[pacman-dev] [PATCHv2] Add optional 'SandboxUser' option to drop privileges before downloading files
Remi Gacogne
rgacogne at archlinux.org
Mon Sep 6 07:34:34 UTC 2021
On 9/6/21 2:42 AM, Andrew Gregory wrote:
> Put notes here to avoid including them in the commit message.
Understood, thanks!
> After thinking about this some more, I think this is far too simple. Just
> running download_internal in an unprivileged fork will break anything that
> relies on side effects. download_internal sets pm_errno, tracks server errors,
> and calls a number of front-end callbacks. Losing server error tracking across
> multiple downloads isn't a big deal, but losing pm_errno is significant and we
> have no way of knowing what kind of state changes the front-end callbacks might
> be making. I suspect this would massively break GUI front-ends.
Right, that was my main worry when I started working on this, but since
the 'XferCommand' option existed I was hopeful the download code was not
too tightly coupled with the rest of the code.
Do you think it would still make sense to keep working on this? It looks
like we could pass the value of pm_errno back to the main process, using
a pipe if needed. As for the front-end callbacks I guess we could detect
that these are set and disable the sandboxing in that case, while
documenting that this option does not play well with GUI front-ends. I'm
guessing that's already the case with 'XferCommand', since the same
issues likely apply?
Remi
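As an added sketch of the pipe idea discussed above (example code written for this page, not pacman's code and not from anyone in this thread): the child drops privileges, runs a stand-in for download_internal, and writes its pm_errno-style result into a pipe, so the parent recovers the error code even though the fork's memory is separate. fake_download, sandboxed_download and the error value 42 are constructed assumptions.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for pacman's download_internal(): returns 0 on
 * success, or a constructed pm_errno-style code (42) when 'fail' is set. */
static int fake_download(int fail)
{
	return fail ? 42 : 0;
}

/* Run the download in a forked child that drops to uid/gid when the parent
 * is root (uid 0 means "do not drop"), and pass the child's error code back
 * over a pipe. Returns that code, or -1 if the sandboxed run itself broke.
 * A real version would also clear supplementary groups via setgroups(). */
int sandboxed_download(int fail, uid_t uid, gid_t gid)
{
	int fds[2], rc = -1, status;
	if (pipe(fds) != 0) {
		return -1;
	}
	pid_t pid = fork();
	if (pid < 0) {
		close(fds[0]);
		close(fds[1]);
		return -1;
	}
	if (pid == 0) {
		close(fds[0]);
		/* drop group first, then user; give up rather than run privileged */
		if (uid != 0 && getuid() == 0 && (setgid(gid) != 0 || setuid(uid) != 0)) {
			_exit(127);
		}
		rc = fake_download(fail);
		/* the only state that crosses the process boundary is this one int */
		if (write(fds[1], &rc, sizeof(rc)) != (ssize_t)sizeof(rc)) {
			_exit(126);
		}
		_exit(0);
	}
	close(fds[1]);
	ssize_t n = read(fds[0], &rc, sizeof(rc));
	close(fds[0]);
	if (waitpid(pid, &status, 0) < 0 || n != (ssize_t)sizeof(rc)
			|| !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		return -1;
	}
	return rc;
}
```

Any front-end callbacks fired inside the child would still only mutate the child's copy of the state, which is exactly the part this pattern cannot forward.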