you would be able to destroy your system with a simple rm -rf /, but with fakeroot at most you would remove your home directory.

slm
  • 369,824
gabrielhidasy
  • 21
1

The simple answer:

su and sudo run commands as root. fakeroot does not, outside of it's partial sandbox arrangement.

jdmayfield
  • 131
0

Here's a good use:

$ echo "Hello, world." > root.tst
$ tar cf without.tar root.tst
$ fakeroot tar cf with.tar root.tst
$ tar tvf without.tar
-rw-rw-r-- ubuntu/ubuntu    14 2023-09-19 15:27 root.tst
$ tar tvf with.tar
-rw-rw-r-- root/root        14 2023-09-19 15:27 root.tst

The tar file you created without using fakeroot includes your userid in the meta data for the file. This may not be useful on another system because that system may not even have the same user. However, creating the tar file with fakeroot sets the owner to uid 0.

This is a contrived example in that you could accomplish the same thing by adding the "--owner=root" and "--group=root" arguments to the tar command, however there are other applications, such a "dpkg-deb" that call tar without giving an option for passing arguments to it.

Steven Schoch
  • 31