Installing as non-root user

[camjac251]

I am on a shared Debian 8 system with a Chrooted user. I wanted to be able to install makemkvcon so I can use the command line from my jailed user but have been getting some errors.

I configured makemkv-oss with "./configure --prefix=$HOME --disable-gui" and then ran make && make install. Afterward I'd open the makemkv-bin folder and change the prefix in Makefile to my full $HOME path, then run make && make install. When I tried to use makemkvcon though I got this error "./makemkvcon: error while loading shared libraries: libmakemkv.so.1: cannot open shared object file: No such file or directory"

libmakemkv.so.1 did exist in my user's home folder under ~/lib but it wasn't detected. Also I must add that ldconfig didn't work when compiling makemkv-oss, so I removed the line and ran make && make install again without issue.

I'm guessing makemkvcon has it's shared libraries hardcoded in, so it'll always look in /usr/lib instead of ~/lib or ~/usr/lib?

Could this be changed? I'd very much like to use it in this environment.

[sebekk23]

Bump - it will be great option.

[Woodstock]

I would think the biggest obstacle to installing as a non-root user would be the same as non-admin users on Windows and OS X.... permissions when talking to the hardware. MakeMKV needs to talk directly to the drive for some operations, and that is normally prohibited to non-root users, for obvious security reasons.

[camjac251]

I would think the biggest obstacle to installing as a non-root user would be the same as non-admin users on Windows and OS X.... permissions when talking to the hardware. MakeMKV needs to talk directly to the drive for some operations, and that is normally prohibited to non-root users, for obvious security reasons.

You can also have it use a directory instead or an iso, which makes it easier for me since I could run a command like this

Code: Select all

makemkvcon mkv --progress=-same file:"/folder/name/something" all "/folder/name/something"

[camjac251]

Will it become possible one day?

[fallenguru]

It's possible now, from memory:

1) oss part
Call configure with --prefix=$HOME.
Comment out the call to ldconfig in the Makefile (it would require root).
$ make
$ make install
$ export LD_LIBRARY_PATH="$HOME/lib:$LD_LIBRARY_PATH"

2) closed part
Edit the Makefile to say PREFIX=$HOME instead of PREFIX=/usr (it's close to the top).
$ make
$ make install

3) misc stuff
You probably want $HOME/bin in your PATH, the right place to do that is distro-dependent.
Since you can't install the libraries to a system location nor tell ld about it, LD_LIBRARY_PATH must contain $HOME/lib for the binaries to work. In theory, it's an environment variable like PATH, in practice setting it permanently can be a challenge, as it's sometimes *unset* for security reasons, e.g. for X sessions of Debian based distros. You can always run ' export LD_LIBRARY_PATH="$HOME/lib:$LD_LIBRARY_PATH" ' again, if it isn't there (check using env).

[camjac251]

I have a working script now for installing makemkvcon on linux through a user (requiring no sudo access)

It is based on the script by mdPlusPlus who based their script on thisisaname
Credited you two in the script itself as well. Also credited you fallenguru. Without your help this wouldn't have been possible.

If anyone would like to use this, it's very useful as it can be used to automatically install (or reinstall if updating) makemkvcon on linux with a regular user.

install_makemkv.sh

Code: Select all

#!/bin/bash
# set -x #Uncomment to see the commands being executed
##Based on https://gist.github.com/mdPlusPlus/b110cad4cdd920950c10dc6b5bce4dc6
##Original from here: https://www.makemkv.com/forum2/viewtopic.php?f=3&t=5266&start=30#p56468
##Credit to mdPlusPlus and thisisaname for scripts, fallenguru for non root steps.
build_dir="$HOME/.tmp/build-makemkv"
build_log="$HOME/.tmp/makemkv_install.log" # Keep this outside of your build_dir as it gets removed at the end of the script.
url_ffmpeg_releases="https://www.ffmpeg.org/releases/"
url_makemkv="http://makemkv.com/download/"
url_makemkv_serial="http://www.makemkv.com/forum2/viewtopic.php?f=5&t=1053"
serial_makemkv=$(curl -s4 --url ""${url_makemkv_serial}"" | grep -oP 'T-[\w\d@]{66}')
vers_ffmpeg=$(curl -s4 "${url_ffmpeg_releases}" | egrep -o 'ffmpeg-([0-9]{1,}\.)+[0-9]{1,}' | sort -t. -rn | head -n 1)
vers_makemkv=$(curl -s4 "${url_makemkv}" | grep -oP '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)

