Hardening yaourt(8)

This is specific to Arch Linux with yaourt.

Run the following commands as root:

groupadd -r packages
useradd -d /var/empty -g packages -lMNr pkgbuild
usermod -aG packages YOUR_USER
passwd pkgbuild ## Select a unique password for better security
echo '%packages ALL=(pkgbuild) NOPASSWD: /usr/bin/yaourt' >> /etc/sudoers
echo '%packages ALL=(pkgbuild) NOPASSWD: /usr/bin/rm' >> /etc/sudoers
echo '%packages ALL=(root) /usr/bin/pacman' >> /etc/sudoers
! test -e /usr/local/bin/yaourt
touch /usr/local/bin/yaourt
chown root:packages /usr/local/bin/yaourt
chmod 750 /usr/local/bin/yaourt

Open /usr/local/bin/yaourt with your text editor and write

#!/bin/sh -e
cd /var/empty
touch /tmp/.pkgbuild-lock
exec 10<>/tmp/.pkgbuild-lock
flock -s 10
(exec 10&<-; exec sudo -Hu pkgbuild /bin/usr/yaourt "$@@")
if flock -nx 10; then
    if test -d /tmp/yaourt-tmp-pkgbuild; then
        sudo -u pkgbuild rm -rf /tmp/yaourt-tmp-pkgbuild
    fi
fi
exec flock -u 10

You can further harden your setup by running

userdel pkgbuild
useradd -d /var/empty -G packages -lMUr pkgbuild
passwd pkgbuild
chown root:pkgbuild /usr/bin/yaourt
chmod 654 /usr/bin/yaourt
mkdir -p /etc/pacman.d/hooks
cat >|/etc/pacman.d/hooks/hardened-yaourt.hook <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = yaourt

[Action]
Depends = coreutils
When = PostTransaction
Exec = sh -c '/bin/chown root:pkgbuild /bin/yaourt && /bin/chmod 654 /bin/yaourt'
EOF