-
-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sudo loop temporarily locking user accounts (and is probably broken in general) #2170
Comments
That's pretty far fetched... a more realistic scenario (and a problem with time outs in general) is that building process have persistent root access. For example, one package (overlayfs-tools) I maintain calls I vaguely recall |
I'm more tempted to remove Just have no way of measuring how much it's used and if it fills a niche that sudoers config doesn't fulfill |
That rule would allow to run Which from a user perspective (assuming any build completes within the configured timeout) is the same as |
my bad, Privilege dropping as it's implemented now drops you into a temp user if you're using actually root or if the sudo, doas: ogCaller := ""
if caller := os.Getenv("SUDO_USER"); caller != "" {
ogCaller = caller
} else if caller := os.Getenv("DOAS_USER"); caller != "" {
ogCaller = caller
}
if userFound, err := user.Lookup(ogCaller); err == nil {
cmd.SysProcAttr = &syscall.SysProcAttr{}
uid, _ := strconv.Atoi(userFound.Uid)
gid, _ := strconv.Atoi(userFound.Gid)
cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
return cmd
} su: cmdArgs := []string{
"systemd-run",
"--service-type=oneshot",
"--pipe", "--wait", "--pty", "--quiet",
"-p", "DynamicUser=yes",
"-p", "CacheDirectory=yay",
"-E", "HOME=/tmp",
} Not a big fan of running as root but it does work for this usecase. Could argue that setting sudo to nopassword could be more dangerous as it's systemwide |
It's probably fine if you use a separate user for that which does no other tasks and has a password itself |
Building processes shouldn't need or get any root access. If there is no other way (experimental dev builds) In the quote above it is also emphasized that the problem is with persistent root access. While it shouldn't be persistent, Yay could still be able to help by caching it for selected operations during its run.
Malicious or not these calls shouldn't get the privileges even if they were cached. Yay would use them only for selected operations and if it ordinarily didn't ask for
This seems like something needed for a secure privilege-caching implementation. Yay could fork a privileged process with This would render |
Sorry haven't read this whole thread... but sitting in waiting for I'm here because of a related reason, not sure it it warrants a ticket of its own yet... just found the issue tracker and code... will jump in and see... (https://forum.endeavouros.com/t/yay-deadlock-shouldnt-give-up-should-keep-trying/54313/22) Just thinking out loud here - but what if, instead of going into |
I did a quick scan through the source, and couldn't find the point at which that could potentially be inserted... but I did notice an obvious alternative approach: Problem in general, that I also don't yet understand, is how is root abuse by package maintainers, prevented? Any pointers would be appreciated. |
No, you haven't read any of this thread and I think it's high time you do it. More than half of your questions/proposals, such as an explanation on hitting the 3-strikes limit, are explained already in the OP, which you apparently didn't read either. And the discussion already includes your other proposals, and further, so next time please add something new. And remember that sometimes it's easier to, you know, just read the thread. And when you don't still read the OP. |
Affected Version
yay v12.0.4 - libalpm v13.0.2
Describe the bug
--sudoloop
runssudo
in a loop to prevent password input dialogue timeout, which sounds very simple at first glance and should work. Unfortunately, it's not that simple. In modern distros such approach usually causes trouble due to the fact that eachsudo
execution resulting in timeout counts as an unsuccessful login attempt, in combination with:(source: ArchWiki)
It's possible to disable this feature, but that's not a solution since it might be desired otherwise. The net result of everything is that
--sudoloop
only seemingly preventssudo
timeout, but in reality it only prevents input prompt timeout while it does more harm than good in the background. Account lockups have been reported before in #1379.--sudoloop
is probably broken. Also, even if the correct password is put in after the account has been locked, bothsudo
andyay
fail awkwardly and uninformatively:Again, user sees this output after putting in the correct password after some time. Seeing such errors I didn't even dare to try with an incorrect one! :)
Reproduction Steps
yay -Sy(u) --sudoloop ...
sudo
asks for password (before installlation), wait for it to timeout multiple times (given thepam_faillock
settings)Expected behavior
Both presented solutions solve the issue, but the second one is only appropriate as an optional one due to security compromises. The best solution would be to incorporate both since they are compatible.
Solution 1: default
A KISS
--sudoloop
replacement as proposed before:yay
tries to authenticate the user only once and waits for them to be ready before retrying. This not only replaces--sudoloop
with a less bruteforce approach, but is also probably safe enough to be default.Solution 2: optional
It has been requested many times for
yay
to be able to acquire privileges in the beginning (ask forsudo
password only once) and then execute privileged and non-privileged tasks as necessary:sudo
timeout after long build necessitates long rebuild #1831--sudoloop
is often mentioned as a solution, but a proper solution of this feature request would effectively make--sudoloop
obsolete and resolve the present issue as well. There's also an argument against:The argument stands, but it ultimately falls under physical security, which software can try to help with, but can never guarantee. Users running
--sudoloop
already make compromises so there's no reason an optional, more comfy and less secure way is provided if--sudoloop
is/was as well. With all the proper warnings of course.Furthermore,
yay
could make use of a child process with elevated privileges and not acquire or drop them elsewhere, hardening the security a bit to prevent simplest physical attacks such as the one above. But this is an extension probably belonging in a separate feature request.The text was updated successfully, but these errors were encountered: