[pacman-dev] [PATCHv2] Add optional 'SandboxUser' option to drop privileges before downloading files

Remi Gacogne rgacogne at archlinux.org
Sat Sep 18 15:07:04 UTC 2021


On 9/6/21 09:34, Remi Gacogne wrote:
> Right, that was my main worry when I started working on this, but since 
> the 'XferCommand' option existed I was hopeful the download code was not 
> too tightly coupled with the rest of the code.
> Do you think it would still make sense to keep working on this? It looks 
> like we could pass the value of pm_errno back to the main process, using 
> a pipe if needed. As for the front-end callbacks I guess we could detect 
> that these are set and disable the sandboxing in that case, while 
> documenting that this option does not play well with GUI front-ends. I'm 
> guessing that's already the case with 'XferCommand?', since the same 
> issues likely apply?

I looked a bit more into this. Passing pm_errno back is easy, and can 
even be done using the exit status without setting up a pipe.
Unfortunately I realize now that I under-estimated the criticality of 
the front-ends callbacks. Reading that code more in depth quickly 
uncovered issues I did not notice earlier, like 'on_progress' being set 
during the downloads and leading to cb_log adding messages to a list 
that is never flushed when we fork.
I'm not sure how to deal with that. Serializing the content of the dlcb 
events to pass them over a pipe could be done, but that would be a 
rather big patch, and would be cumbersome to maintain. I'll think about 
it a bit more, and in the meantime any ideas are welcome :)

Remi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20210918/23b88d5b/attachment.sig>


More information about the pacman-dev mailing list