bedrocklinux · netkv · Aug 4, 2023 · Aug 5, 2023 · Aug 5, 2023 · Aug 5, 2023
diff --git a/src/slash-bedrock/etc/bedrock.conf b/src/slash-bedrock/etc/bedrock.conf
@@ -552,14 +552,14 @@ ignore-non-system-package-managers = true
 
 #
 # Some package managers such as yay recommend against running as root.  If pmm
-# is called as root, pmm will call such package managers with this user via
-# `sudo`.
+# is called as root, pmm will call such package managers with this command.
 #
-# sudo sets $SUDO_USER accordingly and is thus a good general default if pmm is
-# called via sudo.  If you do not use this, consider setting it either your
-# primary user or a dedicated unprivileged user.
+# sudo sets $SUDO_USER accordingly and `sudo -u $SUDO_USER` is thus a good
+# general default if pmm is called via sudo.  If you do not use this, consider
+# setting it command you use for changing user and to either your primary user
+# or a dedicated unprivileged user.
 #
-unprivileged-user = $SUDO_USER
+drop-privileges-command = sudo -u $SUDO_USER
 
 #
 # Most package managers support only a subset of available operations.  If a

diff --git a/src/slash-bedrock/libexec/pmm b/src/slash-bedrock/libexec/pmm
@@ -68,10 +68,17 @@ am_root=1"
 fi
 
 #
-# Gather unprivileged user
+# Gather command for switching into unprivileged user
+# If user's configuration doesn't have [pmm]/drop-privileges-command, fallback
+# to "sudo -u [pmm]/unprivileged-user" as this is backwards compatible.
 #
-initialize_awk_variables="${initialize_awk_variables}
-unprivileged_user=\"$(cfg_value "pmm" "unprivileged-user" | sed -e "s/['\"\\]/\\\&/" -e "s/^x//")\""
+if [ -n "$(cfg_value pmm drop-privileges-command)" ]; then 
+	initialize_awk_variables="${initialize_awk_variables}
+	drop_privileges_command=\"$(cfg_value "pmm" "drop-privileges-command" | sed -e "s/['\"\\]/\\\&/" -e "s/^x//")\""
+else
+	initialize_awk_variables="${initialize_awk_variables}
+	drop_privileges_command=\"sudo\ -u\ $(cfg_value "pmm" "unprivileged-user" | sed -e "s/['\"\\]/\\\&/" -e "s/^x//")\""
+fi
 
 #
 # Check if warnings are desired when skipping package managers.
@@ -789,14 +796,14 @@ function prep_shell_environment(stratum, package_manager, items, cmd,
 	output = "export stratum=\""shell_escape(stratum)"\";"
 	output = output " export package_manager=\""shell_escape(package_manager)"\";"
 
-	if (!am_root || cmd !~ /[$]\{unprivileged_user\}/) {
-		output = output " export unprivileged_user=\"\";"
-	} else if (unprivileged_user == "") {
-		abort("/bedrock/etc/bedrock.conf [pmm]/unprivileged-user is unset but `"cmd"` requires it.")
-	} else if (unprivileged_user ~ /^[$]/ && ENVIRON[substr(unprivileged_user,2)] == "") {
-		abort("/bedrock/etc/bedrock.conf [pmm]/unprivileged-user is set to "unprivileged_user" but that envvar is empty/unset.\nEither populate envvar or change bedrock.conf [pmm]/unprivileged-user to run `"cmd"`")
+	if (!am_root || cmd !~ /[$]\{drop_privileges_command\}/) {
+		output = output " export drop_privileges_command=\"\";"
+	} else if (drop_privileges_command == "") {
+		abort("/bedrock/etc/bedrock.conf [pmm]/drop-privileges-command is unset but `"cmd"` requires it.")
+	} else if (drop_privileges_command ~ /^[$]/ && ENVIRON[substr(drop-privileges-command,2)] == "") {
+		abort("/bedrock/etc/bedrock.conf [pmm]/drop-privileges-command is set to "drop_privileges_command" but that envvar is empty/unset.\nEither populate envvar or change bedrock.conf [pmm]/drop-privileges-command to run `"cmd"`")
 	} else {
-		output = output " export unprivileged_user=\"sudo -u " unprivileged_user "\";"
+		output = output " export drop_privileges_command=\"" drop_privileges_command "\";"
 	}
 
 	output = output " export flags=\""
@@ -836,8 +843,8 @@ function show_cmd(cmd, env,
 	if (env ~ /export flags=""/) {
 		gsub(/ \$\{flags\}/,"", show)
 	}
-	if (env ~ /export unprivileged_user=""/) {
-		gsub(/\$\{unprivileged_user\} /,"", show)
+	if (env ~ /export drop_privileges_command=""/) {
+		gsub(/\$\{drop_privileges_command\} /,"", show)
 	}
 	# Escape everything except shell variables to ensure ${stratum} et al
 	# are expanded.

