You are not logged in.

#1 2005-06-04 07:15:02

Cam
Member
From: Brisbane, Aus
Registered: 2004-12-21
Posts: 658
Website

security question

Are there any security issues in doing something like this?

chown -R cam:users /var/lib/pacman

I've started doing a bit more work on my pacman desklet, which previously needed to be run as root (major issue IMO) to work due to file permissions. It uses libpypac, this is just for syncing with the online package database, == to pacman -Sy.

I backed up the tree in case and chowned the files to myself and the desklet runs no issue so my questions is this a problem? Can I leave it like this?

Thanks smile

Offline

#2 2005-06-04 10:47:22

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: security question

that'd be fine, but any changes made by pacman are likely to be reverted back to root:root.

Preferably you would chown it root:pacman, and then chmod them all 775, so the group pacman has permissions.

Then add your user to the group 'pacman'.

Or what would be the best way, would be to add a /etc/sudoers line for pacman with visudo so your user doesnt need a password for pacman.

Offline

#3 2005-06-04 11:27:17

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: security question

Only way to take advantage of that chown is to replace a 'files' from there with help of some exploit in an app run as user cam (or group users if they also have write permission) and hope that that package is uninstalled, deleting any files at choice.

So all in all, it's pretty safe.

Offline

#4 2005-06-04 17:49:45

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: security question

I think iphitus's solution to add the user to the sudoers list for the pacman app only is the best solution..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#5 2005-06-05 23:31:29

Cam
Member
From: Brisbane, Aus
Registered: 2004-12-21
Posts: 658
Website

Re: security question

cactus wrote:

I think iphitus's solution to add the user to the sudoers list for the pacman app only is the best solution..

How about the pacman group solution? I like the sound of it better but does anyone else see a potential problem with it?

Offline

#6 2005-06-05 23:46:19

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: security question

other than pacman creating new files with different groups when it runs. You would have to modify the root user account to write all files with group pacman, which could indeed open up vulnerabilities. Either that or rerun the chown on a regular basis in the directory.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#7 2005-06-06 15:11:04

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: security question

cactus wrote:

other than pacman creating new files with different groups when it runs. You would have to modify the root user account to write all files with group pacman, which could indeed open up vulnerabilities. Either that or rerun the chown on a regular basis in the directory.

I personally like the pacman group idea... maybe a feature request in the bug tracker would work..... have pacman setup to write as pacman.pacman ?

Offline

Board footer

Powered by FluxBB