You are not logged in.
- Topics: Active | Unanswered
#1 2015-08-21 21:40:00
- gajjanag
- Member
- From: Cambridge, MA
- Registered: 2015-05-10
- Posts: 17
- Website
[solved]pacman: package downloads as non root?
I do not understand something about arch package management: why does pacman prompt for a password before even downloading a package?
Or put another way, why must pacman -S be done as root?
I am likely being naive here, but to me it seems like one should follow a principle of least privilege:
downloading a package should be done into some non root location, e.g /tmp so that root is not needed in obtaining the package over the network.
The installation will obviously require root privileges, and at that point a password prompt could appear.
See e.g some AUR helpers, yaourt being the example I am familiar with.
yaourt downloads into /tmp (no root needed), and then installs after prompting for a password.
I tried man pacman to check if I am completely off track here, but could not find a relevant option.
Last edited by gajjanag (2015-08-27 02:20:14)
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline
#2 2015-08-21 22:02:57
- karol
- Archivist
- Registered: 2009-05-06
- Posts: 25,440
Re: [solved]pacman: package downloads as non root?
I don't know the answer, but AFAICT, in order to know what packages to download, you have to sync package databases and deal with their signatures.
Offline
#3 2015-08-21 22:09:52
- gajjanag
- Member
- From: Cambridge, MA
- Registered: 2015-05-10
- Posts: 17
- Website
Re: [solved]pacman: package downloads as non root?
Thanks for the information, but note that it does not fully answer my question:
this signature business is only one component of the whole process,
and so root can be invoked only as needed.
Maybe usability would be hurt with multiple prompts? (I am looking at you systemctl - try it without a sudo prefixed)
That can often be handled like the way sudo/gpg do it- keep credentials alive for some time.
However, depending on when this signature stuff needs to be done, perhaps the security benefits become marginal if such an approach was used.
I guess further insight will be best obtained from a pacman dev.
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline
#4 2015-08-22 00:48:47
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,458
- Website
Re: [solved]pacman: package downloads as non root?
The package database is for the system, and is thus in a root-access path (/var/). If there were separate databases per-user (eg ~/.pacman/) then you would not need root access until installing. But this would have the side effect of allowing a local sync database to be out of sync with what was actually installed - this is essentially the state of a partial upgrade and is not supported as it would be miserable to try to support.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#5 2015-08-22 00:57:07
- gajjanag
- Member
- From: Cambridge, MA
- Registered: 2015-05-10
- Posts: 17
- Website
Re: [solved]pacman: package downloads as non root?
Thanks. I will mark this as solved after a few days (leaving this open for now so that others interested in this can discuss).
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline
#6 2015-08-22 01:32:25
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,317
Re: [solved]pacman: package downloads as non root?
Thanks. I will mark this as solved after a few days (leaving this open for now so that others interested in this can discuss).
If you have security concerns about downloading with root, then the solution is very simple. Create a special user for pacman downloads, allow it write access to the pacman cache, and change to that user in your XferCommand (sudo or su)
PS: Pacman also provides a nice API, so you can implement your own flavour in e.g. python and chop up the whole process as you like.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
Offline