
Fedora 12 and unprivileged package installation

Posted Dec 1, 2009 13:38 UTC (Tue) by simlo (guest, #10866)
Parent article: Fedora 12 and unprivileged package installation

Isn't the main problem that RPMs can't be installed in the user's home directory instead of /? Then any user could install any RPM he wants to without being root. Of course, it wouldn't make sense for system-level programs, but for normal applications it would be really nice. It would require a lot of changes to each RPM, but I would say it would be worth it instead of opening for security hacks like these.

Otherwise, / should be uid dependent and therefore each user could see his own version of the installed software base without affecting the other users or the system. I think I read somewhere, that Plan9 can do just this. Can namespaces in Linux be used for this?


Fedora 12 and unprivileged package installation

Posted Dec 3, 2009 23:26 UTC (Thu) by nix (subscriber, #2304) [Link]

Filesystem namespaces can be used for this, but allowing users to modify a private copy of / has security implications: many, many programs assume that things in /etc aren't modifiable except by privileged users (trivial example: /etc/passwd, /etc/shadow).

Fedora 12 and unprivileged package installation

Posted Dec 5, 2009 23:23 UTC (Sat) by kasperd (guest, #11842) [Link]

If you want to go that way, I think the rpms should be installed in a directory named something similar to /var/usr/$USER.

The entire hierarchy under /var/usr should be writable only by some system user, installing packages should be done by a program that is suid to that user.

If two users install the same package, then the files can be hardlinked into both users' directories. The program to perform the install can also manage some sort of quotas.

Obviously it should not be possible to install any suid or sgid executables or any device inodes. Running the install as a non-root user guarantees part of that.

There is a problem with how programs find their files. They would either need to be modified to use the USER environment variable, or you would need a symlink somewhere that magically points to /var/usr/$USER and then use paths through that. (There are already symlinks in /proc that magically change depending on which process accesses them, so adding another magical symlink doesn't seem too far-fetched.) Of course it may still be problematic that an rpm can either be installed in the normal location by root or in a different location by somebody else. Could be worked around by building two versions of each rpm.

The only reason I suggest a directory name depending on the user is, that one user installing a program shouldn't cause that program to show up in another user's path. Each user would have /var/usr/$USER/bin in their path, and only see programs they want to see there.

If some files are accessed by a path that is determined at compile time, maybe those should be put into a common directory instead. That would avoid most of the user-dependent path requirements. Say user1 installs app with a binary named app and a library named, then each of the two files could be hardlinked in two locations.


And user1 would access /var/usr/user1/bin/app from the path which would then use /var/usr/common/lib/ The common directories shouldn't be in any path, but if you want to specify the absolute path to for example an executable you would use the one in /var/usr/common/bin/app.

I may have missed some details that would need to be figured out, but I'm pretty sure it can be made to work within the normal unix security model, if anybody wants to do the work.

Fedora 12 and unprivileged package installation

Posted Dec 6, 2009 1:52 UTC (Sun) by nix (subscriber, #2304) [Link]

I think that's half-right. You want the /var/usr/$USER idea, sure, but it is bind-mounted by pam_mount into a per-user private mount, maybe /usr/usr (ew, maybe somewhere else) and *that* is what is referenced in PATHs.

(Most of the rest of your post is talking about problems that GNU stow and graft and other similar systems have long considered and solved. Suffice to say that systems built from symlink farms are quite practical. Hell, systems built from symlink farms *at runtime*, so users can have per-user and even per-session package selection, are practical, although the farm construction might take a second or two. I've implemented a couple of systems like that myself...)
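The two preceding comments describe a per-user install scheme (kasperd: a per-user directory under a shared store, an installer that refuses setuid/setgid files and device inodes; nix: a stow-style symlink farm that is what actually lands on PATH). The script below is an added example written for this page, not code from the thread, from GNU stow, or from Fedora: it builds a minimal per-user "view" as a symlink farm over a shared package store and applies the setuid/device check before linking anything. The layout ($STORE/<pkg>/{bin,lib}, $VIEW/{bin,lib}), the function names and the constructed sample packages are all assumptions; the pam_mount bind-mount step nix mentions needs privilege and is not shown.

```shell
#!/bin/sh
# Added example (not from the LWN thread): stow-style per-user symlink farm
# with the "no setuid/setgid, no device inodes" check applied before linking.
# Assumptions: POSIX sh plus find/ln/readlink/mktemp; every path is a temp tree.
set -eu

# Refuse a package directory that contains any setuid/setgid file or device node.
# -perm -4000 / -perm -2000 match setuid / setgid bits; -type b / -type c match devices.
farm_check() {
    offenders=$(find "$1" \( -perm -4000 -o -perm -2000 -o -type b -o -type c \) -print)
    [ -z "$offenders" ] || {
        printf 'refusing %s, contains:\n%s\n' "$1" "$offenders" >&2
        return 1
    }
}

# Link every regular file of $STORE/$PKG into the user's view $VIEW.
# Only $VIEW/bin is meant to go on PATH; the store itself is never on PATH.
farm_link() {
    store=$1; view=$2; pkg=$3
    farm_check "$store/$pkg" || return 1
    ( cd "$store/$pkg" && find . -type f ) | while read -r f; do
        rel=${f#./}
        mkdir -p "$view/$(dirname "$rel")"
        # A real file (not a symlink) in the view is a conflict, not something to clobber.
        if [ -e "$view/$rel" ] && [ ! -L "$view/$rel" ]; then
            echo "conflict: $view/$rel is a regular file" >&2
            return 1
        fi
        rm -f "$view/$rel"
        ln -s "$store/$pkg/$rel" "$view/$rel"
    done
}

# Remove from the view only the symlinks that point into $STORE/$PKG.
farm_unlink() {
    store=$1; view=$2; pkg=$3
    find "$view" -type l | while read -r l; do
        case $(readlink "$l") in
            "$store/$pkg"/*) rm -f "$l" ;;
        esac
    done
}

# Constructed demo tree: a benign package "app" and a package "evil" that ships
# a setuid binary. Prints the temp root so callers can inspect the result.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/store/app/bin" "$root/store/app/lib" "$root/store/evil/bin" "$root/view"
    printf '#!/bin/sh\necho app\n' > "$root/store/app/bin/app"
    chmod 755 "$root/store/app/bin/app"
    : > "$root/store/app/lib/libapp.so.1"
    printf '#!/bin/sh\n' > "$root/store/evil/bin/evil"
    chmod 4755 "$root/store/evil/bin/evil"          # setuid bit: must be refused
    farm_link "$root/store" "$root/view" app
    farm_link "$root/store" "$root/view" evil 2>/dev/null || true
    echo "$root"
}

root=$(demo)
echo "per-user view under $root/view:"
find "$root/view" -type l
```

Run with PATH="$root/view/bin:$PATH" to get kasperd's behaviour of one user's packages not appearing in another user's PATH; a second user gets a second view over the same store, which is the sharing that hardlinks were meant to provide. Empty directories left behind by farm_unlink are harmless and can be pruned with find -type d -empty -delete.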

Fedora 12 and unprivileged package installation

Posted Dec 10, 2009 14:07 UTC (Thu) by vonbrand (guest, #4458) [Link]

Plan9, where art thou...

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds