[SOLVED] pacman does not work with SUID bit set

schard · 2023-07-12 21:12:16

Just out of curiosity, I set the SUID bit on /usr/bin/pacman:

0 ✓ rne@envy ~ $ ls -l /usr/bin/pacman
-rwsr-sr-x 1 root root 145432 20. Mai 00:45 /usr/bin/pacman
0 ✓ rne@envy ~ $

However, when running it, it still thinks it is not root:

0 ✓ rne@envy ~ $ LANG=C /usr/bin/pacman -Syu
error: you cannot perform this operation unless you are root.
1 ✗ rne@envy ~ $

My question is: why?
And before you break out the pitchforks: No, I do not intend to actually keep it this way or use it.
Consider this an academic question.

Last edited by schard (2023-07-13 07:42:57)

dogknowsnx · 2023-07-12 21:29:59

Is your file system mounted with 'nosuid'?

schard · 2023-07-12 21:34:49

Nope

/home/rne〉findmnt /                                                                                                                                                       2023-07-12 23:33:50
TARGET
  SOURCE           FSTYPE OPTIONS
/ /dev/mapper/root ext4   rw,relatime,discard
/home/rne〉

Otherwise, I think, sudo and the like should not work either.

Trilby · 2023-07-12 21:56:32

It would seem pacman checks the real user id which remains your regular user when you run a suid program. Simple code to confirm that the real uid remains the same:

#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>

int main(void) {
	uid_t real, effective, set;
	getresuid(&real, &effective, &set);
	printf("%d %d %d\n", real, effective, set);
	return 0;
}

Compile that, chown it to root and set the suid bit. When you run it as a regular user (relying on the SUID for permissions) it reports 1000 0 0 for me (as my user id is 1000). When run via sudo / doas it reports 0 0 0.

I just confirmed this in pacman.c from the current development code, line 1090 calls getuid (not geteuid), and shortly later on line 1135 this is tested and results in the error message from the first post:

$ git clone https://gitlab.archlinux.org/pacman/pacman.git
# ... git output not shown ...

$ sed -n '1087,1090p;1091s/.*/.../p;1135,1138p' pacman/src/pacman/pacman.c
int main(int argc, char *argv[])
{
	int ret = 0;
	uid_t myuid = getuid();
...
	if(myuid > 0 && needs_root()) {
		pm_printf(ALPM_LOG_ERROR, _("you cannot perform this operation unless you are root.\n"));
		cleanup(EXIT_FAILURE);
	}

Patching pacman to run as SUID would require at least a change to line 1090 replacing getuid() with geteuid().

Last edited by Trilby (2023-07-12 22:09:04)

schard · 2023-07-12 22:14:44

Thanks Trilby. I think that settles it.
I don't think that pacman was ever intended to be run via SUID anyway due to the security implications.

Arch Linux

#1 2023-07-12 21:12:16

[SOLVED] pacman does not work with SUID bit set

#2 2023-07-12 21:29:59

Re: [SOLVED] pacman does not work with SUID bit set

#3 2023-07-12 21:34:49

Re: [SOLVED] pacman does not work with SUID bit set

#4 2023-07-12 21:56:32

Re: [SOLVED] pacman does not work with SUID bit set

#5 2023-07-12 22:14:44

Re: [SOLVED] pacman does not work with SUID bit set

Board footer