diff options
| author | Eli Schwartz <eschwartz@archlinux.org> | 2023-02-07 21:24:55 -0500 |
|---|---|---|
| committer | Eli Schwartz <eschwartz@archlinux.org> | 2023-02-20 22:33:46 -0500 |
| commit | ecb32bf457ed27b75c9b4386ca1acfbd4b63869e (patch) | |
| tree | bd1399cfde6eaec22c56d03ffd2cf016acdc9777 /docs | |
| parent | a878c38476dbe886bf26bc7bafb07bd4f20f763e (diff) | |
| download | meson-ecb32bf457ed27b75c9b4386ca1acfbd4b63869e.zip meson-ecb32bf457ed27b75c9b4386ca1acfbd4b63869e.tar.gz meson-ecb32bf457ed27b75c9b4386ca1acfbd4b63869e.tar.bz2 | |
minstall: drop privileges before running rebuild_all
If the user runs `sudo meson install` this may run ninja to build
everything that gets installed. This naturally happens as root also, by
default, which is bad. Instead, detect root elevation tools and drop the
uid/gid of the child ninja process back to the original invoking user
before doing anything.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/markdown/Installing.md | 4 | ||||
| -rw-r--r-- | docs/markdown/snippets/meson_install_drop_privs.md | 16 |
2 files changed, 19 insertions, 1 deletions
diff --git a/docs/markdown/Installing.md b/docs/markdown/Installing.md index 0bc9a47..2d18c17 100644 --- a/docs/markdown/Installing.md +++ b/docs/markdown/Installing.md @@ -110,7 +110,9 @@ targets as root. This results in various bad behaviors due to build outputs and ninja internal files being owned by root. Running `meson install` is preferred for several reasons. It can rebuild out of -date targets and then re-invoke itself as root. +date targets and then re-invoke itself as root. *(since 1.1.0)* Additionally, +running `sudo meson install` will drop permissions and rebuild out of date +targets as the original user, not as root. *(since 1.1.0)* Re-invoking as root will try to guess the user's preferred method for re-running commands as root. The order of precedence is: sudo, doas, pkexec diff --git a/docs/markdown/snippets/meson_install_drop_privs.md b/docs/markdown/snippets/meson_install_drop_privs.md new file mode 100644 index 0000000..e08dfc0 --- /dev/null +++ b/docs/markdown/snippets/meson_install_drop_privs.md @@ -0,0 +1,16 @@ +## `sudo meson install` now drops privileges when rebuilding targets + +It is common to install projects using sudo, which should not affect build +outputs but simply install the results. Unfortunately, since the ninja backend +updates a state file when run, it's not safe to run ninja as root at all. + +It has always been possible to carefully build with: + +``` +ninja && sudo meson install --no-rebuild +``` + +Meson now tries to be extra safe as a general solution. `sudo meson install` +will attempt to rebuild, but has learned to run `ninja` as the original +(pre-sudo or pre-doas) user, ensuring that build outputs are generated/compiled +as non-root. |