[pacman-dev] Adding privilege levitation to pacman

Eli Schwartz eschwartz at archlinux.org
Tue Jan 5 03:20:04 UTC 2021


On 1/4/21 9:45 PM, Levente Polyak via pacman-dev wrote:
> I agree with the first parts, but a simple sorted execution before
> dropping won't be sufficient, you will have separate user action
> before root privileged action for first syncing the database and
> downloading packages before installing them like a simple -Syu.
> 
> There are multiple ways to achieve this, like with separated binary
> offloading or multiple forked execution with lower privileges. But
> it's certainly required to be able to execute lower privileged
> context before having a higher privileged context at the end like
> package installation. Even for a single action you want to have a non
> root context to download the packages.

As far as I can tell, the idea here is to:
- run those dedicated tasks using e.g. separated binary offloading,
- resume the main root flow for package installation,
- then and only then consider the issue of "-Syi does not need root for
   the -i part", and then permanently, irrecoverably, drop permissions in
   order to do purely informational terminal output.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
