FS#34656 : Paccache privilege escalation through "su -c" fails

FS#34656 - Paccache privilege escalation through "su -c" fails

Attached to Project: Pacman
Opened by Alexander Blinne (Sunday) - Sunday, 07 April 2013, 12:50 GMT
Last edited by Allan McRae (Allan) - Tuesday, 16 April 2013, 02:34 GMT

Task Type	Bug Report
Category	Scripts & Tools
Status	Closed
Assigned To	Dave Reisner (falconindy)
Architecture	All
Severity	Low
Priority	Normal
Reported Version	4.1.0
Due in Version	4.1.1
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
When paccache is used to remove old package archives (paccache -r) and "su -c" is used for privilege escalation packages can not be deleted.
Privilege escalation fails because the passwort can't be given to su.
I believe this to be caused by the patch http://archlinux.2023198.n4.nabble.com/PATCH-paccache-use-xargs-to-execute-mv-rm-commands-tc4684182.html, which changes command execution to using xargs and a pipe. The pipe disconnects stdin from su and it is not possible to pass the password to su. Every keystroke at the passwort prompt is printed to the screen.
I don't know if the same problem also affects sudo.

Additional info:
* package version(s)
pacman 4.1.0-2

Steps to reproduce:
Disable sudo and run 'paccache -r'. If there are packages to be removed the problem will occur.

This task depends upon

Closed by Allan McRae (Allan)
Tuesday, 16 April 2013, 02:34 GMT
Reason for closing: Fixed
Additional comments about closing: git commit 597286eb

Comment by Alexander Blinne (Sunday) - Sunday, 07 April 2013, 15:50 GMT

This problem has been discussed in https://bbs.archlinux.org/viewtopic.php?id=161042 and a solution has been proposed.

Comment by KaiSforza (KaiSforza) - Sunday, 07 April 2013, 16:07 GMT

I just ran this (I don't know how exactly you're doing it) but using

$ su -c "paccache -r"

works perfectly fine.

Comment by KaiSforza (KaiSforza) - Sunday, 07 April 2013, 16:11 GMT

Oh, I see what you mean, nevermind. That is quite an issue.

Comment by Alexander Blinne (Sunday) - Sunday, 07 April 2013, 16:14 GMT

Please read the thread in the forum that i linked to. paccache is supposed to do the privilege escalation by itself and only do the actual removal operation as root while doing everything else with user privileges only. So if you run "paccache -r" as a normal user it should look around for packages to be deleted and then, if there are any, ask for the root password. This fails in the current version.

Comment by Allan McRae (Allan) - Thursday, 11 April 2013, 05:58 GMT

Task assigned to Dave Reisner (falconindy)

@Dave: it is possible for you to have a quick look at this?

Comment by Dave Reisner (falconindy) - Thursday, 11 April 2013, 13:46 GMT

https://mailman.archlinux.org/pipermail/pacman-dev/2013-April/016996.html

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#34656 - Paccache privilege escalation through "su -c" fails

Details

Loading...