diff --git a/src/slash-bedrock/share/pmm/package_managers/paru b/src/slash-bedrock/share/pmm/package_managers/paru
@@ -15,7 +15,7 @@
 # to force a package to be explicitly installed by installing it would fail if
 # it is already installed as a dependency.
 #
-# paru refuses to run as root.  ${unprivileged_user} wrapping is required for
+# paru refuses to run as root.  ${drop_privileges_command} wrapping is required for
 # all calls.
 #
 # paru effectively supersedes pacman.  If both are in consideration for a given
@@ -55,21 +55,21 @@ user_interfaces["paru", "update-file-database"]     = "pmm -F/--files -y/--refre
 user_interfaces["paru", "upgrade-packages-limited"] = "" # no partial upgrade concept
 user_interfaces["paru", "upgrade-packages-full"]    = "pmm -S/--sync -u/--sysupgrade"
 
-implementations["paru", "install-packages"]         = "${unprivileged_user} strat -r ${stratum} paru ${flags} -S --asexplicit ${items}"
-implementations["paru", "reinstall-packages"]       = "${unprivileged_user} strat -r ${stratum} paru ${flags} -S ${items}"
-implementations["paru", "remove-packages-limited"]  = "${unprivileged_user} strat -r ${stratum} paru ${flags} -R ${items}"
-implementations["paru", "remove-packages-full"]     = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Rn ${items}"
-implementations["paru", "verify-packages"]          = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Qk ${items}"
-implementations["paru", "verify-all-packages"]      = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Qk"
-implementations["paru", "mark-packages-explicit"]   = "${unprivileged_user} strat -r ${stratum} paru ${flags} -D --asexplicit ${items}"
-implementations["paru", "mark-packages-implicit"]   = "${unprivileged_user} strat -r ${stratum} paru ${flags} -D --asdeps ${items}"
-implementations["paru", "show-package-information"] = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Si ${items}"
-implementations["paru", "clear-cache"]              = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Sc ${items}"
-implementations["paru", "remove-orphans"]           = "${unprivileged_user} strat -r ${stratum} paru ${flags} --clean"
-implementations["paru", "update-package-database"]  = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Sy"
-implementations["paru", "update-file-database"]     = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Fy"
-implementations["paru", "upgrade-packages-limited"] = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Su"
-implementations["paru", "upgrade-packages-full"]    = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Su"
+implementations["paru", "install-packages"]         = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -S --asexplicit ${items}"
+implementations["paru", "reinstall-packages"]       = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -S ${items}"
+implementations["paru", "remove-packages-limited"]  = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -R ${items}"
+implementations["paru", "remove-packages-full"]     = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Rn ${items}"
+implementations["paru", "verify-packages"]          = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Qk ${items}"
+implementations["paru", "verify-all-packages"]      = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Qk"
+implementations["paru", "mark-packages-explicit"]   = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -D --asexplicit ${items}"
+implementations["paru", "mark-packages-implicit"]   = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -D --asdeps ${items}"
+implementations["paru", "show-package-information"] = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Si ${items}"
+implementations["paru", "clear-cache"]              = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Sc ${items}"
+implementations["paru", "remove-orphans"]           = "${drop_privileges_command} strat -r ${stratum} paru ${flags} --clean"
+implementations["paru", "update-package-database"]  = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Sy"
+implementations["paru", "update-file-database"]     = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Fy"
+implementations["paru", "upgrade-packages-limited"] = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Su"
+implementations["paru", "upgrade-packages-full"]    = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Su"
 
