google / bazel_rules_install

Bazel rules for installing build results. Similar to `make install`.
Apache License 2.0

Clarification: what happens when running as root? #16

Closed hzeller closed 4 years ago

hzeller commented 4 years ago

For installing binaries in system directories, one has to run the installer as root:

```
sudo bazel run :install -c opt /usr/local/bin
```

Bazel does all kinds of internal caching of object files, writes status files, etc. Will this mess up the `~/.cache/bazel` files, or will this 'just work', as then bazel would create these artifacts in `~root/.cache/bazel`? I suspect the latter; and while this is a duplicate of build work as a different user, this is probably an acceptable solution for now.

(In a typical make situation, one would run `make` to build the artifacts, then `sudo make install` to just do the copying. Bazel is a lot more complex, so I want to make sure that this will work as intended.)

OR: is running bazel as root currently not recommended, and should one wait for the "When needed asks for write access" checkbox to be implemented?

Either way, it is probably good to clarify that in the README.

bttk commented 4 years ago

I think that ultimately sudo should be supported by the installer itself (see #4).

This could be tried automatically or with something like:

```
sudo bazel run :install -c opt -- --sudo /usr/local/bin
```

fangism commented 4 years ago

As a long time GNU auto-tools user (and package maintainer in a past life), I'm used to:

I would never recommend sudo-ing the entire build-and-install workflow in one step, for security reasons.

hzeller commented 4 years ago

I agree with you, David. Unfortunately, the way bazel works, it will look at the symbolic build links (`bazel-out/` etc.), point it to your cache directory `~/.cache/bazel` and then do its thing. So even if we do `bazel build //...` (which then builds it with you as a user) and then do `sudo bazel run :install ...`, it will run as root, find that it hasn't built anything in `~root/.cache/bazel` yet, proceed to build it (as root) and then do the install. So the way bazel works gets in the way of doing a safe install procedure.

I wonder if bazel can be tweaked to, even if invoked with `sudo bazel run :install`, look at the current build links (and realize that it runs as a different user and go into a 'read only mode') to do the safe install of the build artifact.

bttk commented 4 years ago

This is now solved with release 0.3:

https://github.com/google/bazel_rules_install/releases/tag/0.3
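
The split discussed in the comments by fangism and hzeller above (build as a normal user, elevate only the copy), as an added example that is not from the thread or from bazel_rules_install and does not describe how release 0.3 works. The function names, the use of `install(1)` and the use of `bazel cquery --output=files` to locate the built file are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: build unprivileged, elevate only the file copy.
# Function names and the use of install(1) are assumptions, not project code.

# True when the given uid may run the build step (anything but root).
# The uid is a parameter so the check can be exercised without being root.
may_build_as() {
  [ "$1" -ne 0 ]
}

# True when the current user cannot write to the destination directory.
needs_elevation() {
  [ ! -w "$1" ]
}

# Copy one built file into destdir; sudo wraps that single command only.
install_artifact() {
  local src="$1" destdir="$2"
  [ -f "$src" ] || { echo "no such artifact: $src" >&2; return 2; }
  [ -d "$destdir" ] || { echo "no such directory: $destdir" >&2; return 2; }
  if needs_elevation "$destdir"; then
    sudo install -m 0755 -- "$src" "$destdir/"
  else
    install -m 0755 -- "$src" "$destdir/"
  fi
}

# Run from the workspace root: build as the invoking user, then install.
build_and_install() {
  local target="$1" destdir="$2" out
  may_build_as "$(id -u)" || { echo "refusing to build as root" >&2; return 1; }
  bazel build -c opt "$target" || return 1
  # cquery --output=files prints the workspace-relative path of each output;
  # it runs as the invoking user, like the build itself.
  out="$(bazel cquery -c opt --output=files "$target" 2>/dev/null | head -n1)"
  install_artifact "$out" "$destdir"
}

# Usage: ./user_build_root_install.sh //some:target /usr/local/bin
if [ "$#" -eq 2 ]; then
  build_and_install "$1" "$2"
fi
```

It copies a single output file, so targets that depend on runfiles are out of its scope.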