2

This is a question about the design choices of *nix, not how to avoid it.

What is the purpose for requiring root access to install most packages? It seems like a potential security hole to require you to use root, as most packages won't need to modify the kernel or need root privileges to run. If the purpose is just to install the package once per machine for all users to save space, then why not have a different non-root user for this purpose?

Update : I am presuming here that packages installed without root access would not be installed to the root protected dirs, but somewhere else instead.

ACyclic
  • 923
  • 1
  • 7
  • 9
  • You're probably interested in reading about [SELinux](http://en.wikipedia.org/wiki/Security-Enhanced_Linux). – Daniel Andersson Aug 21 '13 at 16:48
  • 2
    How else will those packages write to protected directories? OS X and Windows does the samething, if every operating system requires you to esclaate the permissions, there must be something to it. – Ramhound Aug 21 '13 at 16:50
  • @Ramhound : Updated question to make it clearer – ACyclic Aug 21 '13 at 16:54
  • @DanielAndersson : Is that an explanation or are you agreeing with me? AFAIK SELinux is even more sensitive to allowing root access, so this question applies doubly. – ACyclic Aug 21 '13 at 16:56
  • If you were to choose another user with broad access to shared system directories, wouldn't the same question you are asking apply to that user as well? – FatalError Aug 21 '13 at 16:59
  • The question holds water. Not every program needs to write to protected directories. The reason I think is that most packages are packaged in a way to be installed in protected directories, as they are meant to available to the entire system. If you unpack the package they typically have a folder structure of the root dir of the OS but with only the files necessary for the program put in the folders where they need to go. Take a look at this https://blogs.oracle.com/ksplice/entry/anatomy_of_a_debian_package – jmathew Aug 21 '13 at 17:03
  • @FatalError : A shared-install user could install something to hijack other users accounts, but not root. But my point is that in the world of plentiful disk space, each user can install their own copy of each library so no shared-install-user or read-only-shared-install-dir is required or desired. – ACyclic Aug 21 '13 at 17:04
  • Further it should be noted that various distros do packaging differently. You've got your DEBs, RPMs, Arch's tars. Some don't do it at all like gentoo opting instead to compile from source in which case you could configure it so that it installs to the user's own directory. – jmathew Aug 21 '13 at 17:08
  • Just imagine situation when user can install or change system `ls`, `passwd`, `ssh`, etc. binaries... – september Aug 21 '13 at 17:09
  • @jmathew : But all distros use the same sources, which assume root access to install and gentoo has to do significant work to undo that assumption – ACyclic Aug 21 '13 at 17:15
  • @september : I agree, but those are not "most" packages. Some binaries (setuid, ls, etc.) do obviously require root privs, those that root requires to run, or those that require root privs to execute (eg. sshd). – ACyclic Aug 21 '13 at 17:17
  • @NYCBrit I don't think all sources assume root access is required. They shouldn't assume anything other than the tools needed to compile it. Source packages vary but many source packages you can set a `--prefix` configure flag telling it where to install when you do `make install`. I used it once to create a localized copy of perl with the modules I needed as a low privileged user. – jmathew Aug 21 '13 at 17:33
  • @NYCBrit Also what indicated that gentoo has to do "significant work" to install to user selected directories? – jmathew Aug 21 '13 at 17:40
  • @jmathew - The same work Microsoft has done to get installlers to use the User profile directory ( not protected )installed of a local file in the installation directory ( protected ). These packages only need root access if are not specific in where they should be extracted. – Ramhound Aug 21 '13 at 17:50
  • @NYCBrit: SELinux gives finegrained permission control, not letting programs go outside their bounds. It's meant to solve privilege problems where an application modifies data it's not meant to handle. Installing as root in general is a safeguard against programs spilling over on others _during execution_, since they're in general not _executed_ as root (sans core system tasks). `www-data` might run Apache, etc. _This_ is the real security model — not ownership of the binary (SELinux brings additional control). There is also merit in system-wide binaries not being modifiable by regular users. – Daniel Andersson Aug 21 '13 at 17:54
  • @Ramhound Are we agreeing here? I'm a bit confused. I'd like to make a distinction between "source archives" and "packages". Source archives contain the source code for the program, which, once compiled, can be installed anywhere. Packages on the other hand which are pre-compiled binaries and supporting files which are copied into typical system directories by a Package Manager. Changing where the Package Manager installs files is dependant on it and it varies by distro. Gentoo manages source archives and compiles them locally. So gentoo can easily set the install dir flag to a user dir. – jmathew Aug 21 '13 at 18:06
  • @jmatthew : Yes configure does provide --prefix and --exec-prefix to allow users to build & install locally. My question is why is that not the default practice? It doesn't always work (probably as it's not the default setting, so it's not always tested by the author). Why is the default advice given to use sudo make install? – ACyclic Aug 21 '13 at 19:27
  • @DanielAndersson : Thanks. The security hole I referred to is in the actual install process. I don't expect many sysadmins/packager-maintainers go through every line of install code and can be 100% sure the install process doesn't contain a trojan. 2) Yes system-wide binaries & SELinux make sense if you don't trust the executing user's code - but SELinux is extra work that is only useful enough where you don't trust the data, eg. the domain of internet servers. – ACyclic Aug 21 '13 at 19:36

