Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:

This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.

FS#65401 - Separation of privileges and reducing the use of root in pacman

Attached to Project: Pacman
Opened by Eli Schwartz (eschwartz) - Friday, 07 February 2020, 01:11 GMT
Task Type Feature Request
Category Backend/Core
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 5.2.1
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 8
Private No


A useful tool for reducing the scope of security bugs would be to do fewer things as root. As suggested in

For example if the internal downloader and XferCommand were to operate as a separate user e.g. "libalpm", which had write permissions for only /var/cache/pacman/pkg, the following bug would not have been able to write anywhere on the system, and would usually fail with a permission denied error:

The command injections in these bugs could similarly have avoided being able to run command injection *as root*, greatly reducing the scope of the damage they could do:
This task depends upon

Comment by TJ (boogiepop) - Wednesday, 19 February 2020, 02:34 GMT
Definitely need this.