Shaman can (and should) be started by an unprivileged user. Root privileges are acquired and dropped only when needed: the executable is installed with the SUID bit and owned by root, and it calls seteuid() to switch its effective uid between root and the invoking user (the saved set-user-id stays root, which is what makes the switch reversible). Many of you have probably heard that the SUID bit can be dangerous. We heard it too, and security was our first concern when we decided to use seteuid(). Here is why:
- Shaman runs as a normal user most of the time. Root privileges are raised only while performing an alpm transaction or saving the configuration, and dropped again immediately afterwards.
- The seteuid() switch is gated by a PAM-based password check. This means that the effective uid is switched to root ONLY after you have entered the root password.
So you can safely keep Shaman in your tray, since the running process belongs to your unprivileged user, and only people who know the root password can perform transactions through it. Keep in mind that this check is enforced by Shaman itself, inside the same process that holds the reversible root privilege, so it gates use of the Shaman interface rather than isolating the privileged code in a separate helper. This is, in our opinion, the best balance we could find between security and convenience.
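The privilege toggle described above, written out as an added example rather than Shaman's own code. It assumes the binary is installed owned by root with the SUID bit set (chown root, chmod u+s); the PAM password check is not included (it would sit just before the raise), and fake_transaction() is a constructed stand-in for the alpm transaction. Run from a normal shell without the SUID bit, seteuid(0) simply fails and the functions report that instead of continuing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Is root currently effective? For a setuid-root binary this flips as we
 * raise and drop; the real uid (getuid()) never changes. */
int is_privileged(void) {
    return geteuid() == 0;
}

/* Drop the effective uid back to the invoking user. The saved set-user-id
 * stays 0, so this is reversible with raise_privileges(). Verify the result
 * instead of trusting the return value alone. */
int drop_privileges(void) {
    if (seteuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Switch the effective uid to root. Fails with EPERM if the binary is not
 * setuid root, e.g. when this example is run from a normal shell. */
int raise_privileges(void) {
    if (seteuid(0) != 0)
        return -1;
    return geteuid() == 0 ? 0 : -1;
}

/* Bracket one privileged operation: raise, run it, and always drop again.
 * In Shaman's model the PAM password check would go before the raise. */
int run_privileged(int (*op)(void *), void *arg) {
    if (raise_privileges() != 0)
        return -1;
    int rc = op(arg);
    if (drop_privileges() != 0)
        abort();   /* never continue with root still effective */
    return rc;
}

/* Irreversible drop: setuid() clears the saved uid only when called with
 * euid 0, so regain root first if possible; if that fails there was no root
 * to give up. After this, seteuid(0) must fail. */
int drop_privileges_forever(void) {
    uid_t uid = getuid();
    (void)seteuid(0);
    if (setuid(uid) != 0)
        return -1;
    return geteuid() == uid ? 0 : -1;
}

/* Probe whether root can still be regained (1) or not (0); drops again if
 * the probe unexpectedly succeeds. */
int can_regain_root(void) {
    if (seteuid(0) != 0)
        return 0;
    (void)seteuid(getuid());
    return 1;
}

/* Constructed stand-in for an alpm transaction: records its effective uid. */
static uid_t g_seen_euid = (uid_t)-1;
static int fake_transaction(void *unused) {
    (void)unused;
    g_seen_euid = geteuid();
    return 0;
}
int demo_transaction(void) { return run_privileged(fake_transaction, NULL); }
uid_t seen_euid(void) { return g_seen_euid; }

int main(void) {
    /* First thing after start: give root back until it is actually needed. */
    if (drop_privileges() != 0) { perror("seteuid"); return 1; }
    printf("started as uid %u, euid now %u\n",
           (unsigned)getuid(), (unsigned)geteuid());

    if (demo_transaction() == 0)
        printf("transaction ran with euid %u, back to euid %u\n",
               (unsigned)seen_euid(), (unsigned)geteuid());
    else
        printf("cannot raise privileges: binary is not setuid root\n");

    if (drop_privileges_forever() != 0) { perror("setuid"); return 1; }
    printf("root regainable after permanent drop: %s\n",
           can_regain_root() ? "yes" : "no");
    return 0;
}
```

The two details worth copying are the verification after each switch (geteuid() is checked rather than only the return value) and the distinction between the reversible seteuid() drop, which is what the tray model needs, and the setuid() drop, which discards the saved uid and is the right call before exec'ing anything or handing control to code that must never regain root.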
For more details, the code is your reference, or you can refer to Ticket #19.
