
#1 2013-02-10 21:26:19

cdwijs
Member
Registered: 2010-04-24
Posts: 162

Pacman refuses to run as non-root user, I don't agree :-)

Hi All,

I would like to run pacman as a user with limited rights, so it can not overwrite my personal files. In order for this to work, I would like to change the ownership of all the needed directories for pacman to a new user, and then run pacman as this new user.

Pacman however refuses to run as the root user:

$ pacman -Suy
error: you cannot perform this operation unless you are root.

Is it a good idea to change pacman so it does work as a non-root user? Please also tell me if this is a terrible idea :-)

Best regards,
Cedric

Offline

#2 2013-02-10 21:30:39

kaszak696
Member
Registered: 2009-05-26
Posts: 543

Re: Pacman refuses to run as non-root user, I don't agree :-)

How do you intend to update your system, which is almost entirely root-owned? And no, it doesn't overwrite your personal files unless they somehow belong to an installed package, which they shouldn't. In case of configs in /etc, pacman just creates new config as .pacnew files to be reviewed by user.

Last edited by kaszak696 (2013-02-10 21:32:31)


'What can be asserted without evidence can also be dismissed without evidence.' - Christopher Hitchens
'There's no such thing as addiction, there's only things that you enjoy doing more than life.' - Doug Stanhope
GitHub Junkyard

Offline

#3 2013-02-10 21:33:07

WorMzy
Forum Moderator
From: England
Registered: 2010-06-16
Posts: 4,851

Re: Pacman refuses to run as non-root user, I don't agree :-)

What "personal" files do you think pacman is overwriting?


Sakura:-
Mobo: ASUS P8Z77-V PRO // Processor: Intel Core i7-3770K 3.4GHz // GFX: nVidia GeForce GTX 970 Ti // RAM: 32GB (4x 8GB) Corsair DDR3 (@ 2133MHz) // Storage: 1x 3TB Seagate SATAII 5x 1TB Samsung SATAII, 2x 120GB Corsair SSD

Offline

#4 2013-02-10 21:50:02

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: Pacman refuses to run as non-root user, I don't agree :-)

This is a terrible idea.  Use "pacman -Qii <some package>" and look at the bottom of the output.  It is smart enough to be told to treat config files differently.  Ergo, if they are changed and an update occurs, you will end up with a *.pacnew file.  If you remove the package, these files stay unless specifically told to remove them.

Offline

#5 2013-02-10 21:50:51

cdwijs
Member
Registered: 2010-04-24
Posts: 162

Re: Pacman refuses to run as non-root user, I don't agree :-)

kaszak696 wrote:

How do you intend to update your system, which is almost entirely root-owned?

I would first change the ownership of the files pacman needs access to, then run pacman as that user. I don't know exactly yet what files they are, but I guess it's everything below /usr, and the /var/cache/pacman, and probably some other places.

kaszak696 wrote:

And no, it doesn't overwrite your personal files unless they somehow belong to an installed package, which they shouldn't. In case of configs in /etc, pacman just creates new config as .pacnew files to be reviewed by user.

You are absolutely right. This should not happen. But why not make it impossible to happen? Adding the new user, and chowning the needed files/directories only has to be done once, after that the system is more secure.

Best regards,
Cedric

Offline

#6 2013-02-10 21:54:04

kaszak696
Member
Registered: 2009-05-26
Posts: 543

Re: Pacman refuses to run as non-root user, I don't agree :-)

Chowning everything in /usr is a giant gaping security hole, you are just asking for trouble. Even if not, files in packages are owned by root by default, so I don't think chowning would be permanent.

Last edited by kaszak696 (2013-02-10 21:58:29)



Offline

#7 2013-02-10 21:55:42

jasonwryan
Forum & Wiki Admin
From: .nz
Registered: 2009-05-09
Posts: 18,066
Website

Re: Pacman refuses to run as non-root user, I don't agree :-)

cdwijs wrote:

I don't know exactly yet what files they are, but I guess it's everything below /usr, and the /var/cache/pacman, and probably some other places.


This is what is commonly referred to in the literature as the "fatal flaw"...


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Offline

#8 2013-02-10 21:57:04

cdwijs
Member
Registered: 2010-04-24
Posts: 162

Re: Pacman refuses to run as non-root user, I don't agree :-)

WonderWoofy wrote:

This is a terrible idea.  Use "pacman -Qii <some package>" and look at the bottom of the output.  It is smart enough to be told to treat config files differently.  Ergo, if they are changed and an update occurs, you will end up with a *.pacnew file.  If you remove the package, these files stay unless specifically told to remove them.

In order for this to work, pacman still does not need to be run as root, it only needs write access to some files under /etc.

Best regards,
Cedric

Offline

#9 2013-02-11 00:03:48

2ManyDogs
Member
Registered: 2012-01-15
Posts: 1,631

Re: Pacman refuses to run as non-root user, I don't agree :-)

You asked "is this a terrible idea?" and several people have told you, yes, this is a terrible idea, and have even told you why. Yet you persist. Why did you ask for opinions in the first place if you already knew what you were going to do? This begins to look like trolling. Go ahead, do whatever you want. It's your system.

Last edited by 2ManyDogs (2013-02-11 00:40:36)

Offline

#10 2013-02-11 00:53:11

Trilby
Forum Moderator
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 13,368
Website

Re: Pacman refuses to run as non-root user, I don't agree :-)

chown all the files pacman needs access to?  OK, pacman is the package manager.  It manages all packages.  All files installed in a fresh install are owned by packages.  Pacman needs access to all of them; ALL of them.  The only files pacman should not need access to are your personal files which are stored under /home/, and perhaps any files you have independently placed under /opt/.

Pacman needs access to /usr and /var as already noted, but also to /boot ... you do get kernel upgrades, right? It also needs access to /bin /sbin and /etc.  That only really leaves /opt, /root and /home as real (i.e., on disk) directories.  The first of those could well be empty (mine is) and the second can be pretty darn close to empty.  The third contains those personal files you don't want pacman to touch ... which it doesn't anyways.

So you would want to chown your entire root and boot partitions to some user so pacman could have access to everything that it currently has access to but does not have access to what it wouldn't touch anyways?

Best of luck.

EDIT: if my sarcasm buried the point, the point is this new user that you'd create would effectively be a root account.  The only difference is that the new user could access your home directory(ies) - that's it.  If this is your end goal, to protect your home partition from pacman (which as an aside has no code that would have it touch your home directory), then you could just unmount your home partition every time you run pacman.  This would be far easier ... though no less pointless.

Last edited by Trilby (2013-02-11 00:56:31)


InterrobangSlider
• How's my coding? See this page.
• How's my moderating? Feel free to email any concerns, complaints, or objections.

Offline

#11 2013-02-11 01:19:36

KaiSforza
Member
Registered: 2012-04-22
Posts: 133
Website

Re: Pacman refuses to run as non-root user, I don't agree :-)

I've heard a lot of crazy things about package management in my time, but nothing could top the damage done by doing what you are proposing. On my system with ~600 packages, pacman is right now managing 131840 files. That's a lot of things that chowning can break. If you want to keep personal configs, then keep them in your $HOME directory. If they're system configuration files, pacman will not overwrite them anyway because it's not dumb. If the file has been modified, it will install a `file.pacnew` file next to `file`. Unless you somehow manage to trick pacman into thinking you didn't modify the file, then you have nothing to worry about. If there is a package that is having configs overwritten, then contact the maintainer, because there's something missing in their PKGBUILD. (Hell, systemd has a whole infrastructure for user and system configs, with three different places for them so that even dumb package managers can't break things.)

I thought that the reason for not wanting to run pacman as root was for a good reason, like you want to just download files to a user owned directory, but no. Not even a valid reason.

As other people have said, try running `pacman -Qii <package name>` and looking at the output on the bottom. It will tell you which config files pacman is tracking and which ones have been modified since the package was installed.


Thinkpad T420 | Intel 3000 | systemd {,--user}
PKGBUILDs I use | pywer AUR helper

Offline
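The three-way comparison behind the .pacnew behaviour described in posts #2, #4 and #11, following the "HANDLING CONFIG FILES" section of the pacman(8) man page. This is an added example, not part of the thread and not pacman's own code; the paths, file contents, function names and the choice of SHA-256 are constructed for illustration.

```python
import hashlib


def digest(data: bytes) -> str:
    """Hash one version of a tracked config file."""
    return hashlib.sha256(data).hexdigest()


def backup_action(original: bytes, current: bytes, new: bytes) -> str:
    """Decide what an upgrade does with a file listed in a package's backup array.

    original: file as shipped by the installed package version
    current:  file as it is on disk now
    new:      file as shipped by the package version being installed
    """
    o, c, n = digest(original), digest(current), digest(new)
    if c == o:
        return "install"   # never edited locally: take the new file
    if n == o:
        return "keep"      # package file unchanged: leave local edits alone
    if n == c:
        return "install"   # local edit already equals the new file
    return "pacnew"        # all three differ: write <file>.pacnew, keep current


def plan_upgrade(files: dict) -> dict:
    """Map each tracked path to the action the upgrade would take."""
    return {path: backup_action(*versions) for path, versions in files.items()}


def needs_review(plan: dict) -> list:
    """Paths of the .pacnew files the administrator has to merge by hand."""
    return sorted(p + ".pacnew" for p, action in plan.items() if action == "pacnew")


# Constructed sample: (original, current, new) contents per tracked file.
SAMPLE = {
    "/etc/example/a.conf": (b"v1\n", b"v1\n", b"v2\n"),
    "/etc/example/b.conf": (b"v1\n", b"v1 local\n", b"v1\n"),
    "/etc/example/c.conf": (b"v1\n", b"v2\n", b"v2\n"),
    "/etc/example/d.conf": (b"v1\n", b"v1 local\n", b"v2\n"),
}

if __name__ == "__main__":
    for path, action in plan_upgrade(SAMPLE).items():
        print(f"{action:8} {path}")
    print("review:", needs_review(plan_upgrade(SAMPLE)))
```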

#12 2013-02-11 01:44:28

fukawi2
Forum Moderator
From: .vic.au
Registered: 2007-09-28
Posts: 5,251
Website

Re: Pacman refuses to run as non-root user, I don't agree :-)

(Apologies for the trimmed quote)

Trilby wrote:

.....then you could just unmount your home partition every time you run pacman.  This would be far easier ...

This is the sanest suggestion I've seen in this thread.... But...

Trilby wrote:

no less pointless.

Offline

#13 2013-02-11 01:53:36

Stebalien
Member
Registered: 2010-04-27
Posts: 1,218
Website

Re: Pacman refuses to run as non-root user, I don't agree :-)

tomoyo


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com

Offline

#14 2013-02-11 06:49:27

cdwijs
Member
Registered: 2010-04-24
Posts: 162

Re: Pacman refuses to run as non-root user, I don't agree :-)

2ManyDogs wrote:

You asked "is this a terrible idea?" and several people have told you, yes, this is a terrible idea, and have even told you why. Yet you persist. Why did you ask for opinions in the first place if you already knew what you were going to do? This begins to look like trolling. Go ahead, do whatever you want. It's your system.

Reading back I realize I have offended a lot of people. This was not what I wanted to do. Please accept my apologies.

I have asked this the wrong way. I wanted to know what I had to change to my system in order for this to work, but instead I only asked if I should actually do it or not. It was not my intention to troll.

I would like to thank everybody for warning me about the problems I would encounter.

(The below is not meant to troll, just to warn somebody else with the same idea)
I have thought of one more reason not to do this. Even when I get pacman to work, then I would still have the problem of suid root executables. These end up not running as root, but as the package manager user/group. This will cause even more problems.

Best regards,
Cedric

Offline
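A read-only audit for the set-id problem raised in post #14: it lists set-uid/set-gid files under a tree together with the ids they would actually run with, so any set-uid file not owned by root stands out. This is an added example, not from the thread; the function names are illustrative and the default /usr path is an assumption.

```python
import os
import stat
import sys


def effective_ids(mode, uid, gid):
    """Return the (uid, gid) a file's set-id bits impose at exec time.

    None means "not overridden": the process keeps the caller's id.
    """
    run_uid = uid if mode & stat.S_ISUID else None
    # set-gid without group-execute grants no privilege (legacy lock marker)
    run_gid = gid if (mode & stat.S_ISGID and mode & stat.S_IXGRP) else None
    return run_uid, run_gid


def audit_setid(root):
    """Walk root and list set-id regular files with the ids they run as."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            run_uid, run_gid = effective_ids(st.st_mode, st.st_uid, st.st_gid)
            if run_uid is not None or run_gid is not None:
                findings.append((path, run_uid, run_gid))
    return sorted(findings)


def not_root(findings):
    """Set-uid files that would run as a non-root owner instead of root."""
    return [path for path, run_uid, _gid in findings if run_uid not in (None, 0)]


if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path in not_root(audit_setid(tree)):
        print(path)
```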

#15 2013-02-13 02:01:36

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,661

Re: Pacman refuses to run as non-root user, I don't agree :-)

There is a related suggestion which you might want to consider.

If for any reason you wish/need to install software without pacman - and this is not recommended but if you did - then it is possible to manage that software under /usr/local as another user. This is because packages managed by pacman do not install software here. The main reason to do this, though, is not to protect your personal files but to protect the system i.e. to protect anything else interfering with the files managed by pacman.

For example:

$ ls -l /usr/local/
total 68
drwxr-xr-x  2 software software  4096 Tach 10 19:05 bin/
drwxr-xr-x  2 software software  4096 Tach 10 19:05 doc/
drwxr-xr-x  2 root     root      4096 Ion  27 07:29 etc/
drwxr-xr-x  2 root     root      4096 Ion  27 07:29 games/
drwxr-xr-x  2 root     root      4096 Ion  27 07:29 include/
drwxr-xr-x  4 software software  4096 Ion   6 18:40 lib/
drwx------  2 root     root     16384 Tach  9 16:25 lost+found/
drwxr-xr-x  2 root     root      4096 Ion  27 07:29 man/
drwxr-xr-x  2 root     root      4096 Ion  19  2012 sbin/
drwxr-xr-x  5 software software  4096 Ion  28 02:27 share/
drwxr-xr-x  2 root     root      4096 Ion  27 07:29 src/
drwxr-xr-x 20 software software  4096 Chw   6 21:46 stow/
drwxr-xr-x 65 texlive  texlive   4096 Tach 10 19:04 stow-tex/
drwxr-xr-x  5 texlive  texlive   4096 Gor  25  2012 texlive/

I like this method but, then, I'm a refugee from Mac OS X...


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD

Offline
