[pacman-dev] Adding privilege levitation to pacman

Levente Polyak anthraxx at archlinux.org
Tue Jan 5 02:45:08 UTC 2021


On January 5, 2021 3:26:59 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev at lists.archlinux.org> wrote:
>On 5/1/21 12:14 pm, Levente Polyak via pacman-dev wrote:
>> On January 5, 2021 1:43:32 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev at lists.archlinux.org> wrote:
>>> So...   I am super-anti polkit in any form for terminal based programs.
>>> I would be happy to use polkit in any graphical frontend, but we don't have one in the pacman code base!
>>>
>>>
>>> Let's break the problem down a bit:
>>>
>>> The areas we need root:
>>> a) package installation
>>>
>>> The areas we should run as a dedicated user:
>>> b) database download
>>> c) package download
>>> d) gpg verification (for keyring ownership)
>>>
>>> Am I missing anything?
>>>
>>>
>>> The rest can be run as a user.
>>>
>>> Currently, both the areas needing run as root and those that could be a dedicated user are well detected, so any operation requiring these at any stage checks for root privileges.  Any operation not requiring root privileges at any stage can be run as a user.  The problem is when there are combined operations!
>>>
>>> A "quick fix" would be to boot operations b-d to separate helper binaries, with the pacman binary offloading as necessary.  That removes most of our attack space.
>>>
>>> For a more complete pacman fix, note that all root (or dedicated user) needed operations happen first in any transaction - e.g. -Syi does the "y" first, so pacman could just drop root privileges as soon as those are done.
>> 
>> 
>> So far so good, but I think it's a bit more complicated 
>> 
>
>Can you expand that thoughts rather than leaving us in a cloud of mystery?

Uff, sorry, this was a draft I started and needed to leave, but instead the stupid MUA sent it. Guess I hit the wrong button.

I agree with the first parts, but a simple sorted execution before dropping won't be sufficient: you will have a separate user action before the root-privileged action, first syncing the database and downloading packages before installing them, like a simple -Syu.
There are multiple ways to achieve this, like separated binary offloading or multiple forked executions with lower privileges. But it's certainly required to be able to execute a lower-privileged context before having a higher-privileged context at the end, like package installation. Even for a single action you want to have a non-root context to download the packages.

Cheers, 
Levente 
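
The "multiple forked executions with lower privileges" shape that Levente describes for a -Syu, sketched as an added C example. This is not pacman code and not from either author; the function names (drop_privileges, run_as, sync_and_upgrade), the stand-in download and install steps, and the fallback uid/gid 65534 used when the demo itself runs as root are all assumptions made here for illustration. The point it shows is the ordering problem from the thread: the unprivileged phase (database sync, package download) runs in a forked child that has permanently dropped its identity and verified it cannot regain root, while the parent keeps its original identity for the privileged installation phase that comes last.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to an unprivileged uid/gid. Order matters: supplementary
 * groups first, then gid, then uid (after the uid change we may no longer be
 * allowed to touch the others). Verifies the result and that root cannot be
 * regained. Returns 0 on success, -1 on failure (treat as fatal). */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (uid == 0) {                 /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                  /* clear supplementary groups (root only) */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* All three ids (real, effective, saved) must have changed ... */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* ... and regaining root must now fail. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* Run fn(arg) in a forked child that has dropped to uid/gid. The parent keeps
 * its own (possibly root) identity for the privileged phase that follows.
 * Returns the child's exit status (0 = success), or -1 if fork/wait failed;
 * the child exits 111 if the privilege drop itself failed. */
int run_as(uid_t uid, gid_t gid, int (*fn)(void *), void *arg)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(111);
        _exit(fn(arg) == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Assumption for this demo: when running as root, drop to 65534 (the usual
 * "nobody" id); a real implementation would look up a dedicated user. When
 * not root, we cannot change identity, so the child keeps the caller's ids
 * and only the process isolation of the fork remains. */
void unprivileged_identity(uid_t *uid, gid_t *gid)
{
    *uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    *gid = getegid() == 0 ? (gid_t)65534 : getgid();
}

/* Constructed stand-in for the unprivileged phase (db sync + package download):
 * it must never observe an effective uid of 0. */
static int download_step(void *arg)
{
    (void)arg;
    return geteuid() == 0 ? 1 : 0;
}

/* Constructed stand-in for the privileged phase (installation): it must still
 * hold the identity the process started with. */
static int install_step(uid_t expected_euid)
{
    return geteuid() == expected_euid ? 0 : 1;
}

/* The -Syu shape: unprivileged child first, privileged parent last.
 * Returns 0 on success, non-zero if either phase ran with the wrong identity. */
int sync_and_upgrade(void)
{
    uid_t uid, original = geteuid();
    gid_t gid;

    unprivileged_identity(&uid, &gid);
    if (run_as(uid, gid, download_step, NULL) != 0)
        return -1;
    return install_step(original);
}

int main(void)
{
    int rc = sync_and_upgrade();
    printf("sync_and_upgrade: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

Run it as an ordinary user and the child's identity change is a no-op (an unprivileged process may only setresuid() to ids it already holds), so the example degrades to plain fork isolation; run it as root and the child actually lands on 65534 and its setuid(0) attempt fails with EPERM, which is the check drop_privileges() insists on. The verification step after setresuid() is the part most often skipped in practice and the one that catches a partial drop (for example a saved uid left at 0).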