 #
 # Combine operations.
@@ -96,21 +96,21 @@ user_interfaces["paru", "update-package-database,update-file-database,upgrade-pa
 
 implementations["paru", "clear-cache,remove-orphans"]                                                             = ""
 implementations["paru", "mark-packages-implicit,remove-orphans"]                                                  = ""
-implementations["paru", "remove-packages-limited,remove-orphans"]                                                 = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Rs ${items}"
-implementations["paru", "remove-packages-full,remove-orphans"]                                                    = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Rs ${items}"
-implementations["paru", "update-package-database,update-file-database"]                                           = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Sy"
-implementations["paru", "update-package-database,upgrade-packages-partial"]                                       = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu"
-implementations["paru", "update-package-database,upgrade-packages-full"]                                          = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu"
-implementations["paru", "update-package-database,update-file-database,upgrade-packages-partial"]                  = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu"
-implementations["paru", "update-package-database,update-file-database,upgrade-packages-full"]                     = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu"
-implementations["paru", "update-package-database,install-packages"]                                               = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Sy --asexplicit ${items}"
-implementations["paru", "update-package-database,update-file-database,install-packages"]                          = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Sy --asexplicit ${items}"
-implementations["paru", "upgrade-packages-limited,install-packages"]                                              = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Su --asexplicit ${items}"
+implementations["paru", "remove-packages-limited,remove-orphans"]                                                 = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Rs ${items}"
+implementations["paru", "remove-packages-full,remove-orphans"]                                                    = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Rs ${items}"
+implementations["paru", "update-package-database,update-file-database"]                                           = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Sy"
+implementations["paru", "update-package-database,upgrade-packages-partial"]                                       = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu"
+implementations["paru", "update-package-database,upgrade-packages-full"]                                          = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu"
+implementations["paru", "update-package-database,update-file-database,upgrade-packages-partial"]                  = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu"
+implementations["paru", "update-package-database,update-file-database,upgrade-packages-full"]                     = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu"
+implementations["paru", "update-package-database,install-packages"]                                               = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Sy --asexplicit ${items}"
+implementations["paru", "update-package-database,update-file-database,install-packages"]                          = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Sy --asexplicit ${items}"
+implementations["paru", "upgrade-packages-limited,install-packages"]                                              = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Su --asexplicit ${items}"
 implementations["paru", "upgrade-packages-limited,remove-orphans"]                                                = ""
-implementations["paru", "upgrade-packages-full,install-packages"]                                                 = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Su --asexplicit ${items}"
+implementations["paru", "upgrade-packages-full,install-packages"]                                                 = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Su --asexplicit ${items}"
 implementations["paru", "upgrade-packages-full,remove-orphans"]                                                   = ""
-implementations["paru", "update-package-database,upgrade-packages-partial,install-packages"]                      = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu --asexplicit ${items}"
-implementations["paru", "update-package-database,upgrade-packages-full,install-packages"]                         = "${unprivileged_user} strat -r ${stratum} paru ${flags} -Syu --asexplicit ${items}"
+implementations["paru", "update-package-database,upgrade-packages-partial,install-packages"]                      = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu --asexplicit ${items}"
+implementations["paru", "update-package-database,upgrade-packages-full,install-packages"]                         = "${drop_privileges_command} strat -r ${stratum} paru ${flags} -Syu --asexplicit ${items}"
 implementations["paru", "update-package-database,update-file-database,upgrade-packages-partial,install-packages"] = ""
 implementations["paru", "update-package-database,update-file-database,upgrade-packages-full,install-packages"]    = ""
 
@@ -127,15 +127,15 @@ user_interfaces["paru", "search-for-package-by-all"]    = "pmm -S/--sync -s/--se
 user_interfaces["paru", "which-package-owns-file"]      = "pmm -Q/--query -o/--owns <file>"
 user_interfaces["paru", "which-packages-provide-file"]  = "pmm -F/--files <file>"
 
