[pacman-dev] Adding privilege levitation to pacman

Emil Velikov emil.l.velikov at gmail.com
Mon Jan 4 18:46:21 UTC 2021


On Mon, 4 Jan 2021 at 16:11, Maarten de Vries via pacman-dev
<pacman-dev at lists.archlinux.org> wrote:
>
>
> On 04-01-2021 14:47, Emil Velikov via pacman-dev wrote:
> > Hello everyone,
> Hey :)
> > For a while now I've been wondering about adding privilege elevation
> > to pacman, or if you prefer to libalpm.
> > In particular, one that uses polkit akin to systemd and various other tools.
>
> Privilege separation could be a nice feature for pacman, like Levente
> said. However, if you want pacman to be run as non-root and then
> automagically gain required privileges to overwrite system files through
> polkit, I don't think that is something I would want.
>
> For starters, `pacman -U` with a custom package would allow you to
> overwrite anything with anything. In general, requiring root to use
> pacman is a good thing.
>
How does using polkit make any difference? The existing "run-as-root"
workflow will remain unchanged.

> If you were to add restrictions on the allowed commands or require group
> membership, why not simply use custom sudo rules? You can configure sudo
> to allow certain commands without asking for a password if you really
> want to (but I wouldn't recommend that for pacman).
>
I'm aware of such sudo hacks, but that's all they are. They are gruesome, do
not scale and are error prone (-Sy requires root, -Si foo does not, while
-Syi foo is also a thing).

> The opposite does sound nice: have pacman start as root and then drop
> privileges for parts of the code where it is not required.
>
There are more or less 3 pieces of software on my systems that use
this approach - systemd (PID 1 so starts as root, although I doubt it
drops priv), Xorg (prime example of new, well written and secure code)
and OpenVPN (I think it no longer runs as root with last version)

To clear any ambiguity, I was being sarcastic in the Xorg case. You are
welcome to test how fragile the approach is (as implemented in Xorg) -
it's close to impossible for the initial code (run as root) to
attribute for each permutation, that will be triggered later on at
runtime. So currently it drops permissions for a wide range of cases
which actually require root.

After a casual chat with some systemd and dbus devs - I was pointed at polkit.
With polkit a) gaining and revoking root is trivial, b) it integrates
nicely (better than gpg/pinentry) with tty, gnome, kde, etc, while it
also c) provides for a consistent user experience.

> > The reason behind this is multiple-fold, but my main selfish wish is
> > to get rid of yaourt. As you know, it is an "unsafe pacman wrapper"
> > which is capable of a very basic elevation via sudo.
> > Once that is complete, I have been itching to try and minimise the
> > use/requirement of root, or as it's better known - apply the principle
> > of least privilege.
>
> If you just want `pacman` to automatically be `sudo pacman`, you can
> just add a shell alias or wrapper script in your $PATH :)
>
I'm not sure if you're joking or trolling here. I am aiming for "least
privilege", moving from yaourt which absolutely sucks in that
department, with pacman being a tiny bit better.

Last but not least, to reiterate, pacman will work as before when the
system lacks polkit altogether.

Thanks
Emil
