[pacman-dev] [PATCHv2] Add optional 'SandboxUser' option to drop privileges before downloading files

Remi Gacogne rgacogne at archlinux.org
Mon Sep 6 07:34:34 UTC 2021

On 9/6/21 2:42 AM, Andrew Gregory wrote:
> Put notes here to avoid including them in the commit message.

Understood, thanks!

> After thinking about this some more, I think this is far too simple.  Just
> running download_internal in an unprivileged fork will break anything that
> relies on side effects.  download_internal sets pm_errno, tracks server errors,
> and calls a number of front-end callbacks.  Losing server error tracking across
> multiple downloads isn't a big deal, but losing pm_errno is significant and we
> have no way of knowing what kind of state changes the front-end callbacks might
> be making.  I suspect this would massively break GUI front-ends.

Right, that was my main worry when I started working on this, but since 
the 'XferCommand' option existed I was hopeful the download code was not 
too tightly coupled with the rest of the code.
Do you think it would still make sense to keep working on this? It looks 
like we could pass the value of pm_errno back to the main process, using 
a pipe if needed. As for the front-end callbacks I guess we could detect 
that these are set and disable the sandboxing in that case, while 
documenting that this option does not play well with GUI front-ends. I'm 
guessing that's already the case with 'XferCommand?', since the same 
issues likely apply?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20210906/a63a8a7c/attachment.sig>

More information about the pacman-dev mailing list