[pacman-dev] Adding privilege levitation to pacman

Emil Velikov emil.l.velikov at gmail.com
Mon Jan 4 23:45:31 UTC 2021


On Mon, 4 Jan 2021 at 20:12, Eli Schwartz via pacman-dev
<pacman-dev at lists.archlinux.org> wrote:
>
> On 1/4/21 1:46 PM, Emil Velikov via pacman-dev wrote:
> > After a casual chat with some systemd and dbus devs - I was pointed at polkit.
> > With polkit a) gaining and revoking root is trivial, b) it integrates
> > nicely (better than gpg/pinentry) with tty, gnome, kde, etc, while it
> > also c) provides for a consistent user experience.
>
> "pinentry-program /usr/bin/pinentry-curses" integrates very nicely with
> the tty too, and is apropos for not context-switching between a terminal
> emulator running in a WM, and some popup window.
>
pinentry fairly often chokes here, if GPG_TTY and the startup TTY
aren't reset at just the right moment...

> I'm not aware of a similar option for polkit, it would likely defeat the
> purpose of most polkit uses though...
>
... do agree though the explicit override pinentry-program is priceless.

> > I'm not sure if you're joking or trolling here. I am aiming for "least
> > privilege", moving from yaourt which absolutely sucks in that
> > department, with pacman being a tiny bit better.
>
> I don't see how yaourt is tied to principle of least privilege. Neither
> with yaourt, nor without yaourt, do you have principle of least privilege.
>
Was trying to illustrate that yaourt is a step in the opposite
direction - worst (yaourt) -> bad (pacman) -> good (polkit based
pacman).
Duly noted, will not mention that helper again.

> > Last but not least, to reiterate pacman will work as original when the
> > system lacks polkit altogether.
>
> No it won't... because you need to link to libpolkit-agent in order to
> support it, therefore it's a compile-time choice whether the "pacman"
> package depends on the "polkit" package.
>
Is dlopen/dlsym banned in pacman?

> You could circumvent this by using exec(2) + /usr/bin/pkexec on the
> whole process, or if, like systemd, you *already* contain a dbus
> implementation that can send messages to org.freedesktop.PolicyKit1
> without linking to polkit.
>
My initial idea was to try the systemd route and if implementation (or
interdependencies) gets too messy - to fall back to pkexec.

As you mentioned before, separation is priority #1, elevation is 3+

Thanks
Emil
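
Added example (not part of the original message, and not pacman code): the exec(2) + /usr/bin/pkexec fallback discussed above, written in C with no link-time dependency on polkit, keeping the original behaviour when pkexec is absent. It assumes Linux (/proc/self/exe); the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PKEXEC_PATH "/usr/bin/pkexec" /* path named in the thread */
/* Build { pkexec, self_path, argv[1..], NULL }; caller frees the array.
 * Returns NULL unless self_path is absolute: pkexec resolves a relative
 * PROGRAM through PATH, so forwarding argv[0] could elevate another binary. */
char **build_pkexec_argv(const char *self_path, int argc, char *const argv[])
{
    if (self_path == NULL || self_path[0] != '/' || argc < 1)
        return NULL;
    char **out = calloc((size_t)argc + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[0] = (char *)PKEXEC_PATH;
    out[1] = (char *)self_path;
    for (int i = 1; i < argc; i++)
        out[i + 1] = argv[i];
    return out; /* calloc left out[argc + 1] == NULL */
}

/* Re-exec under pkexec; returns -1 only on failure (e.g. pkexec missing). */
int reexec_with_pkexec(int argc, char *const argv[])
{
    static char self[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", self, sizeof self - 1); /* Linux */
    if (n <= 0)
        return -1;
    self[n] = '\0';
    char **new_argv = build_pkexec_argv(self, argc, argv);
    if (new_argv == NULL)
        return -1;
    execv(PKEXEC_PATH, new_argv); /* returns only on error */
    free(new_argv);
    return -1;
}

int main(int argc, char **argv)
{
    if (geteuid() != 0 && reexec_with_pkexec(argc, argv) != 0) {
        fputs("not root and pkexec unavailable; run as root\n", stderr);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS; /* privileged work would start here */
}
```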