if [ -z "$url_ffmpeg_releases" ] || [ -z "$url_makemkv" ] || [ -z "$url_makemkv_serial" ] || [ -z "$serial_makemkv" ] || [ -z "$vers_ffmpeg" ] || [ -z "$vers_makemkv" ]; then
    echo "ERR: Uh-oh, looks like one of the URLs has changed and the curls were no good. Aborting..." | tee -a "$build_log"
    exit
fi

echo "INFO: See $build_log for details...."
mkdir -p ${build_dir} | tee -a "$build_log"

if [ ! -d "$build_dir" ]; then
    echo "ERR: Seems like you don't have permission to .tmp. Aborting.." | tee -a "$build_log" 
    exit
fi

cd ${build_dir}
echo "INFO: Downloading latest ffmpeg and makemkv from source." | tee -a "$build_log"
wget "${url_ffmpeg_releases}${vers_ffmpeg}.tar.bz2" -O "${vers_ffmpeg}.tar.bz2" | tee -a "$build_log"
wget "${url_makemkv}makemkv-bin-${vers_makemkv}.tar.gz" -O "makemkv-bin-${vers_makemkv}.tar.gz" | tee -a "$build_log"
wget "${url_makemkv}makemkv-oss-${vers_makemkv}.tar.gz" -O "makemkv-oss-${vers_makemkv}.tar.gz" | tee -a "$build_log"

echo "INFO: Extracting archives." | tee -a "$build_log"
tar xvf ${vers_ffmpeg}.tar.bz2 | tee -a "$build_log"
tar xvf makemkv-bin-${vers_makemkv}.tar.gz | tee -a "$build_log"
tar xvf makemkv-oss-${vers_makemkv}.tar.gz | tee -a "$build_log"

echo "INFO: Building ffmpeg." | tee -a "$build_log"
cd ${build_dir}/${vers_ffmpeg}
PKG_CONFIG_PATH="${build_dir}/ffmpeg_build/lib/pkgconfig"
echo "INFO: Configuring ffmpeg." | tee -a "$build_log"
./configure --prefix="${build_dir}/ffmpeg_build" --extra-cflags="-I${build_dir}/ffmpeg_build/include" --extra-ldflags="-L${build_dir}/ffmpeg_build/lib" --enable-static --disable-shared --enable-pic | tee -a "$build_log"
echo "INFO: Installing ffmpeg." | tee -a "$build_log"
make -j `getconf _NPROCESSORS_ONLN` install | tee -a "$build_log"
 
echo "INFO: Building makemkv-oss." | tee -a "$build_log"
cd ${build_dir}/makemkv-oss-${vers_makemkv}
sed -i '/ldconfig/d' Makefile.in
PKG_CONFIG_PATH={build_dir}ffmpeg/lib/pkgconfig ./configure --prefix=$HOME --disable-gui
echo "INFO: Making makemkv-oss." | tee -a "$build_log"
make -j `getconf _NPROCESSORS_ONLN` | tee -a "$build_log"
echo "INFO: Installing makemkv-oss." | tee -a "$build_log"
make -j `getconf _NPROCESSORS_ONLN` install | tee -a "$build_log"
export LD_LIBRARY_PATH="$HOME/lib:$LD_LIBRARY_PATH"
cd ${build_dir}/makemkv-bin-${vers_makemkv}
echo "Auto Accepting License Agreement" | tee -a "$build_log"
mkdir tmp
echo -n accepted >tmp/eula_accepted
echo "INFO: Making makemkv-bin." | tee -a "$build_log"
sed -i "s|/usr|${HOME}|" Makefile
make -j `getconf _NPROCESSORS_ONLN` | tee -a "$build_log" 
echo "INFO: Installing makemkv-bin." | tee -a "$build_log"
make -j `getconf _NPROCESSORS_ONLN` install | tee -a "$build_log"

