Arch Linux

Description:

As per good sysadmin practices, I try to avoid running pacman with root priviledges unless it is absolutely necessary e.g. for tasks such as querying an installed package information, I execute pacman as my normal user account. If I do need to run it with root priviledges, e.g. to install a package, I then use sudo.

I've noticed that when performing a package query, as my normal user, I've been getting error messages such as:

error: could not open file /var/lib/pacman/local/pan-0.133-1/depends: Permission denied
error: could not open file /var/lib/pacman/local/udev-135-1/depends: Permission denied
error: could not open file /var/lib/pacman/local/xdm-archlinux-0.3-2/depends: Permission denied
error: could not open file /var/lib/pacman/local/xorg-font-utils-7.4-1/depends: Permission denied
Name : ati-dri
Version : 7.2-1
URL : http://xorg.freedesktop.org/
Licenses : None
Groups : None

even when not querying the packages for which the error messages are being generated.

It seems that the root cause of this is that I've set the umask on my normal account to 0x077, preventing created files and directories from being world and group readable, instead of the Arch Linux default of 0x0022. When I install a package via "sudo pacman -S <pkg>", it seems that the 077 umask from the normal account is being applied to the new package subdirectory. This results in package subdirectory permissions of 0x700. Before I made this umask change, there are also package subdirectories with permissions of 0x755, which explains why I can still query information about some packages. So I've ended up with package subdirectories with a mix of 0x755 and 0x700 permissions in /var/lib/pacman/local e.g.:

drwxr-xr-x 2 root root 4096 2008-12-28 07:59 poppler-glib-0.10.2-1
drwxr-xr-x 2 root root 4096 2008-12-28 07:59 poppler-0.10.2-1
drwx------ 2 root root 4096 2008-12-28 07:59 xorg-font-utils-7.4-1
drwxr-xr-x 2 root root 4096 2008-12-28 07:59 xkeyboard-config-1.4-2
drwxr-xr-x 2 root root 4096 2008-12-28 07:59 xf86-video-radeonhd-1.2.4-1
drwxr-xr-x 2 root root 4096 2008-12-28 07:59 xextproto-7.0.4-1
drwx------ 2 root root 4096 2008-12-28 07:59 udev-135-1
drwxr-xr-x 2 root root 4096 2008-12-28 07:59 ati-dri-7.2-1
drwxr-xr-x 2 root root 4096 2008-12-28 08:05 xf86-video-ati-6.9.0-6
drwxr-xr-x 2 root root 4096 2008-12-28 08:06 xf86-video-vesa-2.1.0-1


Comparing this setup with another vanilla Arch Linux install, without my umask change, all the package subdirectories in /var/lib/pacman/local have directory permissions of 0x755.

I think it would be useful if pacman explicitly set the permissions on these package subdirectories, ignoring the current umask value.

The current default permissions of 0x755 are probably ok for most Arch Linux installs, however I think there might be some security value in also having permissions of, e.g. 0x700, so that normal users wouldn't be able to query package information. So I'd suggest that the directory permissions (and possibly directory owner and group) to use be an option in /etc/pacman.conf. This would allow me to overcome my umask/sudo/pacman interaction problem, and also allow people to control which users can see system package information.

Thanks,
Mark.



Additional info:
* pacman 3.2.1-2 (x86_64 and i686)



Steps to reproduce:

umask 077
sudo pacman -S <pkg>