[pacman-dev] Adding privilege levitation to pacman
Allan McRae
allan at archlinux.org
Tue Jan 5 02:26:59 UTC 2021
On 5/1/21 12:14 pm, Levente Polyak via pacman-dev wrote:
> On January 5, 2021 1:43:32 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev at lists.archlinux.org> wrote:
>> So... I am super-anti polkit in any form for terminal based programs.
>> I would be happy to use polkit in any graphical frontend, but we don't
>> have one in the pacman code base!
>>
>>
>> Let's break the problem down a bit:
>>
>> The areas we need root:
>> a) package installation
>>
>> The areas we should run as a dedicated user:
>> b) database download
>> c) package download
>> d) gpg verification (for keyring ownership)
>>
>> Am I missing anything?
>>
>>
>> The rest can be run as a user.
>>
>> Currently, both the areas needing to run as root and those that could
>> be run as a dedicated user are well detected, so any operation requiring
>> these at any stage checks for root privileges. Any operation not
>> requiring root privileges at any stage can be run as a user. The problem
>> is when there are combined operations!
>>
>> A "quick fix" would be to boot operations b-d to separate helper
>> binaries, with the pacman binary offloading as necessary. That removes
>> most of our attack space.
>>
>> For a more complete pacman fix, note that all root (or dedicated user)
>> needed operations happen first in any transaction - e.g. -Syi does the
>> "y" first, so pacman could just drop root privileges as soon as those
>> are done.
>
>
> So far so good, but I think it's a bit more complicated
>
Can you expand on those thoughts rather than leaving us in a cloud of mystery?
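The staged model Allan sketches in the quoted text (do the root-only work first, then drop privileges before the rest of the transaction) is easy to get subtly wrong, so here is an added example of a permanent privilege drop with a self-check. It is illustrative code written for this page, not pacman's own, and the function names (drop_privileges, privileges_dropped, demo_drop) and the use of uid/gid 65534 ("nobody") as a stand-in for a dedicated pacman user are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (needs CAP_SETGID, so it must happen while still root), then the gid
 * (setresgid fails once the uid is unprivileged), then the uid last.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
	if (geteuid() == 0 && setgroups(0, NULL) != 0)
		return -1;
	if (setresgid(gid, gid, gid) != 0)
		return -1;
	if (setresuid(uid, uid, uid) != 0)
		return -1;
	return 0;
}

/* Verify the drop: real, effective and saved ids must all equal the
 * target, and root must not be recoverable. Returns 1 if fully dropped,
 * 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
	uid_t ru, eu, su;
	gid_t rg, eg, sg;

	if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
		return 0;
	if (ru != uid || eu != uid || su != uid)
		return 0;
	if (rg != gid || eg != gid || sg != gid)
		return 0;
	/* A saved uid of 0 left behind would let setuid(0) succeed. */
	if (uid != 0 && setuid(0) == 0)
		return 0;
	return 1;
}

/* Models the staged transaction: the root-only step runs first, then we
 * drop before the remaining work. When run as root, 65534 ("nobody")
 * stands in for a dedicated pacman user (assumption); when already
 * unprivileged, we drop to our own ids so the same path is exercised.
 * Returns 1 when the drop is verified. */
int demo_drop(void)
{
	uid_t uid = getuid();
	gid_t gid = getgid();

	if (geteuid() == 0) {
		uid = 65534;
		gid = 65534;
	}
	/* ... root-only work (e.g. the "y" database refresh) goes here ... */
	if (drop_privileges(uid, gid) != 0) {
		fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
		return 0;
	}
	/* ... unprivileged work (e.g. the "i" query) continues here ... */
	return privileges_dropped(uid, gid);
}

int main(void)
{
	if (!demo_drop()) {
		fprintf(stderr, "privilege drop failed or incomplete\n");
		return 1;
	}
	printf("running as uid %u gid %u, root not recoverable\n",
	       (unsigned)geteuid(), (unsigned)getegid());
	return 0;
}
```

Run it as root to see the real drop to 65534; as an ordinary user it drops to its own ids and still passes the check. The two points worth keeping from it are the call order (setgroups, setresgid, setresuid) and the explicit attempt to regain root afterwards: a drop that leaves the saved uid at 0 looks fine to a geteuid() check but is trivially reversible.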