echo "INFO: Testing makemkv binary." | tee -a "$build_log"
if [ ! -f "$HOME/bin/makemkvcon" ]; then
    echo "ERR: Missing $HOME/bin/makemkvcon, better check the logs. Aborting.." | tee -a "$build_log"   
    exit
fi

echo "INFO: Registering MakeMKV with latest beta key for you." | tee -a "$build_log"   
echo "INFO: Current key $serial_makemkv" | tee -a "$build_log"   
mkdir -p $HOME/.MakeMKV/
echo "app_Key = \"$serial_makemkv\"" > $HOME/.MakeMKV/settings.conf
cd $HOME/.tmp
echo "INFO: Cleaning up build directory" | tee -a "$build_log"
rm -rf "$build_dir"
echo "If you haven't already, make sure that these two lines are in your .bashrc file.
LD_LIBRARY_PATH=$HOME/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH"
echo "INFO: Exiting."
exit

[basvdw]

Apologies for necroposting, I'm not a regular here so don't know if it's appropriate, but I updated the script a bit to fit the needs of someone at Ultra.cc/UltraSeedbox.
It's heavily based on the script posted here by camjac251, I appreciate you and everyone else. Mine does essentially the same thing with a few small changes:

• Added NASM as a dependency since FFmpeg needs it and it doesn't come preinstalled at Ultra.cc
• Changed the build directory to /tmp/makemkv
• Changed the prefix to $HOME/.local
• Adds $LD_LIBRARY_PATH and $PATH insertions to .bashrc if they don't exist yet (kind of hacky but it's useful to us)
• Changed cleanup of build directory to be on exit
• Changed curl commands to follow redirects
• Removed the build log since we don't really need it, you can just redirect the output of the script itself if you do

I'm hosting it at https://get.bas.sh/install-makemkv.sh so you can easily run it with a one-liner (or download it first if you want to read it before running it).

Code: Select all

curl -fsSL https://get.bas.sh/install-makemkv.sh | bash

and here's the script in full:

Code: Select all

#!/usr/bin/env bash
#set -x
set -e

### Based on https://forum.makemkv.com/forum/viewtopic.php?p=62349#p62349

p() {
    echo -e "\n==> $@\n"
}

build_dir=/tmp/makemkv

cleanup() {
    p 'Cleaning up build directory...'
    rm -rf $build_dir
}

trap cleanup EXIT

PREFIX=$HOME/.local
export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PKG_CONFIG_PATH
export LD_LIBRARY_PATH=$PREFIX/lib:$LD_LIBRARY_PATH
export PATH=$PREFIX/bin:$PATH

nasm_url="https://www.nasm.us"
ffmpeg_url="https://www.ffmpeg.org/releases"
makemkv_url="http://makemkv.com/download"
makemkv_serial_url="http://www.makemkv.com/forum2/viewtopic.php?f=5&t=1053"

p 'Checking latest versions'
nasm_version=$(curl -fsSL $nasm_url | grep -oP '\d+\.\d+\.\d+' | head -n1)
echo "nasm $nasm_version"
ffmpeg_version=$(curl -fsSL $ffmpeg_url | grep -oP 'ffmpeg-(\d+\.)+\d+' | sort -V | tail -n1)
echo $ffmpeg_version
makemkv_version=$(curl -fsSL $makemkv_url | grep -oP '\d+\.\d+\.\d+' | head -n1)
echo "MakeMKV $makemkv_version"
makemkv_serial=$(curl -fsSL $makemkv_serial_url | grep -oP 'T-[\w\d@]{66}')
echo "MakeMKV key: $makemkv_serial"

if [[ -z $nasm_version ]] || [[ -z $ffmpeg_version ]] || [[ -z $makemkv_version ]] || [[ -z $makemkv_serial ]]; then
    p 'At least one of the version checks failed, aborting'
    exit
fi

p "Compiling NASM, MakeMKV, and FFmpeg in $build_dir"
mkdir -p $build_dir && cd $build_dir

p 'Downloading NASM, ffmpeg, and makemkv sources'
wget --no-verbose "$nasm_url/pub/nasm/releasebuilds/$nasm_version/nasm-$nasm_version.tar.gz" \
    "$ffmpeg_url/$ffmpeg_version.tar.bz2" \
    "$makemkv_url/makemkv-bin-$makemkv_version.tar.gz" \
    "$makemkv_url/makemkv-oss-$makemkv_version.tar.gz"