1 Answers1

7

As others have noted in the comments, an obvious reason for requiring root permissions is that pre-built packages install to shared system directories, which shouldn't be writable by just anyone. Why not "a different non-root user"? I'd say because enough packages need to make changes to shared system files and directories that it's not worth the complexity of keeping track of which packages really need root and which don't, and because not installing as root doesn't buy you all that much -- you're already putting your faith in the vendor for a lot of the core packages, so what's a few more. But ultimately, yes, there is a security trade-off, and it seems the vendors have decided that simplicity wins here.

This brings us to the question of why packages can't just be installed to, say, a user's home directory. Actually, in many cases, they can, but only if you use a source-based distribution, like Gentoo. In that case, you just compile the program with an appropriate --prefix or similar argument (many, but not all, pieces of software support such a concept). Most distros are binary-based, though, and in that case, the problem is that many Unix programs are written in such a way that various paths are hardcoded into the program at compile-time, and a ton of work and coordination would be required to change this when you're dealing with thousands of packages and their maintainers. Coordination is especially difficult in the Unix world, since there are relatively many system vendors, unlike Windows, where Microsoft can dictate changes to a great extent -- and even Microsoft has trouble getting everyone to fall in line, hence the need for compatibility measures like UAC Virtualization.

Going more into the hardcoded path issue, consider a program foo that needs to access its database of some sort. Where is this file? A plausible path is /usr/share/foo/foo.db, which would be hardcoded into the program, so that it knows exactly where to look. You might object that a program could simply try $HOME/usr/share/foo/foo.db or similar if it doesn't find its hardcoded file. This is true, and this would be nice, except there's no real standard or convention for this sort of thing, so most programs just don't implement such a fallback mechanism (that coordination problem, again). And arguably, it also adds complexity that benefits a relatively small part of the user population, but that's another can of worms.

A related problem is how a program loads shared libraries it depends on. The dynamic linker, ld.so, needs to know where to find all these shared libraries. Basically, a list of paths can be (again) hardcoded into the executable at compile-time, in which case ld.so will search these paths first; failing that, ld.so searches the directories configured in /etc/ld.so.conf. This problem is actually relatively easy to overcome, e.g., by setting the LD_LIBRARY_PATH environment variable appropriately.

So, the bottom line is just that a lot of programs aren't designed to be flexible (at runtime) about how they find their files, and consequently, the packaging developers don't find it worthwhile to offer the option of installing to alternate directories. It's not that this is technically impossible -- just that so far, there hasn't been the will to create a standard and make everyone follow it. For an example showing how it's not technically impossible, you might take a look at my answer for this question: Install git on server without sudo. Note how it's kind of an ugly workaround, and that's the sad state of things.

For the record, I actually share your frustration in not being able to easily install binary packages to alternate locations, and I've spent considerable time and effort over the years in either compiling packages manually or working around packaging issues (in ways similar to the question I linked to in the previous paragraph) when running on systems where the sysadmins aren't cooperative about installing packages I want to use.

Community
  • 1
jjlin
  • 15,462
  • 4
  • 51
  • 51
  • Thanks, great answer! Yes it is frustrating that this big issue is ignored & only solved specifically. As a follow-up question, do you know if the maintainers of autotools acknowledge this problem? – ACyclic Aug 21 '13 at 20:53
  • Sorry, I don't know, but that wouldn't do that much to solve the problem. I'd be surprised if autotools is used by even a simple majority of all Unix software out there. I think only a standards body would have a chance at solving this, or if all the major vendors somehow got together and agreed on something. Even then, it'd take years for broad adoption. – jjlin Aug 21 '13 at 21:48