yaourt non-root-user installation is a major securtity risk

[C0NPAQ]

Running yaourt as root is considerably more secure than the recommended non-root-user installation, precisely for this reasoning:

1. Yaourt package installations require root access in virtually all instances
2. Therefore the root password is queried and entered all the time if not executed as root
3. Anyone who creates a malicious AUR package can do a simple UID check and then either exploit the system directly, or fake the root password prompt (including the yaourt output that preceides it)
4. The probability that a non-forged AUR package contains unintentional installation-only malicious code is comparably low
5. Revealing the root password to an attacker, by typing it into yaourt, has a whole lot more exploit value than just gaining root access. E.g. no further programs, scripts or otherwise obvious or error-prone implementations are required to gain remote access if ssh is enabled, no obvious alterations to the system need to take place. The root password could also be in use by the user for PGP keys, email, other systems, future systems and thus those could be compromised as well. To reveal the root password by typing it into a terminal, is much more dangerous than root access alone.

Conclusion:
Yaourt enforces a much more hazardous exploit advantage by querying the root password during installation process. Yaourt should never ever require the user to enter the root password, because the prompt can never be validated to be authentic.

Instead if necessary, it should run commands that are deemed as insecure for root execution as a non-root user by itself. If that is currently not possible, root-only installation should be preferred (with security warning) and password prompt for user installation disabled entirely. A yet more secure but more annoying temporary alternative is to only dump pacman package files, which then can be installed as root in a completely separated process and terminal. Querying the root password however, when previously running user installation scripts, can never be secure and should be avoided at all cost.

[tuxce]

yaourt enforces nothing, yaourt uses makepkg which enforces non-root execution. And makepkg uses sudo, so the password prompt will remain whatever you change in yaourt.

Non root execution is not here to avoid the case 3. A malicious AUR package does not have to fake the root password prompt, it just have to put in the .install file a command that does what the attacker wants.

[C0NPAQ]

yaourt enforces nothing, yaourt uses makepkg which enforces non-root execution. And makepkg uses sudo, so the password prompt will remain whatever you change in yaourt.

This is not true, which is insanely obvious if you just look at the end-result. Yaourt promotes non-root execution and enforces it through necessarily requiring the use of makepkg.

Makepkg does not implement a major security hole, because it doesn't create a constellation where the user cannot at all verify the autheticity of the sudo prompt (= a start to finish installation command - afaik using makepkg requires many commands and the build and install command have to be separately executed). But yaourt exactly create this exploitable situation. Exploiting it is fast, easy scripting childsplay. Much unlike messing with suid stack overflow exploits or what else makepkg/yaourt are intending to secure against by not running as root. Obviously anything but the package install command can just be run as a separate user by the program, not the user.

Additionally, yaourt can no longer be executed as root because it will fail using the recent makepkg "--asroot bug". Thereby it effectively enforces to execute and install packages as non-root user. Maybe it is possible to install packages as suggested by myself through some command line options, but rest assured this is not what the majority of users do to install, and it is not suggested default behavior. The suggested default behavior is to run yaourt as non-root user if installing a package:

yaourt -S package

==> WARNING: Building package as root is dangerous.
Please run yaourt as a non-privileged user.

Non root execution is not here to avoid the case 3. A malicious AUR package does not have to fake the root password prompt, it just have to put in the .install file a command that does what the attacker wants.

Then how are the priorities here? What is this "dangerous" about?

[tuxce]

I don't understand what this issue is about...

1. root execution no more possible due to makepkg changes
2. the authenticity of sudo prompt

1 :
yaourt can no longer be executed as root because makepkg can no longer be executed as root, it's not a bug, it's what makepkg's authors wants : https://bugs.archlinux.org/task/43302
The stable version displays a warning but the git version with 1997977 removes it and provides the possibility to define an alternative to makepkg : #67

2 : beside the fact that an attacker does not have to fake sudo to gain root access, I don't understand what you meant by constellation (EDIT: before the edit of previous comment), yaourt calls sudo for each aur package and its dependencies, and so makepkg.

[C0NPAQ]

I am not sure how much of this is caused by makepkg, but just think about it. I will never ever enter my root password anywhere but su in a fresh urxvt. It takes a long way for an attacker to go from root access to root password. Forged AUR packages are the most likely attack vector. Yaourt should simply not allow or require easily exploitable root password entry, no matter why or how.

[tuxce]

It takes a long way for an attacker to go from root access to root password.

Replacing any command that asks for the password will make it.

Anyway, you'll find in #67 (comment) how to do if you want to run yaourt as root.

[C0NPAQ]

OK. I looked at yaourt and makepkg. What you have to do is simply:

1. disable non-root execution, simply reverse the root warning and fail with "must be root"
2. Implement check for sudo to be present
3. sudo execute makepkg and any other user scripts as nobody by default (not sure if nobody works, if not make and check for more privileged yaourt user)

Maybe generate and show random characters at the beginning and at the end, e.g. "Xgk" or "6lz" to secure against prompt hijacking.

[tuxce]

1. no, because I (and I think many other users) use yaourt as a normal user or a user that can only use pacman.
2. already implemented (yaourt uses sudo since its start)
3. there is no other command than makepkg. You can already use $MAKEPKG (as an environment variable or in yaourt configuration) to set an alternative command to makepkg.

Something like (not tested) :

custom_mpkg () {
  chown -R nobody .
  # ... you also need to give write access for the destination folders. 
  sudo -u nobody makepkg "$@"
}
MAKEPKG=custom_mpkg

Focusing on the sudo prompt have no sense if you are not sure about the package you're going to install from AUR, because this package will have the possibility to run commands as root !

[C0NPAQ]

Well I must say overall I just see that an evaluation of "package will have the possibility to run commands as root [anyway]" is already a very avoidable security risk, if this is not simply about a shortcoming in development of either yaourt or makepkg.

The way it just should work is that the package is build by a non-root user in chrooted environment, like makepkg does it. I don't see how this can be so hard to accomplish (maybe due to makepkg issues?). If you simply used "makepkg -s" as a non-root user on a package you can copy&paste from archlinux abs, then you get a tar.xz that you can install with pacman as root. I would most of all things believe that yaourt should aim to do exactly this, but with package files from AUR and in an automated manner for the different download, build, install commands. Obviously this requires yaourt to have root access to eventually install the package. Anything other than this behavior is effectively just a "lack of implementation" and carries dangerous details with it, like prompt hijacking when requiring root password entry during installation.

Don't take this the wrong way, but I am just looking at the whole issue from this perspective and try to find the cheapest and fastest method to increase security on the spot. As it is now, it is pretty damn insecure and it doesn't have to be. I am not involved in whatever details that might be problematic here (like e.g. makepkg lacking functionalities to interact with yaourt scripts?).

[regeya]

My annoyance is that, in order to seamlessly, without nags, run an automated update of system-wide aur packages, one has to add pacman to sudoers. I don't like that; it feels even less secure than 'sudo yaourt -Syua' to me.