p 'Extracting archives'
echo -n 'nasm: ' && tar xf nasm-$nasm_version.tar.gz --totals
echo -n 'ffmpeg: ' && tar xf $ffmpeg_version.tar.bz2 --totals
echo -n 'makemkv-oss: ' && tar xf makemkv-bin-$makemkv_version.tar.gz --totals
echo -n 'makemkv-bin: ' && tar xf makemkv-oss-$makemkv_version.tar.gz --totals

p 'Configuring NASM'
cd $build_dir/nasm-$nasm_version
./autogen.sh
./configure --prefix=$PREFIX
p 'Compiling NASM'
make -j
p 'Installing NASM'
make install

p 'Configuring FFmpeg'
cd $build_dir/$ffmpeg_version
./configure --prefix=$PREFIX --extra-cflags="-I$PREFIX/include" --extra-ldflags="-L$PREFIX/lib" --enable-static --enable-pic
p 'Compiling FFmpeg'
make -j
p 'Installing FFmpeg'
make install

p 'Configuring makemkv-oss'
cd $build_dir/makemkv-oss-$makemkv_version
sed -i '/ldconfig/d' Makefile.in
./configure --prefix=$PREFIX --disable-gui
p 'Compiling makemkv-oss'
make -j
p 'Installing makemkv-oss'
make install

p 'Compiling makemkv-bin'
cd $build_dir/makemkv-bin-$makemkv_version
mkdir tmp
echo -n "accepted" > tmp/eula_accepted
sed -i "s|/usr|$HOME/.local|" Makefile
make -j > /dev/null
p 'Installing makemkv-bin'
make install

p 'Registering MakeMKV with latest beta key'
mkdir -p $HOME/.MakeMKV
echo "app_Key = \"$makemkv_serial\"" > $HOME/.MakeMKV/settings.conf

if ! grep -qE '\$HOME/.local/lib(:|"$|$)' $HOME/.bashrc; then
    p 'Adding $LD_LIBRARY_PATH insertion to .bashrc'
    echo 'export LD_LIBRARY_PATH=$HOME/.local/lib:$LD_LIBRARY_PATH' >> $HOME/.bashrc
fi

if ! grep -qE '\$HOME/.local/bin(:|"$|$)' $HOME/.bashrc; then
    p 'Adding $PATH insertion to .bashrc'
    echo 'export PATH=$HOME/.local/bin:$PATH' >> $HOME/.bashrc
fi

p 'Restart your SSH session or run "source ~/.bashrc" to be able to run makemkvcon (if everything went well, which I sure hope it did). Enjoy! :)'

[dbgt7]

Apologies for necroposting, I'm not a regular here so don't know if it's appropriate, but I updated the script a bit to fit the needs of someone at Ultra.cc/UltraSeedbox.
It's heavily based on the script posted here by camjac251, I appreciate you and everyone else. Mine does essentially the same thing with a few small changes:

• Added NASM as a dependency since FFmpeg needs it and it doesn't come preinstalled at Ultra.cc
• Changed the build directory to /tmp/makemkv
• Changed the prefix to $HOME/.local
• Adds $LD_LIBRARY_PATH and $PATH insertions to .bashrc if they don't exist yet (kind of hacky but it's useful to us)
• Changed cleanup of build directory to be on exit
• Changed curl commands to follow redirects
• Removed the build log since we don't really need it, you can just redirect the output of the script itself if you do

I'm hosting it at https://get.bas.sh/install-makemkv.sh so you can easily run it with a one-liner (or download it first if you want to read it before running it).

