[pacman-dev] [PATCH] doas makepkg support
The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification. As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction".
From 10ffa30e21e94801c444704362342610e49034ab Mon Sep 17 00:00:00 2001 From: Erich Ericson <fakefakefans@gmail.com> Date: Sun, 21 Feb 2021 01:12:04 +0100 Subject: [PATCH] doas privilege escalation in makepkg
Signed-off-by: Erich Ericson <fakefakefans@gmail.com> --- scripts/makepkg.sh.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index b39433f3..47b3001d 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -232,6 +232,8 @@ run_pacman() { cmd=("$PACMAN_PATH" "${PACMAN_OPTS[@]}" "$@") if type -p sudo >/dev/null; then cmd=(sudo "${cmd[@]}") + elif type -p doas >/dev/null; then + cmd=(doas "${cmd[@]}") else cmd=(su root -c "$(printf '%q ' "${cmd[@]}")") fi -- 2.30.1
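Review bot: In run_pacman the new `elif type -p doas` branch is only reached when sudo is absent from PATH, so a machine that has both installed but only doas configured still ends up with `cmd=(sudo "${cmd[@]}")`, and the user has no way to select doas. `type -p` shows that a binary exists, not that its policy permits the invoking user. Rather than growing the hardcoded chain, consider reading the escalation command from configuration and keeping sudo and su as fallbacks. The diffstat touches only scripts/makepkg.sh.in, so the new fallback order is also undocumented.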
From 2a455f2adc1bc87ed6b1d23261c8f911a7cc066b Mon Sep 17 00:00:00 2001 From: Erich Ericson <fakefakefans@gmail.com> Date: Sun, 21 Feb 2021 17:35:26 +0100 Subject: [PATCH] add prompting support for doas binary
Signed-off-by: Erich Ericson <fakefakefans@gmail.com> --- scripts/libmakepkg/executable/sudo.sh.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/libmakepkg/executable/sudo.sh.in b/scripts/libmakepkg/executable/sudo.sh.in index 9e50a76b..4d701946 100644 --- a/scripts/libmakepkg/executable/sudo.sh.in +++ b/scripts/libmakepkg/executable/sudo.sh.in @@ -29,8 +29,8 @@ executable_functions+=('executable_sudo') executable_sudo() { if (( DEP_BIN || RMDEPS || INSTALL )); then - if ! type -p sudo >/dev/null; then - warning "$(gettext "Cannot find the %s binary. Will use %s to acquire root privileges.")" "sudo" "su" + if ! type -p sudo >/dev/null || ! type -p doas >/dev/null; then + warning "$(gettext "Cannot find neither the %s nor %s binary. Will use %s to acquire root privileges.")" "sudo" "doas" "su" fi fi } -- 2.30.1 Erich "DaErich" Ericson
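Review bot: The condition in executable_sudo joins the two probes with `||`, so the warning fires whenever either binary is missing, including the common case where sudo is installed and doas is not, and it then announces that su will be used although run_pacman would pick sudo. Join the probes with `&&` (`! type -p sudo >/dev/null && ! type -p doas >/dev/null`) so the warning appears only when both are absent. The message text is also a double negative; "Cannot find either the %s or the %s binary." says what is meant.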
Hi Erich,

On Mon, 22 Feb 2021 at 15:08, Erich Ericson <fakefakefans@gmail.com> wrote:
The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification. As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction".
Disclaimer: A casual pacman contributor, so take this with a grain of salt.
From pacman POV, diversity makes sense.
Although looking at it from Arch side of things, I see a few tidbits:
- doas is relatively new - landed in 2019
- community package, while pacman is core (and all its other deps are core)
- no wiki page

I don't see a patch which mentions doas in the makepkg manpage? Perhaps we should add something... might even mention sudo/su while in there ;-)

HTH
Emil
On 23/2/21 1:07 am, Erich Ericson wrote:
The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification. As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction".
My understanding was that Eli has a patch in the works that allowed configuring the command for privilege escalation in makepkg.conf. This is my preferred approach as it avoids adding the new hotness in the future.

Allan
Hi everyone,

first off, thanks for the constructive feedback on my proposal.

I know that opendoas is quite new in the field and, being an OpenBSD project, is only documented in the manpages. Even the ArchWiki-Team seems to only link to OpenBSD for documentation matters. But with all the rethinking of certain facilities, take iwd for wpa_supplicant, or systemd-networkd for certain networkmanager-applications, I felt it was a good idea to bring opendoas in scope as revamped "diet" sudo. But taking into consideration that certain features seem to be not fully shaped out yet, I see that it would have been too early to include it in a core-application.

Anyway, if there is already a patch en route to softcode future elevation techniques, that's even better than hardcoding another bash command into the script. I am looking forward to making good use of that patch!

Cheers,
DaErich

On Wed, 24 Feb 2021 at 13:38, Allan McRae <allan@archlinux.org> wrote:
On 23/2/21 1:07 am, Erich Ericson wrote:
The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification. As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction".
My understanding was that Eli has a patch in the works that allowed configuring the command for privilege escalation in makepkg.conf. This is my preferred approach as it avoids adding the new hotness in the future.
Allan
On 2/24/21 7:37 AM, Allan McRae wrote:
On 23/2/21 1:07 am, Erich Ericson wrote:
The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification. As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction".
My understanding was that Eli has a patch in the works that allowed configuring the command for privilege escalation in makepkg.conf. This is my preferred approach as it avoids adding the new hotness in the future.
Yes, this is just https://bugs.archlinux.org/task/68985 which was already rejected as overly specific.

I have WIP stuff, the general gist of which looks like this:
https://git.archlinux.org/users/eschwartz/pacman.git/log/?h=queue2&qt=grep&q=PACMAN_AUTH

It will prefer:
- PACMAN_AUTH=() in makepkg.conf, if defined (bring-your-own-auth, popular flavors of the day include doas, pkexec)
- hardcoded sudo, if installed
- hardcoded su

...

Yes, I should get off my butt, finish+document it, test it, submit it etc. -- which will happen Soon™. Definitely before 6.0.0 final release. Admittedly, I started this on 2019-11-26 and still didn't get around to finishing it. But, given the opendoas fans are increasingly showing interest in it, I've already determined that it's time to dust this off and polish it up.

--
Eli Schwartz
Bug Wrangler and Trusted User
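The preference order listed in the message above, sketched as an added example; it is not code from the PACMAN_AUTH branch or from pacman, and `build_auth_cmd`, `have_cmd` and `AUTH_CMD` are hypothetical names. It assumes PACMAN_AUTH is a bash array holding the helper and its options, and it treats a configured but missing helper as an error, which is a choice of this example.

```bash
#!/usr/bin/env bash
# Added illustration, not pacman's code. build_auth_cmd, have_cmd and
# AUTH_CMD are hypothetical names; PACMAN_AUTH is assumed to be a bash
# array such as PACMAN_AUTH=(doas) set in makepkg.conf.

# Probe PATH the same way the patches in this thread do.
have_cmd() { type -p "$1" >/dev/null; }

# Fill the global array AUTH_CMD with the argv that runs "$@" as root.
# Order: PACMAN_AUTH if defined, then sudo if installed, then su.
build_auth_cmd() {
    AUTH_CMD=()
    if (( ${#PACMAN_AUTH[@]} )); then
        # Choice made in this example: if the configured helper is not
        # installed, fail instead of quietly switching to another tool.
        have_cmd "${PACMAN_AUTH[0]}" || return 1
        AUTH_CMD=("${PACMAN_AUTH[@]}" "$@")
    elif have_cmd sudo; then
        AUTH_CMD=(sudo "$@")
    else
        # su -c hands one string to root's shell, so each argument is
        # re-quoted with %q to survive that second round of parsing.
        AUTH_CMD=(su root -c "$(printf '%q ' "$@")")
    fi
}

# Constructed sample: print the command that would run, without running it.
if build_auth_cmd pacman -U "odd name;x.pkg.tar.zst"; then
    printf '%q ' "${AUTH_CMD[@]}"; echo
fi
```

Keeping the command as an array until the moment it is executed is what lets the doas and sudo branches pass the file name through untouched; only the su branch needs the extra quoting step.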
participants (4)
- Allan McRae
- Eli Schwartz
- Emil Velikov
- Erich Ericson