#1 2023-07-12 21:12:16

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,992
Website

[SOLVED] pacman does not work with SUID bit set

Just out of curiosity, I set the SUID bit on /usr/bin/pacman:

0 ✓ rne@envy ~ $ ls -l /usr/bin/pacman
-rwsr-sr-x 1 root root 145432 20. Mai 00:45 /usr/bin/pacman
0 ✓ rne@envy ~ $ 

However, when running it, it still thinks it is not root:

0 ✓ rne@envy ~ $ LANG=C /usr/bin/pacman -Syu
error: you cannot perform this operation unless you are root.
1 ✗ rne@envy ~ $ 

My question is: why?
And before you break out the pitchforks: No, I do not intend to actually keep it this way or use it.
Consider this an academic question.

Last edited by schard (2023-07-13 07:42:57)


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

Offline

#2 2023-07-12 21:29:59

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: [SOLVED] pacman does not work with SUID bit set

Is your file system mounted with 'nosuid'?


RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan

Offline

#3 2023-07-12 21:34:49

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,992
Website

Re: [SOLVED] pacman does not work with SUID bit set

Nope

/home/rne〉findmnt /    2023-07-12 23:33:50
TARGET SOURCE           FSTYPE OPTIONS
/      /dev/mapper/root ext4   rw,relatime,discard
/home/rne〉

Otherwise, I think, sudo and the like should not work either.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

Offline

#4 2023-07-12 21:56:32

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,579
Website

Re: [SOLVED] pacman does not work with SUID bit set

It would seem pacman checks the real user id which remains your regular user when you run a suid program.  Simple code to confirm that the real uid remains the same:

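#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>

int main(void) {
	/* real, effective and saved set-user-ID of this process */
	uid_t real, effective, set;
	if (getresuid(&real, &effective, &set) != 0) {
		perror("getresuid");
		return 1;
	}
	/* uid_t is unsigned, so print it as such */
	printf("%u %u %u\n", (unsigned)real, (unsigned)effective, (unsigned)set);
	return 0;
}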

Compile that, chown it to root and set the suid bit.  When you run it as a regular user (relying on the SUID for permissions) it reports 1000 0 0 for me (as my user id is 1000).  When run via sudo / doas it reports 0 0 0.

I just confirmed this in pacman.c from the current development code, line 1090 calls getuid (not geteuid), and shortly later on line 1135 this is tested and results in the error message from the first post:

$ git clone https://gitlab.archlinux.org/pacman/pacman.git
# ... git output not shown ...

$ sed -n '1087,1090p;1091s/.*/.../p;1135,1138p' pacman/src/pacman/pacman.c
int main(int argc, char *argv[])
{
	int ret = 0;
	uid_t myuid = getuid();
...
	if(myuid > 0 && needs_root()) {
		pm_printf(ALPM_LOG_ERROR, _("you cannot perform this operation unless you are root.\n"));
		cleanup(EXIT_FAILURE);
	}

Patching pacman to run as SUID would require at least a change to line 1090 replacing getuid() with geteuid().

Last edited by Trilby (2023-07-12 22:09:04)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline
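
Added example (not part of any post in this thread, and not pacman's code): the getuid()-style gate from the excerpt above next to a geteuid()-style one, evaluated against the live process IDs. The function and struct names are made up for this illustration; getauxval(AT_SECURE) is the libc call that reports whether the kernel started the process in secure-execution mode.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

struct creds { uid_t ruid, euid, suid; int at_secure; };

/* Snapshot the IDs of the running process (same call as in the post above). */
static int read_creds(struct creds *c) {
	if (getresuid(&c->ruid, &c->euid, &c->suid) != 0)
		return -1;
	/* Non-zero when the kernel started us in secure-execution mode,
	 * which is the case for a SUID binary run by another user. */
	c->at_secure = getauxval(AT_SECURE) != 0;
	return 0;
}

/* Gate shaped like the pacman.c excerpt: only the real UID counts. */
static int denied_by_real_uid(uid_t ruid) { return ruid > 0; }

/* Hypothetical variant that trusts the effective UID instead. */
static int denied_by_effective_uid(uid_t euid) { return euid > 0; }

/* True when privilege came from the SUID bit rather than sudo/doas/login. */
static int elevated_by_suid(uid_t ruid, uid_t euid) { return ruid != euid; }

int main(void) {
	struct creds c;
	if (read_creds(&c) != 0) {
		perror("getresuid");
		return 1;
	}
	printf("real=%u effective=%u saved=%u at_secure=%d\n",
	       (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid, c.at_secure);
	printf("getuid()-style check:  %s\n",
	       denied_by_real_uid(c.ruid) ? "denied" : "allowed");
	printf("geteuid()-style check: %s\n",
	       denied_by_effective_uid(c.euid) ? "denied" : "allowed");
	if (elevated_by_suid(c.ruid, c.euid))
		printf("running SUID: environment and arguments come from uid %u\n",
		       (unsigned)c.ruid);
	return 0;
}
```

For the 1000 0 0 case reported above, the first check denies and the second allows; for 0 0 0 (sudo / doas) both allow.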

#5 2023-07-12 22:14:44

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,992
Website

Re: [SOLVED] pacman does not work with SUID bit set

Thanks Trilby. I think that settles it.
I don't think that pacman was ever intended to be run via SUID anyway due to the security implications.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }

Offline