-implementations["paru", "list-installed-package-files"] = "${unprivileged_user} strat -r ${stratum} paru -Ql ${items} | cut -d' ' -f2-"
-implementations["paru", "list-installed-explicit"]      = "${unprivileged_user} strat -r ${stratum} paru -Qe | cut -d' ' -f1"
-implementations["paru", "list-installed-implicit"]      = "${unprivileged_user} strat -r ${stratum} paru -Qd | cut -d' ' -f1"
-implementations["paru", "list-installed-packages"]      = "${unprivileged_user} strat -r ${stratum} paru -Q | cut -d' ' -f1"
-implementations["paru", "list-available-packages"]      = "${unprivileged_user} strat -r ${stratum} paru -Sl | cut -d' ' -f2"
-implementations["paru", "search-for-package-by-name"]   = "${unprivileged_user} strat -r ${stratum} paru -Sl | cut -d' ' -f2 | grep ${items}"
-implementations["paru", "search-for-package-by-all"]    = "${unprivileged_user} strat -r ${stratum} paru -Ss ${items} | awk -F'[ /]' '/^[^ ]/{print$2}'"
-implementations["paru", "which-package-owns-file"]      = "${unprivileged_user} strat -r ${stratum} paru -Qo ${items} | awk '{print$(NF-1)}'"
-implementations["paru", "which-packages-provide-file"]  = "${unprivileged_user} strat -r ${stratum} paru -F ${items} |\
+implementations["paru", "list-installed-package-files"] = "${drop_privileges_command} strat -r ${stratum} paru -Ql ${items} | cut -d' ' -f2-"
+implementations["paru", "list-installed-explicit"]      = "${drop_privileges_command} strat -r ${stratum} paru -Qe | cut -d' ' -f1"
+implementations["paru", "list-installed-implicit"]      = "${drop_privileges_command} strat -r ${stratum} paru -Qd | cut -d' ' -f1"
+implementations["paru", "list-installed-packages"]      = "${drop_privileges_command} strat -r ${stratum} paru -Q | cut -d' ' -f1"
+implementations["paru", "list-available-packages"]      = "${drop_privileges_command} strat -r ${stratum} paru -Sl | cut -d' ' -f2"
+implementations["paru", "search-for-package-by-name"]   = "${drop_privileges_command} strat -r ${stratum} paru -Sl | cut -d' ' -f2 | grep ${items}"
+implementations["paru", "search-for-package-by-all"]    = "${drop_privileges_command} strat -r ${stratum} paru -Ss ${items} | awk -F'[ /]' '/^[^ ]/{print$2}'"
+implementations["paru", "which-package-owns-file"]      = "${drop_privileges_command} strat -r ${stratum} paru -Qo ${items} | awk '{print$(NF-1)}'"
+implementations["paru", "which-packages-provide-file"]  = "${drop_privileges_command} strat -r ${stratum} paru -F ${items} |\
 	awk '/^[^ ]/ {\
 		split($1, a, \"/\");\
 	} /^[ ]/ {\
@@ -145,11 +145,11 @@ implementations["paru", "which-packages-provide-file"]  = "${unprivileged_user}
 #
 # Internal pmm operations.
 #
-implementations["paru", "is-package-installed"]               = "${unprivileged_user} strat -r ${stratum} paru -Q ${items} >/dev/null 2>&1"
-implementations["paru", "is-package-available"]               = "${unprivileged_user} strat -r ${stratum} paru -Si ${items} >/dev/null 2>&1"
+implementations["paru", "is-package-installed"]               = "${drop_privileges_command} strat -r ${stratum} paru -Q ${items} >/dev/null 2>&1"
+implementations["paru", "is-package-available"]               = "${drop_privileges_command} strat -r ${stratum} paru -Si ${items} >/dev/null 2>&1"
 implementations["paru", "is-file-db-available"]               = "true"
 implementations["paru", "print-file-db-install-instructions"] = ""
-implementations["paru", "print-package-version"]              = "${unprivileged_user} strat -r ${stratum} paru -Si ${items} |\
+implementations["paru", "print-package-version"]              = "${drop_privileges_command} strat -r ${stratum} paru -Si ${items} |\
 	awk '\
 		$1 == \"Version\" {\
 			sub(/[0-9]*:/, \"\", $3);\
@@ -158,7 +158,7 @@ implementations["paru", "print-package-version"]              = "${unprivileged_
 			sub(/[.]$/, \"\", $3);\
 			print $3\
 		}'"
-implementations["paru", "cache-package-db"]                   = "${unprivileged_user} strat -r ${stratum} paru -Sl |\
+implementations["paru", "cache-package-db"]                   = "${drop_privileges_command} strat -r ${stratum} paru -Sl |\
 	awk '$3 == \"unknown-version\" {\
 		print $2\"\t0\"\
 		next\
@@ -169,4 +169,4 @@ implementations["paru", "cache-package-db"]                   = "${unprivileged_
 		sub(/[^0-9.].*/, \"\", $3);\
 		sub(/[.]$/, \"\", $3);\
 		print $2\"\t\"$3\
-	}'"
+	}'"