Code: Select all

curl -fsSL https://get.bas.sh/install-makemkv.sh | bash

and here's the script in full:

Code: Select all

#!/usr/bin/env bash
#set -x
set -e

### Based on https://forum.makemkv.com/forum/viewtopic.php?p=62349#p62349

p() {
    echo -e "\n==> $@\n"
}

build_dir=/tmp/makemkv

cleanup() {
    p 'Cleaning up build directory...'
    rm -rf $build_dir
}

trap cleanup EXIT

PREFIX=$HOME/.local
export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PKG_CONFIG_PATH
export LD_LIBRARY_PATH=$PREFIX/lib:$LD_LIBRARY_PATH
export PATH=$PREFIX/bin:$PATH

nasm_url="https://www.nasm.us"
ffmpeg_url="https://www.ffmpeg.org/releases"
makemkv_url="http://makemkv.com/download"
makemkv_serial_url="http://www.makemkv.com/forum2/viewtopic.php?f=5&t=1053"

p 'Checking latest versions'
nasm_version=$(curl -fsSL $nasm_url | grep -oP '\d+\.\d+\.\d+' | head -n1)
echo "nasm $nasm_version"
ffmpeg_version=$(curl -fsSL $ffmpeg_url | grep -oP 'ffmpeg-(\d+\.)+\d+' | sort -V | tail -n1)
echo $ffmpeg_version
makemkv_version=$(curl -fsSL $makemkv_url | grep -oP '\d+\.\d+\.\d+' | head -n1)
echo "MakeMKV $makemkv_version"
makemkv_serial=$(curl -fsSL $makemkv_serial_url | grep -oP 'T-[\w\d@]{66}')
echo "MakeMKV key: $makemkv_serial"

if [[ -z $nasm_version ]] || [[ -z $ffmpeg_version ]] || [[ -z $makemkv_version ]] || [[ -z $makemkv_serial ]]; then
    p 'At least one of the version checks failed, aborting'
    exit
fi

p "Compiling NASM, MakeMKV, and FFmpeg in $build_dir"
mkdir -p $build_dir && cd $build_dir

p 'Downloading NASM, ffmpeg, and makemkv sources'
wget --no-verbose "$nasm_url/pub/nasm/releasebuilds/$nasm_version/nasm-$nasm_version.tar.gz" \
    "$ffmpeg_url/$ffmpeg_version.tar.bz2" \
    "$makemkv_url/makemkv-bin-$makemkv_version.tar.gz" \
    "$makemkv_url/makemkv-oss-$makemkv_version.tar.gz"

p 'Extracting archives'
echo -n 'nasm: ' && tar xf nasm-$nasm_version.tar.gz --totals
echo -n 'ffmpeg: ' && tar xf $ffmpeg_version.tar.bz2 --totals
echo -n 'makemkv-oss: ' && tar xf makemkv-bin-$makemkv_version.tar.gz --totals
echo -n 'makemkv-bin: ' && tar xf makemkv-oss-$makemkv_version.tar.gz --totals

p 'Configuring NASM'
cd $build_dir/nasm-$nasm_version
./autogen.sh
./configure --prefix=$PREFIX
p 'Compiling NASM'
make -j
p 'Installing NASM'
make install

p 'Configuring FFmpeg'
cd $build_dir/$ffmpeg_version
./configure --prefix=$PREFIX --extra-cflags="-I$PREFIX/include" --extra-ldflags="-L$PREFIX/lib" --enable-static --enable-pic
p 'Compiling FFmpeg'
make -j
p 'Installing FFmpeg'
make install

p 'Configuring makemkv-oss'
cd $build_dir/makemkv-oss-$makemkv_version
sed -i '/ldconfig/d' Makefile.in
./configure --prefix=$PREFIX --disable-gui
p 'Compiling makemkv-oss'
make -j
p 'Installing makemkv-oss'
make install

p 'Compiling makemkv-bin'
cd $build_dir/makemkv-bin-$makemkv_version
mkdir tmp
echo -n "accepted" > tmp/eula_accepted
sed -i "s|/usr|$HOME/.local|" Makefile
make -j > /dev/null
p 'Installing makemkv-bin'
make install

p 'Registering MakeMKV with latest beta key'
mkdir -p $HOME/.MakeMKV
echo "app_Key = \"$makemkv_serial\"" > $HOME/.MakeMKV/settings.conf

if ! grep -qE '\$HOME/.local/lib(:|"$|$)' $HOME/.bashrc; then
    p 'Adding $LD_LIBRARY_PATH insertion to .bashrc'
    echo 'export LD_LIBRARY_PATH=$HOME/.local/lib:$LD_LIBRARY_PATH' >> $HOME/.bashrc
fi

if ! grep -qE '\$HOME/.local/bin(:|"$|$)' $HOME/.bashrc; then
    p 'Adding $PATH insertion to .bashrc'
    echo 'export PATH=$HOME/.local/bin:$PATH' >> $HOME/.bashrc
fi

p 'Restart your SSH session or run "source ~/.bashrc" to be able to run makemkvcon (if everything went well, which I sure hope it did). Enjoy! :)'

