Open ericonr opened 4 years ago
duncaen │ one issue with splitting out is that there are other codepaths in xbps-query that use libfetch
duncaen │ and you need some kind of IPC or something I guess to keep keepalive working and also keep /var/cache/xbps only root writable
duncaen │ so xbps would pass an open fd and a url for each package to download to a xbps-fetch process
The usual practice is setresuid and using a Unix socket. You may not even need a file descriptor, though that is the usual way of doing it. The other option may be to use a secure language like Ada, Rust with no unsafe or Go without C as the downloader, or exec an existing downloader with this privilege-dropping functionality or run as a restricted user.
I talked about this quickly with @maldridge on #xbps. It's what the title says, and I would be interested in implementing it. The idea is to isolate the part that deals with the outside world and not have it run as root. We could even come to have an AppArmor profile for it (this for the far future, though).
It would only support changing the user if it was running as root. Methods for changing user:

Architecture:

- Download to `/var/cache/xbps-temp`; if everything checks out, move packages to `/var/cache/xbps/`. We would have some way of cleaning the temporary dir or otherwise invalidating it to protect ourselves from using bad files. This would allow existing set-ups to work normally.
- An `xbps` user, or have some way of configuring the user id for downloads in `/etc/xbps.d`.

I'm throwing these ideas here so I can try to come up with a sound(er) first implementation, and with mechanisms agreed upon by everyone.
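The IPC duncaen sketches above (the privileged parent passes an open fd plus a URL per package to an unprivileged fetch process, so the fetcher never needs write access to `/var/cache/xbps`) as an added C example; this is not xbps code. It moves the descriptor with `SCM_RIGHTS` over a Unix socket and round-trips it on a `socketpair`; the `tmpfile()` and the URL are constructed stand-ins for a file opened under `/var/cache/xbps-temp` and a repository URL.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
/* Privileged side: hand one open fd plus its URL to the fetcher over a Unix socket. */
int send_fd_with_url(int sock, int fd, const char *url)
{
    struct iovec iov = { .iov_base = (void *)url, .iov_len = strlen(url) + 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));          /* the descriptor rides in SCM_RIGHTS */
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}
/* Fetcher side: returns the received fd, or -1 if no descriptor arrived or the URL is not NUL-terminated. */
int recv_fd_with_url(int sock, char *url, size_t urllen)
{
    struct iovec iov = { .iov_base = url, .iov_len = urllen };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    ssize_t n = recvmsg(sock, &msg, 0); struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    int fd;
    if (n <= 0 || url[n - 1] != '\0' || !cm || cm->cmsg_level != SOL_SOCKET ||
        cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Round trip over a socketpair; tmpfile() stands in for a file the parent opened
 * under /var/cache/xbps-temp. Returns 1 when both URL and body survive. */
int demo_roundtrip(void)
{
    int sv[2], got;
    char url[256], back[64] = {0};
    const char body[] = "constructed package bytes", *u = "https://repo.example/pkg.xbps";
    FILE *f = tmpfile();
    if (!f || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (send_fd_with_url(sv[0], fileno(f), u) < 0) return 0;
    if ((got = recv_fd_with_url(sv[1], url, sizeof url)) < 0) return 0;
    if (write(got, body, sizeof body) != (ssize_t)sizeof body) return 0;
    close(got);                        /* fetcher's copy; the parent's fileno(f) stays open */
    if (lseek(fileno(f), 0, SEEK_SET) < 0 || read(fileno(f), back, sizeof back) != (ssize_t)sizeof body) return 0;
    fclose(f); close(sv[0]); close(sv[1]);
    return strcmp(url, u) == 0 && strcmp(back, body) == 0;
}
```

In the real split the fetcher would drop to the unprivileged uid (and the parent would verify signatures) before the received fd is ever written through; the two sides here share a process only to keep the exchange runnable.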