summaryrefslogtreecommitdiff
path: root/dh_testroot
blob: 042331b6185fe296ef86f6b0fd2e2fd1544fd544 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/bin/perl

=encoding UTF-8

=head1 NAME

dh_testroot - ensure that a package is built with necessary level of root permissions

=head1 SYNOPSIS

B<dh_testroot> [S<I<debhelper options>>]

=head1 DESCRIPTION

B<dh_testroot> is used to determine if the target is being run with
sufficient access to (fake)root.

The definition of sufficient access depends on whether the builder
(the tool invoking the F<debian/rules> target) supports the
I<Rules-Requires-Root> (R³) field.  If the builder supports R³, then
it will set the environment variable I<DEB_RULES_REQUIRES_ROOT> and
B<dh_testroot> will validate that the builder followed the minimum
requirements for the given value of I<DEB_RULES_REQUIRES_ROOT>.

If the builder does not support I<Rules-Requires-Root>, then it will
not set the I<DEB_RULES_REQUIRES_ROOT> environment variable.  This
will in turn make B<dh_testroot> (and the rest of debhelper) fall back
to assuming that (fake)root is implied.

The following is a summary of how B<dh_testroot> behaves based on the
I<DEB_RULES_REQUIRES_ROOT> environment variable (leading and trailing
whitespace in the variable is ignored).

=over 4

=item -

If unset, or set to C<binary-targets>, then B<dh_testroot> asserts
that it is run as root or under L<fakeroot(1)>.

=item -

If set to C<no>, then B<dh_testroot> returns successfully (without
performing any additional checks).

=item -

If set to any other value than the above, then B<dh_testroot> asserts
that it is either run as root (or under L<fakeroot(1)>) or the builder
has provided the B<DEB_GAIN_ROOT_CMD> environment variable (e.g. via
dpkg-buildpackage -r).

=back

Please note that B<dh_testroot> does I<not> read the
I<Rules-Requires-Root> field.  Which implies that B<dh_testroot> may
produce incorrect result if the builder lies in
I<DEB_RULES_REQUIRES_ROOT>.  On the flip side, it also enables things
like testing for what will happen when I<DEB_RULES_REQUIRES_ROOT> is
set to a given value.

=cut

use strict;
use warnings;
use Debian::Debhelper::Dh_Lib;

our $VERSION = DH_BUILTIN_VERSION;

inhibit_log();

my $requirements = Debian::Debhelper::Dh_Lib::root_requirements();

if (! -f 'debian/control') {
	warning('dh_testroot must be called from the source root');
}

# By declaration; nothing requires root and this command must be a no-op in that case.
exit 0 if $requirements eq 'none';
# The builder /can/ choose to ignore the requirements and just call us as root.
# If so, we do not bother checking the requirements any further.
exit 0 if $< == 0;
if ($requirements eq 'legacy-root') {
	error("You must run this as root (or use fakeroot).");
} else {
	my $env = $ENV{DEB_GAIN_ROOT_CMD};
	error("Package needs targeted root but builder has not provided a gain-root command via \${DEB_GAIN_ROOT_CMD}")
		if not $env;
}

=head1 SEE ALSO

L<debhelper(7)>

This program is a part of debhelper.

=head1 AUTHOR

Joey Hess <joeyh@debian.org>

=cut