Just wanted to let you know that your script worked wonders. Thanks a lot! I used it to install makemkv on hostby.design seedbox. Im really grateful

[FeRDNYC]

It's possible now, from memory:

1) oss part
Call configure with --prefix=$HOME.
Comment out the call to ldconfig in the Makefile (it would require root).

Yeah, I really wish the makemkv devs would remove that, or make it conditional on having UID 0 when 'make install' is run. Despite the assertions in their code, it's NOT at all necessary to install makemkv as root.

(I also wish they'd install the shared libraries with the executable bit set, as is standard practice for ELF binary objects.)

$ make
$ make install

$ export LD_LIBRARY_PATH="$HOME/lib:$LD_LIBRARY_PATH"

That last part isn't even really necessary, if you build with system dependencies for the shared libraries. Because, it turns out they don't depend on each other at all. Nor does the makemkv executable depend on any of the shared libraries built from makemkv-oss. The only thing that does depend on libmakemkv.so.1 and libdriveio.so.0 is makemkvcon.

Sooo...

2) closed part
Edit the Makefile to say PREFIX=$HOME instead of PREFIX=/usr (it's close to the top).
$ make
$ make install

Makefile variables can be overridden by commandline args, so easier than editing is to just run:

Code: Select all

make PREFIX=$HOME
make install PREFIX=$HOME

Now, with makemkvcon installed in $HOME/bin and the libs presumably installed in $HOME/lib, without setting LD_LIBRARY_PATH makemkvcon has no way of locating the libs.

RUNPATH to the rescue. Using the patchelf utility, we can add an after-the-fact RUNPATH to the pre-compiled makemkvcon binary so it'll be able to find the libs.

Code: Select all

patchelf --add-rpath '$ORIGIN/../lib' $HOME/bin/makemkvcon

et voila:

Code: Select all

$ ldd $HOME/bin/makemkvcon |grep home
	libmakemkv.so.1 => $HOME/bin/../lib/libmakemkv.so.1 (0x00007f43124f6000)
	libdriveio.so.0 => $HOME/bin/../lib/libdriveio.so.0 (0x00007f43124ec000)

This won't work if any of the dependency libraries (like ffmpeg's libavcodec or libavutil — required by libmakemkv.so.1 — or makemkv's libQt5*.so.5 dependencies) are installed in non-system locations outside of ldconfig's control. Although, if they are, it should still be solvable by patching a RUNPATH into either libmakemkv.so.1 or makemkv the same way.

For libmakemkv.so.1, if its other dependencies are in the same library directory, you can just tell it to look there:

Code: Select all

patchelf --add-rpath '$ORIGIN' $HOME/lib/libmakemkv.so.1

With makemkv, you'd want to use the same RUNPATH we originally used for makemkvcon, above — assuming the libraries it needs to access are also in $HOME/lib. If you have Qt in some downloadable-install location like $HOME/Qt/5.15.2, you'd want this:

Code: Select all

patchelf --add-rpath '$ORIGIN/../Qt/5.15.2/gcc_64/lib' $HOME/bin/makemkv

If your distro doesn't automatically put $HOME/bin on your PATH when it exists, then... well, bad distro! no cookie. But you could also try using "$HOME/.local" as your --prefix argument and PREFIX= value, instead. $HOME/.local/bin is the new $HOME/bin, and these days is more likely to automatically show up in the $PATH.

The location of the files to modify would change, in that case, but the patchelf --add-rpath arguments DON'T change. That's the advantage of using $ORIGIN-relative RUNPATHs. (The exception is the Qt relative path, which would have to back out a level farther. So that one would become '$ORIGIN/../../Qt/5.15.2/gcc_64/lib'.)

