On January 5, 2021 3:26:59 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev@lists.archlinux.org> wrote:
> On 5/1/21 12:14 pm, Levente Polyak via pacman-dev wrote:
>> On January 5, 2021 1:43:32 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev@lists.archlinux.org> wrote:
>>> So... I am super-anti polkit in any form for terminal based programs.
>>> I would be happy to use polkit in any graphical frontend, but we don't have one in the pacman code base!
>>>
>>> Let's break the problem down a bit:
>>>
>>> The areas we need root:
>>> a) package installation
>>>
>>> The areas we should run as a dedicated user:
>>> b) database download
>>> c) package download
>>> d) gpg verification (for keyring ownership)
>>>
>>> Am I missing anything?
>>>
>>> The rest can be run as a user.
>>>
>>> Currently, both the areas needing to run as root and those that could be a dedicated user are well detected, so any operation requiring these at any stage checks for root privileges. Any operation not requiring root privileges at any stage can be run as a user. The problem is when there are combined operations!
>>>
>>> A "quick fix" would be to boot operations b-d to separate helper binaries, with the pacman binary offloading as necessary. That removes most of our attack space.
>>>
>>> For a more complete pacman fix, note that all root (or dedicated user) needed operations happen first in any transaction - e.g. -Syi does "y" first, so pacman could just drop root privileges as soon as those are done.
>>
>> So far so good, but I think it's a bit more complicated
>
> Can you expand on that thought rather than leaving us in a cloud of mystery?
Uff, sorry, this was a draft I started and needed to leave, but instead the stupid MUA sent it. Guess I hit the wrong button.

I agree with the first parts, but a simple sorted execution before dropping won't be sufficient: you will have separate user actions before root-privileged actions, for first syncing the database and downloading packages before installing them, like a simple -Syu. There are multiple ways to achieve this, like separated binary offloading or multiple forked executions with lower privileges. But it's certainly required to be able to execute a lower-privileged context before having a higher-privileged context at the end, like package installation. Even for a single action you want to have a non-root context to download the packages.

Cheers,
Levente
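The "forked execution with lower privileges" variant that Levente mentions, as an added example that is not pacman's code and not from either author: the database sync and package download run in forked children that irreversibly drop to a dedicated unprivileged uid/gid, and the root parent only proceeds to installation once those children have exited successfully. The step bodies are constructed stand-ins (they only check that they are no longer root), and the fallback target uid/gid 65534 used when the demo itself runs as root is an assumption of this example ("nobody" on most distributions), not anything the thread specifies.

```c
/* Added example (not pacman code): privilege separation for a -Syu-style
 * transaction. Unprivileged steps run in forked children that drop to a
 * dedicated uid/gid; the root parent installs only if they all succeeded. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*step_fn)(void *arg);

/* Irreversibly drop the calling process to uid/gid. Returns 0 on success,
 * -1 on failure. Must run in the child, never in the privileged parent. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups first; this needs CAP_SETGID, so only
     * attempt it when we actually are root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is gone we may no longer change the gid.
     * Called with euid 0, setgid()/setuid() set real, effective and saved ids. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Paranoia: if we can still become root, the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, run one step there and hand its exit
 * status back to the privileged parent. Returns the step's status (0-255),
 * 126 if the privilege drop failed, 127 if the child died from a signal,
 * -1 if fork/wait failed. Nothing the child does can reach the parent's
 * root credentials or address space. */
static int run_unprivileged(uid_t uid, gid_t gid, step_fn step, void *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        _exit(step(arg) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 127;
}

/* Constructed stand-ins for pacman's steps: the unprivileged ones only
 * check that they are no longer root, which is the property the separation
 * is meant to guarantee. Real code would fetch the databases/packages here. */
static int db_sync_step(void *arg)      { (void)arg; return geteuid() == 0 ? 1 : 0; }
static int pkg_download_step(void *arg) { (void)arg; return geteuid() == 0 ? 1 : 0; }
static int failing_step(void *arg)      { (void)arg; return 3; } /* e.g. a download error */

/* Model of -Syu: "y" and the download as the dedicated user, the install as
 * root, and no install at all if anything before it failed. Returns 0 on
 * success or the first failing step's status. */
static int sync_upgrade(uid_t uid, gid_t gid, step_fn download)
{
    int rc;
    if ((rc = run_unprivileged(uid, gid, db_sync_step, NULL)) != 0)
        return rc;
    if ((rc = run_unprivileged(uid, gid, download, NULL)) != 0)
        return rc;
    /* Still root here: package installation would happen in this process. */
    return 0;
}

/* Target user for the demo: our own uid/gid when not root (the drop is then
 * a no-op that still exercises every check), 65534 when running as root
 * ("nobody" on most distributions; an assumption of this example). */
static uid_t demo_uid(void) { return getuid() != 0 ? getuid() : (uid_t)65534; }
static gid_t demo_gid(void) { return getuid() != 0 ? getgid() : (gid_t)65534; }

int main(void)
{
    int ok = sync_upgrade(demo_uid(), demo_gid(), pkg_download_step);
    int failed = sync_upgrade(demo_uid(), demo_gid(), failing_step);
    printf("-Syu with good download: %d, with failing download: %d\n", ok, failed);
    return (ok == 0 && failed == 3) ? 0 : 1;
}
```

The ordering inside drop_privileges matters: supplementary groups, then gid, then uid, followed by a check that root cannot be regained. Reversing gid and uid leaves the child with root's group, and skipping the setuid(0) probe hides a drop that only changed the effective id.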