Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
FS#65401 - Separation of privileges and reducing the use of root in pacman
Attached to Project:
Pacman
Opened by Eli Schwartz (eschwartz) - Friday, 07 February 2020, 01:11 GMT
Opened by Eli Schwartz (eschwartz) - Friday, 07 February 2020, 01:11 GMT
|
DetailsA useful tool for reducing the scope of security bugs would be to do fewer things as root. As suggested in https://lists.archlinux.org/pipermail/pacman-dev/2020-February/024030.html
For example if the internal downloader and XferCommand were to operate as a separate user e.g. "libalpm", which had write permissions for only /var/cache/pacman/pkg, the following bug would not have been able to write anywhere on the system, and would usually fail with a permission denied error: https://security.archlinux.org/CVE-2019-9686 The command injections in these bugs could similarly have avoided being able to run command injection *as root*, greatly reducing the scope of the damage they could do: https://security.archlinux.org/CVE-2019-18182 https://security.archlinux.org/CVE-2019-18183 |
This task depends upon
Comment by TJ (boogiepop) -
Wednesday, 19 February 2020, 02:34 GMT
Definitely need this.