Note: I’m under the impression that Manjaro are the people behind Pamac, so I’m posting here.
Pamac (CLI) recently has switched to using PAM authentication (if I understand correctly) for doing super-user related stuff. It prompts the user to enter his password if you don’t run pamac with sudo (which from what I remember others in the forum saying: you shouldn’t run pamac with sudo, it will prompt you afterwards)
I just want to say that this password prompt can be somewhat very annoying because it does not tolerate mistakes. If you typed your password wrong, it immediately quits. This is particularly annoying because it only prompts for a password after it does all the heavy processing. In particular with AUR package installation, it only prompts for a password after it has built the package, which can take a long time. If at that time I entered the password wrong, then I’ll have to repeat the process all over again.
It would be a lot better for user experience if pamac would
Indeed, because doing so would mess up the permissions on the local package database.
In my experience, it prompts for the password very early on. If it prompts for the password (again) at a later stage, then it is because the timeout has already expired, and it needs elevated privileges for installing the built package in the filesystem tree.
I see. I guess I assumed this change is recent because in the past the prompt looked different, and now it looks like what systemd uses to authenticate systemctl stuff.
Today I have tried to install an AUR package (walc). It prompted me for a password twice (if I remember correctly), the first time after confirming, and after building the package in order to “commit” the changes. I incorrectly wrote my password the second time, so the entire build is thrown out, and I had to do it all over again.
It might be that it asked me for a password the second time due to a timeout, I don’t know. But the point is that, in my opinion, it should tolerate a few incorrect password entries
I highly disagree. Every decent system I’ve seen that requires authentication is able to tolerate a few incorrect password attempts without compromising security. This includes “sudo” among other things. You can add a timeout of 1-3 seconds between attempts in order to prevent bruteforce attacks, and allowing 3 attempts would make things a lot more convenient for the typical human user
This is another thing I didn’t quite understand, but never really asked. Why is this an issue for pamac, but not any other package manager tool like pacman, apt, etc.?
You are still misinterpreting things. If pamac builds a package and you then enter the wrong password, then the built package will not be deleted. It’ll still be in the build directory, and the only thing pamac does upon you entering the wrong password is bail out from the installing phase.
In other words, you can still manually install the built package afterwards.
Well, if I re-run the same command, then it restarts the whole build process without it detecting the previous build. Perhaps this is the real issue here?
That I now need to use pacman, not pamac, to install something that I initially used pamac for
The path of the zst file (this is handled by pamac, not myself)
It would make intuitive sense to re-run the same command if it failed the first time. But re-running the same command would not be necessary 99% of the time if it prompted me for a password for a second or third time after entering it incorrectly in the first place.
I think I made my point clear, this is a small enhancement request to make things easier and more intuitive for the user.
You have to change the way you think. This is GNU/Linux, not Microsoft Windows.
UNIX systems are logical, and they are conceived as toolboxes, from which you should pick the appropriate tool for the job. And every tool has a man page that tells you how to use it.
Normally — unless you’ve changed the defaults in /etc/pamac.conf — the built package will reside in /var/tmp, or possibly in a subdirectory thereof.
Two things…
pamac is not a shell script that invokes sudo. It hooks into polkit for elevating privileges.
Even more importantly, the point of having a password is that you would type it correctly. The consequences of user error are not considered within the scope of UNIX.
I have noticed this only when I have left it unattended; which one should probably never do, no matter how urgent a coffee seems.
When that happens, it can time out and abort the process, however, if I’m there to immediately enter the password when requested, it continues as expected. At least, this has been my experience.
Sure, but pamac is meant to be a tool for a user to use interactively. It is meant to be a frontend to libalpm according to the man page. It is the main package manager used by Manjaro. It is supposed to be easier and more straightforward to use for the average user than Pacman. Most Manjaro tutorials ask the user to use pamac, not pacman.
Now if I were to use pacman, I would use sudo. And if I wrote the password wrong by mistake, then sudo would prompt me again another 2 times. Isn’t that logical? It is how I expect a UNIX system to behave when I try to run something with elevated privileges.
Also, I have been using Manjaro for more than 2 years, and Linux for much longer than that. I am aware that this is not Microsoft Windows, after all this is a command line tool
Perhaps the solution here is to change pam config settings to have the user be prompted at least 3 times for the password, similar to how sudo works. But I’m not sure if pam config allows this.
I think I understand the issue here now. The authentication is handled directly by PAM, not by pamac. And PAM is not designed to tolerate error because it’s a subsystem designed to run system-wide. So that’s why pamac doesn’t tolerate user error.
But as an interactive user-friendly command line app, in my opinion, it is within the scope of pamac to tolerate user mistakes when authenticating.
Will do, thanks!
In my case, it was not unattended. The build process simply took a long time.
However, what’s the issue with leaving it unattended? What would it matter?
Well, it’s a matter of perspective. If you run a command with sudo, then that’s a simple process, and so the system will prompt you for a password. When you’re building a package, then there’s a different philosophy behind it, because it’s a more involved thing than simply running a command.
pamac has to fetch the PKGBUILD and then execute it, and the PKGBUILD will download the sources from the links in the file, and will then build the package, and upon completion of the build, it will install the package into the filesystem. It’s not meant to be left unattended.
Still, pamac does allow for a certain grace time — as sudo does, but pamac does not use sudo.
Case in point: on my system here, I have set up sudo to require the password of the target account — in most cases, this will be the root account, and thus the root password — whereas pamac will ask me for my own password instead. This is because pamac uses polkit for authentication, not pam directly.
I suppose it would depend upon in which stage of the build process it was left unattended. If credentials were needed to be entered (again) in that period, a timeout might occur.
As I might typically build two or three packages in succession (from AUR), it’s difficult to time a coffee break perfectly. I would usually restart the failed build rather than attempt to recover it.
Great points about leaving installs unattended. Personally I agree that it’s better to keep it attended, but I disagree on the criticality of it, but that’s a separate topic.
True. It makes sense that it may need to prompt multiple times due to timeouts and from having to do several steps. I must admit, I am not very familiar with the intricacies of the security subsystem of Linux like pam and polkit. However, I still think the prompt should tolerate user error when authenticating, whether it’s with your user’s password or the root password.
By the way, I tried doing this, but I couldn’t figure out how to sign in. I tried both my GitHub and GitLab accounts but they didn’t work. I also couldn’t find a “sign up” page. I hope this isn’t a stupid question, but what am I doing wrong?
If you already have a GitLab account, then it should normally work. But this is a question better directed at @Yochanan — he’s a Manjaro Team member, while I am not.