[pacman-dev] Adding privilege levitation to pacman

Allan McRae allan at archlinux.org
Tue Jan 5 00:43:32 UTC 2021


So... I am super-anti polkit in any form for terminal based programs.
I would be happy to use polkit in any graphical frontend, but we don't
have one in the pacman code base!


Let's break the problem down a bit:

The areas we need root:
a) package installation

The areas we should run as a dedicated user:
b) database download
c) package download
d) gpg verification (for keyring ownership)

Am I missing anything?


The rest can be run as a user.

Currently, both the areas needing to run as root and those that could be a
dedicated user are well detected, so any operation requiring these at
any stage checks for root privileges.  Any operation not requiring root
privileges at any stage can be run as a user.  The problem is when there
are combined operations!

A "quick fix" would be to boot operations b-d to separate helper
binaries, with the pacman binary offloading as necessary.  That removes
most of our attack space.

For a more complete pacman fix, note that all root (or dedicated user)
needed operations happen first in any transaction - e.g. -Syi does the
"y" first, so pacman could just drop root privileges as soon as those
are done.


This is at the pacman level, so other libalpm frontends would need to
re-invent the wheel.  Which I think they mostly need to do anyway...
We don't get a lot of feedback on what would help other frontends.

Allan
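As an added illustration of the "drop root once the privileged sync step is done" idea from the message above (example code written for this page, not pacman's own): a permanent privilege drop in the right order, followed by a check that root cannot be regained. The uid/gid 65534 used when run as root is a constructed stand-in for a dedicated unprivileged account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop root to an unprivileged uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first (needs root), then the gid, then the uid;
 * the uid goes last because nothing privileged is possible once it has changed. */
static int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;              /* refuse to "drop" to root itself */
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        return -1;                   /* clear supplementary groups while still root */
    }
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) {
        return -1;                   /* real, effective and saved ids all change */
    }
    /* Verify: ids must match and re-escalation must be impossible. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        return -1;
    }
    if (setuid(0) == 0) {
        return -1;                   /* saved uid was still 0: the drop did not stick */
    }
    return 0;
}

/* Stand-alone demonstration modelled on "-Syi": the privileged refresh happens first,
 * then root is dropped before the query work that never needed it. */
int main(void)
{
    /* constructed: fall back to the current ids when not started as root */
    uid_t target_uid = geteuid() == 0 ? 65534 : getuid();
    gid_t target_gid = getegid() == 0 ? 65534 : getgid();

    printf("privileged stage (database refresh) runs as uid %u\n", (unsigned)geteuid());
    if (drop_privileges_to(target_uid, target_gid) != 0) {
        perror("drop_privileges_to");
        return 1;
    }
    printf("unprivileged stage (info/query) runs as uid %u\n", (unsigned)geteuid());
    return 0;
}
```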

