Opkg as non-root user?

While the topic of opkg upgrade operations appears to be still a matter of discussion (and rightly so, as I had to learn myself :-)), I need to be able to find out if outdated (upgradable) packages are present.

Short of a ready-made check_apt I want my NRPE monitor to check on this. However, the nrpe process runs as a non-privileged nagios user and so:

 $ opkg update
Collected errors:
 * opkg_conf_load: Could not create lock file /var/lock/opkg.lock: Permission denied.

The same happens for opkg list-upgradable, but of course it'd need to update the package lists first before it can check for upgradable packages.

The upstream (?) version of opkg understands a lock_file option in its configuration file, but the OpenWRT version doesn't seem to have this. I fiddled around with some other commandline switches but for some reason this didn't work, and no error is printed, even with -V3:

$ cat /var/run/nagios/opkg.conf
dest root /var/run/nagios
dest ram /tmp

$ opkg --conf /var/run/nagios/opkg.conf --offline-root /var/run/nagios --dest root; echo $?

So, in spite of knowing of the dangers of upgrading, is there a way to run opkg as a non-root user to be able to check for upgradable packages?

Oh, and I don't want to install sudo as I did not want to have any SUID executables in the router. As a workaround, a recurring (root) cron job writes the list of upgradable packages to a file and the NRPE user is then able to check on that file, but I'd rather have this w/o that workaround.

For this particular problem - the inability to write to /var/lock, you can create a new group lock. Add the nagios user to it. Then chown root:lock /var/lock

But you'll still have the problem writing to the files in /var/opkg-lists. You could try a similar technique: chmod g+w lock /var/opkg-lists/*. You might need to make the folder itself group-owned and writeable by group lock as well.

Alternatively, the solution where you just update the package list via an hourly/daily cron job, do the opkg list-upgradable into a file somewhere and then use your nagios script to cat the output strikes me as the best solution unless you actually need an on-demand update of the package list.


Thank you for responding. Yes, adjusting permissions and ownerships of all involved files and directories would have helped indeed. I was hoping for some magic opkg switches that would make tinkering with chown/chmod unnecessary, but apparently those magic 🧙‍♀️ switches do not exist in that opkg version.

I'll continue to use that cron workaround then. However, for completeness' sake, and if anyone comes across this post and wants to try this:

$ echo 'lock:x:54:nagios' >> /etc/group 
$ chgrp lock /var/lock/
$ chmod g+w  /var/lock/

And, for the package lists

$ chgrp -R lock /var/opkg-lists/
$ chmod g+ws /var/opkg-lists/

For some reason I had one key file in /etc/opkg/keys/ that was not world-readable and so the signature verification failed, causing newly downloaded package lists to be deleted:

$ chmod a+r /etc/opkg/keys/f94b9dd6febac963

With all that in place, both opkg update and opkg list-upgradable work as the nagios user. But, as mentioned above, the cron thingy is way less invasive and more stable, as these permission and ownership changes may get reset on the next sysupgrade.
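
The cron workaround discussed in this thread, sketched as an NRPE plugin. This is an added example and not code posted by anyone in the thread; the file path, the cron schedule and the plugin name check_opkg_upgradable are assumptions. The plugin only reads a file, so root's sole job is to write the list, and a failed or missing cron run surfaces as a stale file instead of a false OK.

```shell
#!/bin/sh
# Added example (not from the thread): Nagios/NRPE plugin for the cron workaround.
# Assumed root crontab entry (path and schedule are hypothetical):
#   17 */6 * * * opkg update >/dev/null 2>&1 && opkg list-upgradable >/tmp/opkg-upgradable.new && mv /tmp/opkg-upgradable.new /tmp/opkg-upgradable
# "&&" keeps the previous file when the update fails, and mv swaps it in atomically.

check_opkg_upgradable() {
    file="${1:-/tmp/opkg-upgradable}"   # hypothetical path written by the cron job
    max_age="${2:-86400}"               # seconds before the list counts as stale

    if [ ! -r "$file" ]; then
        echo "UNKNOWN: $file missing or unreadable (has the root cron job run?)"
        return 3
    fi

    # date -r FILE prints the file's modification time (BusyBox and GNU date)
    mtime=$(date -r "$file" +%s) || { echo "UNKNOWN: cannot read mtime of $file"; return 3; }
    age=$(( $(date +%s) - mtime ))
    if [ "$age" -gt "$max_age" ]; then
        echo "UNKNOWN: $file is ${age}s old (limit ${max_age}s), package list is stale"
        return 3
    fi

    # opkg list-upgradable prints one "name - installed - available" line per package
    count=$(grep -c ' - ' "$file" || true)
    if [ "$count" -gt 0 ]; then
        pkgs=$(sed -n 's/ - .*//p' "$file" | tr '\n' ' ')
        echo "WARNING: $count upgradable package(s): $pkgs| upgradable=$count"
        return 1
    fi
    echo "OK: no upgradable packages | upgradable=0"
    return 0
}

# Run as a plugin only when installed under this name; otherwise just define the function.
case "${0##*/}" in
    check_opkg_upgradable) check_opkg_upgradable "$@"; exit $? ;;
esac
```

Exit codes follow the Nagios plugin convention (0 OK, 1 WARNING, 3 UNKNOWN); the second argument sets the staleness limit in seconds.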