1

I am always reluctant to run make install as root as the last step of installing an application from source. After all, it allows executing arbitrary code form the Makefile. It has already happened to me that due to the lack of proper quoting, Makefile commands deleted things they were not supposed to delete, including files outside of the source code directory.

For this reason, I am looking for a way to avoid running make install as root and restrict my activity as root to basic operations (like copying files or extracting an archive) that do not execute arbitrary code.

Zoltan
  • 476
  • 1
    My use case is different. The linked question is about installing an application as a user, mine is about installing an application as root, but without actually running potentially harmful commands as root. – Zoltan May 20 '18 at 10:33
  • 1
    This doesn't seem like an exact duplicate to me, if this is more about turning the compiled program to an rpm/deb package or such. Though @Zoltan, your title could probably be more explicit about the main point. – ilkkachu May 22 '18 at 08:41
  • I clarfied my goal (both in the title and in the description). – Zoltan May 22 '18 at 12:45
  • To build a rpm package from a source file, there is the command rpmbuild (you give it a .spec file detailing how to build), and then you install the .rpm file as usual. Sure, the spec (or the installed program) could do nefarious actions on installation (or later). But you have some more control (and can later uninstall, etc). I'm not familiar with the Debian machinery, but I'd think they offer the same... – vonbrand May 23 '18 at 19:03
  • For terminally paranoid folks, look for the Underhanded C Contest... – vonbrand May 23 '18 at 19:06

1 Answers1

1

After some searching, I found that most source packages (at least the ones that use autotools or cmake) allow installing to a different directory than PREFIX used for compiling, you just have to specify the desired location in the DESTDIR environment variable.

I ended up doing the following:

firejail --x11=none --net=none --whitelist="$PWD" # Enter sandbox
./configure # (or similar)
make
DESTDIR=dest make install # install application into dest
exit # from firejail

pkgname="$(basename "$PWD")" # (or specify desired package name manually)
fakeroot tar czf "$pkgname.tgz" -C dest . # pack the installed files into a .tgz archive
fakeroot alien --version=$(date +%F) -k "$pkgname.tgz" # create a .deb package from the .tgz archive

One can also use sudo alien -i instead of fakeroot alien in the last command to immediately install the package as well. Alternatively, if you don't want to turn the application into a package, you can replace the last line (which invokes alien) with sudo tar xzf "$pkgname.tgz" -C / to extract the package as root.

A few things to note here:

  • Instead of simply avoiding running potentially harmful commands as root, the compilation and installation happens inside a sandbox, which is even safer (but completely optional).
  • I abandoned checkinstall and use alien instead, which is a slightly cleaner and safer solution as it does not depend on ugly and unreliable hacks for observing and reversing file operations.
Zoltan
  • 476