Building zfs-utils fails with DynamicUsers enabled and complains that it doesn't have permission to run ./configure.
I saw this error for the first time today and I suspect that it's happening because I upgraded to systemd v257 which started using idmapped mounts for CacheDirectory when a unit has DynamicUsers enabled (see here).
systemd uses MOUNT_ATTR_NOEXEC for idmapped mounts (see here). This means that the unit's CacheDirectory will be noexec in the unit's mount namespace even if it's executable on disk. Pikaur builds the package inside the unit's CacheDirectory. When makepkg tries to run the configure script, which is saved in the cache directory, it fails because the directory is mounted noexec.
Turning DynamicUsers off makes the problem go away. I haven't tried with an older systemd version so I'm not completely sure that's the problem but it would make sense.
Attached log:
pikaur -S zfs-utils --verbose --pikaur-debug --dynamic-users
△ debug: main_1000: Setting stdout to utf-8...
△ debug: main_1000: already set - nothing to do
△ debug: main_1000: Setting stderr to utf-8...
△ debug: main_1000: already set - nothing to do
△ debug: main_1000: Pikaur operation found for args ['/usr/bin/pikaur', '-S', 'zfs-utils', '--verbose', '--pikaur-debug', '--dynamic-users']: cli_install_packages
=> sudo --preserve-env=EDITOR -- /usr/bin/pikaur -S zfs-utils --verbose --pikaur-debug --dynamic-users --pikaur-config=/home/mr/.config/pikaur.conf
△ debug: main_0: Setting stdout to utf-8...
△ debug: main_0: already set - nothing to do
△ debug: main_0: Setting stderr to utf-8...
△ debug: main_0: already set - nothing to do
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -E EDITOR=vim true
△ debug: main_0: Pikaur operation found for args ['/usr/bin/pikaur', '-S', 'zfs-utils', '--verbose', '--pikaur-debug', '--dynamic-users', '--pikaur-config=/home/mr/.config/pikaur.conf']: cli_install_packages
△ debug: install_info_fetcher:
Gonna fetch install info for:
install_package_names=['zfs-utils']
not_found_repo_pkgs_names=[]
pkgbuilds_packagelists={}
manually_excluded_packages_names=[]
skip_checkdeps_for_pkgnames=[]
△ debug: install_info_fetcher: Gonna get repo pkgs install info...
Reading repository package databases...
Reading local package database...
△ debug: install_info_fetcher: Checking if '['zfs-utils']' is installable:
=> pacman --color=always --sync zfs-utils --print-format %r/%n
△ debug: install_info_fetcher: Check failed - gonna check it separately:
△ debug: install_info_fetcher: Checking if 'zfs-utils' exists in the repo:
=> pacman --color=always --sync zfs-utils --print-format %r/%n --nodeps --nodeps
△ debug: install_info_fetcher: 'zfs-utils' is NOT found in the repo.
△ debug: install_info_fetcher: Check partially passed - gonna get install infos:
△ debug: install_info_fetcher: gonna get AUR pkgs install info for:
aur_packages_versionmatchers=['zfs-utils']
self.aur_updates_install_info=[]
aur_packages_names_to_versions={'zfs-utils': <VersionMatcher zfs-utils['cmp_default']None>}
△ debug: aur_module: find_aur_packages: zfs-utils uncached
=> GET https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=zfs-utils
△ debug: install_info_fetcher: found AUR pkgs:
aur_pkg_list=[<AURPackageInfo "zfs-utils" 2.2.7-1>]
not found AUR pkgs:
not_found_aur_pkgs=[]
△ debug: install_info_fetcher: got AUR pkgs install info: [<AURInstallInfo "zfs-utils" 2.2.7-1 -> 2.2.7-1>]
Resolving AUR dependencies...
△ debug: aur_deps: find_aur_deps: package_names=['zfs-utils']
△ debug: aur_deps: find_aur_deps: result_aur_deps={}
△ debug: install_info_fetcher: get_aur_deps_info: self.aur_deps_relations={}
△ debug: install_info_fetcher: get_aur_deps_info: aur_pkgs={}
△ debug: install_info_fetcher: get_aur_deps_info: [done]
△ debug: install_info_fetcher: get_repo_deps_info: [done]
△ debug: install_info_fetcher: :: marking dependant pkgs...
△ debug: install_info_fetcher: :: mark_dependant :: get_repo_provided...
△ debug: install_info_fetcher: :: mark_dependant :: get local pkgs...
△ debug: install_info_fetcher: :: mark_dependant :: all_requested_pkg_names=[]
△ debug: install_info_fetcher: :: mark_dependant :: explicit_aur_pkg_names=['zfs-utils']
△ debug: install_info_fetcher: :: mark_dependant :: - zfs-utils
△ debug: install_info_fetcher: :: mark_dependant :: providing_for=[]
△ debug: install_info_fetcher: == marked dependant pkgs.
△ debug: install_cli: self.install_info.all_install_info_containers=([], [], [], [], [], [], [<AURInstallInfo "zfs-utils" 2.2.7-1 -> 2.2.7-1>], [])
△ AUR package will be installed:
zfs-utils 2.2.7-1 -> 2.2.7-1
△ debug: prompt: Gonna get input from user...
△ debug: FileLock: Acquiring /home/mr/.cache/pikaur_prompt_284194.lock...
△ debug: FileLock: Acquired /home/mr/.cache/pikaur_prompt_284194.lock
△ debug: prompt_nolock: Restoring TTY...
△ debug: prompt_nolock: Using standard input reader...
△ Proceed with installation? [Y/n]
△ [v]iew package details [m]anually select packages
△ [r] show if packages are required by already installed packages
>> y
△ debug: FileLock: Releasing /home/mr/.cache/pikaur_prompt_284194.lock
△ debug: FileLock: Released /home/mr/.cache/pikaur_prompt_284194.lock
△ debug: prompt: Got answer: 'y'
△ debug: install_cli: << GET_PACKAGE_BUILD
△ debug: install_cli: self.pkgbuilds_packagelists={}
△ debug: aur_module: find_aur_packages: zfs-utils cached
△ debug: aur_module: find_aur_packages: zfs-utils cached
△ debug: build: Build dir: /var/cache/pikaur/build/zfs-utils
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -E EDITOR=vim git -C /var/cache/pikaur/aur_repos/zfs-utils pull origin master
△ debug: aur_module: find_aur_packages: zfs-utils cached
△ debug: build: Build dir: /var/cache/pikaur/build/zfs-utils
△ debug: install_cli: cloned_pkgbuilds={'zfs-utils': <PackageBuild "zfs-utils" ['zfs-utils']>}
△ debug: install_cli: self.package_builds_by_name={'zfs-utils': <PackageBuild "zfs-utils" ['zfs-utils']>}
△ debug: install_cli: self.package_builds_by_provides={}
△ debug: install_cli: >> GET_PACKAGE_BUILD
looking for conflicting AUR packages...
△ debug: prompt: Gonna get input from user...
△ debug: FileLock: Acquiring /home/mr/.cache/pikaur_prompt_531765.lock...
△ debug: FileLock: Acquired /home/mr/.cache/pikaur_prompt_531765.lock
△ debug: prompt_nolock: Restoring TTY...
△ debug: prompt_nolock: Using standard input reader...
Do you want to see build files diff for zfs-utils package? [Y/n] n
△ debug: FileLock: Releasing /home/mr/.cache/pikaur_prompt_531765.lock
△ debug: FileLock: Released /home/mr/.cache/pikaur_prompt_531765.lock
△ debug: prompt: Got answer: 'n'
△ warning: Not showing diff for zfs-utils package (already reviewed)
△ debug: prompt: Gonna get input from user...
△ debug: FileLock: Acquiring /home/mr/.cache/pikaur_prompt_172682.lock...
△ debug: FileLock: Acquired /home/mr/.cache/pikaur_prompt_172682.lock
△ debug: prompt_nolock: Restoring TTY...
△ debug: prompt_nolock: Using standard input reader...
Do you want to edit PKGBUILD for zfs-utils package? [y/N]
△ debug: FileLock: Releasing /home/mr/.cache/pikaur_prompt_172682.lock
△ debug: FileLock: Released /home/mr/.cache/pikaur_prompt_172682.lock
△ debug: prompt: No answer provided - using "N".
△ debug: install_cli: << BUILD PACKAGES
△ debug: install_cli: Packages to be built: ['zfs-utils']
△ debug: install_cli: Gonna build PKGBUILDS: {'zfs-utils': <PackageBuild "zfs-utils" ['zfs-utils']>}
△ debug: install_cli: Gonna build pkgnames: ['zfs-utils']
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -E EDITOR=vim mkdir -p /var/cache/private/pikaur/build/zfs-utils
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -E EDITOR=vim cp -r /var/cache/private/pikaur/aur_repos/zfs-utils/PKGBUILD /var/cache/private/pikaur/aur_repos/zfs-utils/zfs.initcpio.hook /var/cache/private/pikaur/aur_repos/zfs-utils/zfs.initcpio.install /var/cache/private/pikaur/aur_repos/zfs-utils/zfs.initcpio.zfsencryptssh.install /var/cache/private/pikaur/aur_repos/zfs-utils/zfs-node-permission.conf /var/cache/private/pikaur/aur_repos/zfs-utils/last_installed.txt /var/cache/private/pikaur/aur_repos/zfs-utils/.SRCINFO /var/cache/private/pikaur/build/zfs-utils
△ debug: FileLock: Acquiring /home/mr/.cache/pikaur_build_deps.lock...
△ debug: FileLock: Acquired /home/mr/.cache/pikaur_build_deps.lock
△ debug: build: << _FILTER_BUILT_DEPS
△ debug: build: self.all_deps_to_install=[]
△ debug: build: all_provided_pkgnames={'zfs-utils': 'zfs-utils'}
△ debug: build: >> _FILTER_BUILT_DEPS
△ debug: build: << _FILTER_BUILT_DEPS
△ debug: build: self.all_deps_to_install=[]
△ debug: build: all_provided_pkgnames={'zfs-utils': 'zfs-utils'}
△ debug: build: >> _FILTER_BUILT_DEPS
△ debug: pacman: Discarding local cache...
Reading local package database...
△ debug: FileLock: Releasing /home/mr/.cache/pikaur_build_deps.lock
△ debug: FileLock: Released /home/mr/.cache/pikaur_build_deps.lock
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -p WorkingDirectory=/var/cache/private/pikaur/build/zfs-utils -E EDITOR=vim makepkg --packagelist
△ debug: build: Package names: InteractiveSpawn returned 0:
STDOUT:
/var/cache/private/pikaur/build/zfs-utils/zfs-utils-2.2.7-1-x86_64.pkg.tar
/var/cache/private/pikaur/build/zfs-utils/zfs-utils-debug-2.2.7-1-x86_64.pkg.tar
STDERR:
Running as unit: run-r749cade1ebb04714a73b33cfdee5ed63.service
Finished with result: success
Main processes terminated with: code=exited, status=0/SUCCESS
Service runtime: 1.069s
CPU time consumed: 1.203s
Memory peak: 5.8M (swap: 0B)
△ debug: build: PKGDEST: None
△ debug: build: Full path: /var/cache/private/pikaur/build/zfs-utils/zfs-utils-2.2.7-1-x86_64.pkg.tar, base path: zfs-utils-2.2.7-1-x86_64.pkg.tar
△ debug: build: New package path: /var/cache/pikaur/pkg/zfs-utils-2.2.7-1-x86_64.pkg.tar
△ debug: build: Found debug packages: [PosixPath('/var/cache/private/pikaur/build/zfs-utils/zfs-utils-debug-2.2.7-1-x86_64.pkg.tar')]
△ Starting the build:
=> /usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -p WorkingDirectory=/var/cache/private/pikaur/build/zfs-utils -E EDITOR=vim -E GNUPGHOME=/etc/pikaur.d/gnupg makepkg --force
Running as unit: run-r3775171237ad468698c35a7a96422b19.service
Press ^] three times within 1s to disconnect TTY.
==> Making package: zfs-utils 2.2.7-1 (Sat 14 Dec 2024 01:57:13 PM CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading zfs-2.2.7.tar.gz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 32.2M 100 32.2M 0 0 34.2M 0 --:--:-- --:--:-- --:--:-- 356M
-> Downloading zfs-2.2.7.tar.gz.asc...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 836 100 836 0 0 1116 0 --:--:-- --:--:-- --:--:-- 1116
-> Found zfs-node-permission.conf
-> Found zfs.initcpio.install
-> Found zfs.initcpio.hook
-> Found zfs.initcpio.zfsencryptssh.install
==> Validating source files with sha256sums...
zfs-2.2.7.tar.gz ... Passed
zfs-2.2.7.tar.gz.asc ... Skipped
zfs-node-permission.conf ... Passed
zfs.initcpio.install ... Passed
zfs.initcpio.hook ... Passed
zfs.initcpio.zfsencryptssh.install ... Passed
==> Validating source files with b2sums...
zfs-2.2.7.tar.gz ... Passed
zfs-2.2.7.tar.gz.asc ... Skipped
zfs-node-permission.conf ... Passed
zfs.initcpio.install ... Passed
zfs.initcpio.hook ... Passed
zfs.initcpio.zfsencryptssh.install ... Passed
==> Verifying source file signatures with gpg...
zfs-2.2.7.tar.gz ... Passed
==> Extracting sources...
-> Extracting zfs-2.2.7.tar.gz with bsdtar
==> Starting prepare()...
configure.ac: warning: AM_GNU_GETTEXT is used, but not AM_GNU_GETTEXT_VERSION or AM_GNU_GETTEXT_REQUIRE_VERSION
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'config'.
libtoolize: copying file 'config/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'config'.
libtoolize: copying file 'config/libtool.m4'
libtoolize: copying file 'config/ltoptions.m4'
libtoolize: copying file 'config/ltsugar.m4'
libtoolize: copying file 'config/ltversion.m4'
libtoolize: copying file 'config/lt~obsolete.m4'
configure.ac:49: installing 'config/compile'
configure.ac:43: installing 'config/missing'
Makefile.am: installing 'config/depcomp'
==> Starting build()...
/var/cache/private/pikaur/build/zfs-utils/PKGBUILD: line 53: ./configure: Permission denied
==> ERROR: A failure occurred in build().
Aborting...
Finished with result: exit-code
Main processes terminated with: code=exited, status=4/NOPERMISSION
Service runtime: 15.844s
CPU time consumed: 13.513s
Memory peak: 154.6M (swap: 0B)
IP traffic received: 32.4M sent: 38.4K
IO bytes written: 110.4M
Command '/usr/sbin/systemd-run --service-type=oneshot --pipe --wait --pty -p DynamicUser=yes -p CacheDirectory=pikaur -E HOME=/tmp -p WorkingDirectory=/var/cache/private/pikaur/build/zfs-utils -E EDITOR=vim -E GNUPGHOME=/etc/pikaur.d/gnupg makepkg --force' failed to execute.
△ debug: prompt: Gonna get input from user...
△ debug: FileLock: Acquiring /home/mr/.cache/pikaur_prompt_136072.lock...
△ debug: FileLock: Acquired /home/mr/.cache/pikaur_prompt_136072.lock
△ debug: prompt_nolock: Restoring TTY...
△ debug: prompt_nolock: Using standard input reader...
△ Try recovering?
[R] retry build
[p] PGP check skip
[c] checksums skip
[f] skip 'check()' function of PKGBUILD
[n] skip 'prepare()' function of PKGBUILD
[i] ignore architecture
[d] delete build dir and try again
[e] edit PKGBUILD
------------------------
[s] skip building this package
[a] abort building all the packages
> a
△ debug: FileLock: Releasing /home/mr/.cache/pikaur_prompt_136072.lock
△ debug: FileLock: Released /home/mr/.cache/pikaur_prompt_136072.lock
△ debug: prompt: Got answer: 'a'
△ debug: main_0: Restoring stdout...
△ debug: main_0: nothing to do
△ debug: main_0: Restoring stderr...
△ debug: main_0: nothing to do
△ debug: main_1000: Restoring stdout...
△ debug: main_1000: nothing to do
△ debug: main_1000: Restoring stderr...
△ debug: main_1000: nothing to do
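The mechanism described in the report above can be confirmed from the mount table of the unit's mount namespace. As an added example (not part of the original issue and not pikaur's code), the following parses `/proc/self/mountinfo`-format text and reports whether the mount covering a build directory carries `noexec`; the sample mount table and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/<pid>/mountinfo format (not taken from the issue):
# how a unit's mount namespace could look when its CacheDirectory is noexec.
SAMPLE_MOUNTINFO = """\
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
85 22 8:2 /var/cache/private/pikaur /var/cache/private/pikaur rw,nosuid,noexec,relatime,idmapped shared:40 - ext4 /dev/sda2 rw
90 22 0:45 / /tmp rw,nosuid,nodev shared:12 - tmpfs tmpfs rw
"""


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return (mount_point, per_mount_option_set) for every entry, in order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # malformed or truncated line
        mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts


def covering_mount(path, mounts):
    """Pick the mount governing `path`: longest mount-point prefix; for equal
    mount points the later entry wins because it is stacked on top."""
    path = os.path.normpath(path)
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        covers = path == mount_point or path.startswith(prefix)
        if covers and (best is None or len(mount_point) >= len(best[0])):
            best = (mount_point, options)
    return best


def is_noexec(path, mountinfo_text):
    mount = covering_mount(path, parse_mountinfo(mountinfo_text))
    return mount is not None and "noexec" in mount[1]


if __name__ == "__main__":
    build_dir = "/var/cache/private/pikaur/build/zfs-utils"
    print(build_dir, "noexec:", is_noexec(build_dir, SAMPLE_MOUNTINFO))
```

On a live system, feed it the contents of `/proc/self/mountinfo` read by a process running inside the unit, since the `noexec` flag exists only in that mount namespace and the directory still looks executable from the host.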
Makes sense. Besides, a malicious PKGBUILD could also backdoor the files that will be installed on the system even if it runs inside a sandbox so I would argue that dynamic users don't offer that much protection.
OK, then maybe, to prepare the userbase for such a migration, I'll set that option as deprecated, so it would still attempt to work, but print a clear warning about future disabling.
Prerequisites
DynamicUsers enabled in the Pikaur configuration.