Someone mentioned theoretical permissions issues getting access to hardware, as a reason to need a root install... but that's unlikely to be an issue.

For starters, it assumes the user even wants to access any hardware drives. (I use makemkv entirely with disc images, no physical hardware is ever harmed or even involved in the making of my mkvs.)

Even for users who DO want to access hardware, udev and session-based permissions management on modern Linux distros should give the logged-in user ownership of any optical drive devices on the system for the duration of their session, so permissions shouldn't be a problem for users directly signed in to a local desktop session.

And even if there are permissions issues, it'd require running makemkv as root to overcome them — having the binaries and/or libraries installed as root doesn't make a damn bit of difference.

(Unless they have the setuid bit, which they should DEFINITELY not. Because that would be a massive security exposure. Run makemkv under sudo if you absolutely must, in order to access hardware devices, but do NOT grant it blanket, unsupervised root access. Unless you ENJOY getting pwned, I guess? Some people have weird kinks.)

[georgesgiralt]

Hello,
Having, for a normal user, ~/.local/bin or ~/bin in the PATH variable is the worst idea one can have security wise.
This will defeat the most basic security rule about Unixes which separate user privileges with system privileges.
And will allow a malevolent person to install software through a Web navigator and running it.
Do not expect keeping your personal data safe for more than a day using this method.
All of this because you do not want to type your password in a "sudo" sentence once in a while when installing an application you fancy or need...
Sometimes I wonder ......

[bmillham]

I have been using *nix for 40+ years and have always had ~/bin in my PATH. And never once lost data or had my system compromised because of that...

[georgesgiralt]

I have been using *nix for 40+ years and have always had ~/bin in my PATH. And never once lost data or had my system compromised because of that...

Well, these days of Javascript and "active" plugins from Web browser has changed the things a lot.
Talk to a security expert and ask him about the first thing to do security wise ....
This is why snap and flatpack are this confined....
But of course you are free to do what you want.

[fallenguru]

First of all, @FeRDNYC, thank you for prettying up my years-old hack.

The only things that should be installed or run as root on a box are distro packages, period. I don't (blindly) trust third-party software and I don't feel like auditing it, and neither should you. So sudo is right out. I have a separate user for makemkv; it can access the drives and the data dump directory, that's it. Command line only, no browsers in sight. I'd say the risk of having ~/bin in the path is minimal. Maybe I should've chrooted it for good measure, and these days I'd probably stick it in a container, but ...

[sweharris]

Talk to a security expert and ask him about the first thing to do security wise ....
This is why snap and flatpack are this confined....
But of course you are free to do what you want.

Security professional here. Put stuff in $HOME/bin and be happy.

If a browser was that easily broken that it could drop executables into $HOME/bin then it could modify your .bash_profile or .bashrc files to add any directory to PATH anyway. So you're not gaining anything and just making life harder.

Now things get a little more complicated when we start to look at single-user machines vs multi-user machines. On a machine that's used by multiple people (typically servers, but also shared desktops) the blast radius is massively reduced by putting stuff in $HOME. It's why I've told teams for decades that their apps should not run as root but to have their own service account ('cos don't run server apps as humans, either!)

On a single user desktop machine the separation of duties gets a little more blurred. All your sensitive files (pictures of your cat, obviously!) are going to be under $HOME. If malware did get onto your machine then it doesn't _really_ matter if it runs as you or runs as root; your cat pictures are exposed just the same.

So on a single user machine, running "sudo make install" vs "make install" is pretty much a wash from a data security; that makefile has access to all your data under $HOME either way! And a "sudo make install" could do a lot more nasty stuff (add users, modify ssh config, disable firewalls, even insert kernel modules) to make clean up harder (but if you are compromised, rebuild rather than clean up) and persist access to your cat pictures.

Tools like flatpak and snap are ways of trying to reduce blast area even for that single user; if app X gets compromised it can only (in theory) see data related to that app. In practice it's never so clean (what if apps X, Y, Z all need to share data?). If you want the best of all worlds then MakeMKV, itself, would be delivered as a snap/flatpak/whatever. But it isn't. So letting it run from $HOME/bin (or wherever) is fine.

But as my old Usenet signature read; " My employer pays to ignore my opinions; you get to do it for free. "