Meta: Build filesystem without root privileges

[bcoles]

There has been some discussion (#5644) on working around the requirement for root privileges (which requires entering a password for sudo) every time we build the filesystem.

Currently root privileges are required due to various privileged operations inside build-root-filesystem.sh, such as setting a file as root-owned or set-uid root. For example:

serenity/Meta/build-root-filesystem.sh

Lines 47 to 67 in 31364da

	chown 0:$wheel_gid mnt/bin/su
	chown 0:$wheel_gid mnt/bin/passwd
	chown 0:$phys_gid mnt/bin/keymap
	chown 0:$phys_gid mnt/bin/shutdown
	chown 0:$phys_gid mnt/bin/reboot
	chown 0:0 mnt/boot/Kernel
	chown 0:0 mnt/res/kernel.map
	chmod 0400 mnt/res/kernel.map
	chmod 0400 mnt/boot/Kernel
	chmod 4750 mnt/bin/su
	chmod 4755 mnt/bin/passwd
	chmod 4755 mnt/bin/ping
	chmod 4755 mnt/bin/traceroute
	chmod 4750 mnt/bin/reboot
	chmod 4750 mnt/bin/shutdown
	chmod 4750 mnt/bin/keymap
	chown 0:$utmp_gid mnt/bin/utmpupdate
	chmod 2755 mnt/bin/utmpupdate
	chmod 600 mnt/etc/shadow
	chmod 755 mnt/res/devel/templates/*.postcreate
	echo "done"

This isn't ideal. Constantly prompting for credentials is annoying. And repetitively performing privileged operations (such as chown and chmod set-uid root) on user-owned files doesn't sit well with me either.

If someone is interested in resolving the situation properly, the requirement for sudo could be removed by instead building the filesystem inside a user namespace where fake "root" privileges can be granted (unshare -r).

This is significantly more secure than using sudo as no privileged operations are ever performed. Real root privileges are never granted or required.

The obvious disadvantage to this approach is that the underlying operating system must support user namespaces. As such, any implementation should also support falling back to using sudo if namespaces aren't available.

[Hendiadyoin1]

well there is the genext2fs -or whatever- way, but it apperently does not do the setuid (etc.) stuff and with that neither your sync-local.sh works and you can't use su...

[bcoles]

well there is the genext2fs -or whatever- way, but it apperently does not do the setuid (etc.) stuff and with that neither your sync-local.sh works and you can't use su...

We're already using genext2fs which requires root privileges to set root ownership and the set-uid bit, hence the requirement for sudo. Building the filesystem inside a namespaces removes this requirement for systems which support namespaces.

[supercomputer7]

Just from curiosity, isn't fakeroot utility supposed to help build packages, which is similar to what we want to do here?
I'm not sure yet how it can be done with fakeroot, maybe we need to fundamentally change how the script works, maybe I'm totally wrong about this.

[supercomputer7]

We could also entirely remove the need of loopback mounting, by using debugfs to manipulate a disk image directly.

[codebutler]

For Mac users: The version of genext2fs in homebrew was very old and didn't support the command line flags used in the Serenity build script. I just updated this to the latest version: Homebrew/homebrew-core#76862 It's much less hassle than dealing with fuse.

Also, I tried using fakeroot for setting permissions but it doesn't seem to work with the latest macos. 🤔

[kissen]

On Debian 10 I am able to build the SerenityOS image with a combination of fakeroot and genext2fs. As basic support for genext2fs is already available (#6987), this was as easy as replacing the call to sudo with fakeroot: kissen@bbb31f9.

Not sure about other operating systems and whether this should be the default/whether it should be configurable.

[LucasChollet]

Any chance to see kissen/serenity@bbb31f9 merged?

Works out of the box for me.

[bcoles]

#6987 introduced genext2fs into the build script.

#11224 introduced fakeroot into the build script.

The filesystem can now be built without root privileges.