Yay: ask for sudo password in the beginning (for AUR packages)

Created on 26 Mar 2020  路  8Comments  路  Source: Jguer/yay

Affected Version

yay v9.4.6 - libalpm v12.0.1

Issue

When installing packages from a repo, the user is asked to enter the sudo password for root-rights right away. If yay is asked to install an aur package, yay first builds the package, while asking when the first package is built for the sudo password.

While we can determine in the beginning, that we're supposed to install a program, why not ask right away for the sudo password and run the sudo loop - even for aur packages?

This would avoid that a package is build but the installation isn't completed, because the user took to long to enter the sudo password.

picture RubenKelevra

Most helpful comment

Sudoloop is disabled by default for security reasons.

yay -Y --sudoloop --save should set it as default but beware that tty will have no password prompt while yay is running

picture Jguer on 31 Mar 2020
👍3

All 8 comments

Won't this be a security issue?

Fogapod picture Fogapod on 29 Mar 2020

@Fogapod it wouldn't change anything from a security perspective: If your AUR build needs a dependency which hasn't been installed before you get the proposed behavior.

It's just in the rare case, that you have all dependencies already installed, that it's asking for the password late in the process.

RubenKelevra picture RubenKelevra on 29 Mar 2020

wouldn't yay -S <aur-package> --sudoloop do what you want? (Normal precautions when suggesting --sudoloop apply)

Either way, if we ask for sudo right away on an AUR transaction, the most likely would be the it would timeout and ask again on the install part

Jguer picture Jguer on 30 Mar 2020

wouldn't yay -S <aur-package> --sudoloop do what you want? (Normal precautions when suggesting --sudoloop apply)

Yes, that's exactly what I was looking for. Isn't sudoloop standard?

RubenKelevra picture RubenKelevra on 30 Mar 2020

Sudoloop is disabled by default for security reasons.

yay -Y --sudoloop --save should set it as default but beware that tty will have no password prompt while yay is running

Jguer picture Jguer on 31 Mar 2020
👍3

Alright, thanks for the clarification :)

RubenKelevra picture RubenKelevra on 18 Apr 2020

@Jguer Your answer was linked as explanation to sudo loop behaviour.
Could you link to an explanation for why this is a security problem or shortly explain here?
As I understand it, it just asks again for sudo access if the first request timed out?
Thanks :)

xuiqzy picture xuiqzy on 18 Apr 2020

I believe it's well described in the comment that lead it to be disabled by default (https://github.com/Jguer/yay/issues/147#issuecomment-366024535)

I believe it can be summed up to this:

sudo credentials are cached by the TTY and if you walk away from the computer while yay is running, another person can come by, CTRL+C the running program, and gain access to a sudo session.

Jguer picture Jguer on 19 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ricochet1k picture ricochet1k  路  4Comments
AdrienLemaire picture AdrienLemaire  路  3Comments
pantuts picture pantuts  路  3Comments
x70b1 picture x70b1  路  4Comments
bazeeel picture bazeeel  路  4Comments