This is specific to Arch Linux with yaourt.
Run the following commands as root:
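# One-time setup, run as root: creates the unprivileged build account and the
# sudo rules that let members of "packages" run yaourt as that account.

groupadd -r packages
# -l: no lastlog/faillog entry, -M: no home directory, -N: no per-user group,
# -r: system account. The primary group is "packages".
useradd -d /var/empty -g packages -lMNr pkgbuild
usermod -aG packages YOUR_USER   # replace YOUR_USER with your login name
passwd pkgbuild ## Select a unique password for better security

# Stage the rules in a private temp file and let visudo check them before they
# go live; a syntax error appended straight to /etc/sudoers would break sudo.
# Assumes /etc/sudoers still carries its includedir line for /etc/sudoers.d
# (confirm before relying on the drop-in).
sudoers_tmp=$(mktemp)
cat > "$sudoers_tmp" <<'EOF'
%packages ALL=(pkgbuild) NOPASSWD: /usr/bin/yaourt
# Grants rm with any arguments as pkgbuild; it can be narrowed to the exact
# command line the wrapper script runs.
%packages ALL=(pkgbuild) NOPASSWD: /usr/bin/rm
# No NOPASSWD here: running pacman as root still prompts for a password.
%packages ALL=(root) /usr/bin/pacman
EOF
if visudo -cf "$sudoers_tmp"; then
  install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/pkgbuild
else
  echo 'sudoers rules failed validation; nothing was installed' >&2
fi
rm -f -- "$sudoers_tmp"

# A bare "! test -e FILE" only reports a status and stops nothing (a command
# negated with "!" is also exempt from set -e), so check explicitly before
# creating the wrapper.
if [ -e /usr/local/bin/yaourt ]; then
  echo '/usr/local/bin/yaourt already exists; leaving it untouched' >&2
else
  # Create the empty wrapper with its final owner and mode in a single step.
  install -o root -g packages -m 750 /dev/null /usr/local/bin/yaourt
fi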
Open /usr/local/bin/yaourt with your text editor and write
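#!/bin/sh
# Wrapper installed as /usr/local/bin/yaourt: runs the real yaourt as the
# unprivileged pkgbuild account, then removes its build directory once no
# other instance of the wrapper holds the lock.
set -e

cd /var/empty

# NOTE(review): a fixed name in world-writable /tmp can be pre-created by any
# local user, and a lock file created by one member of "packages" may not be
# openable read-write by another. A lock inside a root-owned directory that
# only "packages" can write to would avoid both; the path is kept as given.
lock=/tmp/.pkgbuild-lock
touch "$lock"
exec 9<>"$lock"   # single-digit descriptor: POSIX sh only guarantees 0-9

# Every running instance holds a shared lock for its whole lifetime.
flock -s 9

# Close the lock descriptor inside the subshell so yaourt and its children do
# not inherit it. Under set -e, a non-zero exit from yaourt ends the script
# here, so the cleanup below runs only after a successful run.
(exec 9<&-; exec sudo -Hu pkgbuild /usr/bin/yaourt "$@")

# Converting to an exclusive lock succeeds only when no other instance still
# holds the shared lock, i.e. for the last wrapper to finish.
if flock -nx 9; then
  if test -d /tmp/yaourt-tmp-pkgbuild; then
    sudo -u pkgbuild rm -rf /tmp/yaourt-tmp-pkgbuild
  fi
fi

exec flock -u 9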
You can further harden your setup by running
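# Optional hardening, run as root: give pkgbuild its own primary group and
# restrict the execute bit on the real yaourt to that group.

userdel pkgbuild
# -U creates a group named pkgbuild as the primary group; "packages" becomes a
# supplementary group.
useradd -d /var/empty -G packages -lMUr pkgbuild
passwd pkgbuild

# 654 = owner rw-, group r-x, others r--: only group pkgbuild has the execute
# bit. Others keep read access, so this blocks direct execution, not reading.
chown root:pkgbuild /usr/bin/yaourt
chmod 654 /usr/bin/yaourt

# Re-apply owner and mode after every install or upgrade of the yaourt package
# (presumably the package would otherwise restore its own permissions).
mkdir -p /etc/pacman.d/hooks
# ">|" overwrites an existing hook even when noclobber is set; the quoted
# delimiter keeps the shell from expanding anything inside the hook body.
cat >|/etc/pacman.d/hooks/hardened-yaourt.hook <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = yaourt

[Action]
Depends = coreutils
When = PostTransaction
Exec = /bin/sh -c '/bin/chown root:pkgbuild /bin/yaourt && /bin/chmod 654 /bin/yaourt'
EOF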