Make tool request elevated privileges on-demand

Add safety check before rm -rf call
Move log to user owned directory
7 changed files with 186 additions and 60 deletions
--- a/README.md
+++ b/README.md
@ -27,22 +27,22 @@ sudo mv declpac /usr/local/bin/
 - pacman
 - makepkg (for AUR support)
 - git (for AUR support)
- Root privileges
+- sudo/doas (root privileges)

 ## Usage

 ```bash
 # Single state file
-sudo declpac --state packages.txt
+declpac --state packages.txt

 # Multiple state files
-sudo declpac --state base.txt --state apps.txt
+declpac --state base.txt --state apps.txt

 # From stdin
-cat packages.txt | sudo declpac
+cat packages.txt | declpac

 # Preview changes without applying
-sudo declpac --dry-run --state packages.txt
+declpac --dry-run --state packages.txt
 ```

 ### State File Format
@ -89,17 +89,11 @@ If the pacman database is older than 24 hours, it is automatically refreshed.

 ### Logging

-Operations are logged to `/var/log/declpac.log`.
+Operation are logged to `$XDG_STATE_HOME/declpac.log`
+(or `~/.local/state/declpac.log` on fallback)

 ## Troubleshooting

-### Permission denied
-
-Use sudo:
-```bash
-sudo declpac --state packages.txt
-```
-
 ### Package not found

 Check if the package exists:
--- a/cmd/declpac/main.go
+++ b/cmd/declpac/main.go
@ -8,6 +8,7 @@ import (

 	"github.com/urfave/cli/v3"

+	"github.com/Riyyi/declpac/pkg/auth"
 	"github.com/Riyyi/declpac/pkg/input"
 	"github.com/Riyyi/declpac/pkg/log"
 	"github.com/Riyyi/declpac/pkg/output"
@ -97,6 +98,8 @@ func run(cfg *Config) error {
 		return nil
 	}

+	auth.Start()
+
 	if err := log.OpenLog(); err != nil {
 		fmt.Fprintf(os.Stderr, "error: %v\n", err)
 		return err
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -0,0 +1,104 @@
+package auth
+
+import (
+	"fmt"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"time"
+
+	"github.com/Riyyi/declpac/pkg/log"
+)
+
+var tool string
+var timeout time.Duration = 5 * time.Minute
+var refreshCommand []string = []string{"-n", "true"}
+
+// -----------------------------------------
+// public
+
+func Command(name string, args ...string) *exec.Cmd {
+	if tool == "" {
+		return log.Command(name, args...)
+	}
+	args = append([]string{name}, args...)
+	return log.Command(tool, args...)
+}
+
+func Run() {
+	exec.Command(tool, refreshCommand...).Run()
+}
+
+func Start() error {
+	err := detect()
+	if err != nil {
+		return err
+	}
+
+	// Automatically refresh privilege elevation to prevent user prompts
+	go func() {
+		for {
+			Run()
+			time.Sleep(timeout)
+		}
+	}()
+
+	return nil
+}
+
+// -----------------------------------------
+// private
+
+func detect() error {
+	tool = getTool()
+	if tool == "" {
+		return fmt.Errorf("no privilege elevation tool detected in PATH")
+	}
+
+	parseTimeout()
+	// We have to be a little faster than the actual timeout
+	timeout -= 30 * time.Second
+
+	return nil
+}
+
+func execLookPath(name string) string {
+	path, err := exec.LookPath(name)
+	if err != nil {
+		return ""
+	}
+	return path
+}
+
+func getTool() string {
+	sudo := execLookPath("sudo")
+	doas := execLookPath("doas")
+
+	if sudo != "" {
+		return "sudo"
+	}
+	if doas != "" {
+		return "doas"
+	}
+
+	return ""
+}
+
+func parseTimeout() {
+	switch tool {
+	case "sudo":
+		out, err := exec.Command("sudo", "sudo", "-V").CombinedOutput()
+		if err != nil {
+			return
+		}
+		re := regexp.MustCompile(`Authentication timestamp timeout: (\d+)\..*`)
+		matches := re.FindStringSubmatch(string(out))
+		if len(matches) == 2 {
+			if minutes, err := strconv.Atoi(matches[1]); err == nil {
+				timeout = time.Duration(minutes) * time.Minute
+			}
+		}
+	case "doas":
+		exec.Command("doas", "true").Run()
+	}
+}
--- a/pkg/input/input.go
+++ b/pkg/input/input.go
@ -6,6 +6,8 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/Riyyi/declpac/pkg/lib"
 )

 var ErrEmptyList = errors.New("package list is empty")
@ -28,7 +30,7 @@ func ReadPackages(stateFiles []string) (map[string]bool, error) {
 	packages := make(map[string]bool)

 	for _, file := range stateFiles {
-		expanded := expandPath(file)
+		expanded := lib.ExpandPath(file)
 		if err := readStateFile(expanded, packages); err != nil {
 			return nil, err
 		}
@ -51,27 +53,17 @@ func ReadPackages(stateFiles []string) (map[string]bool, error) {
 // -----------------------------------------
 // private

-func expandPath(path string) string {
-	if strings.HasPrefix(path, "~/") {
-		home, err := os.UserHomeDir()
-		if err != nil {
-			return path
-		}
-		return filepath.Join(home, path[2:])
-	}
-	return path
-}
-
 func fileExists(path string) bool {
 	_, err := os.Stat(path)
 	return err == nil
 }

 func getImplicitStateFile() string {
-	cfgDir, _ := os.UserConfigDir()
+	cfgDir := os.Getenv("XDG_CONFIG_HOME")
 	if cfgDir == "" {
 		cfgDir = "~/.config"
 	}
+	cfgDir = lib.ExpandPath(cfgDir)
 	return filepath.Join(cfgDir, "declpac")
 }

--- a/pkg/lib/lib.go
+++ b/pkg/lib/lib.go
@ -0,0 +1,21 @@
+package lib
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// -----------------------------------------
+// public
+
+func ExpandPath(path string) string {
+	if strings.HasPrefix(path, "~/") {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return path
+		}
+		return filepath.Join(home, path[2:])
+	}
+	return path
+}
--- a/pkg/log/log.go
+++ b/pkg/log/log.go
@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/Riyyi/declpac/pkg/lib"
 )

 var logFile *os.File
@ -29,7 +31,7 @@ func Command(name string, args ...string) *exec.Cmd {
 	return exec.Command(name, args...)
 }

-func Debug(format string, args ...interface{}) {
+func Debug(format string, args ...any) {
 	if !Verbose {
 		return
 	}
@ -41,11 +43,18 @@ func GetLogWriter() io.Writer {
 }

 func OpenLog() error {
-	logPath := filepath.Join("/var/log", "declpac.log")
+	stateDir := os.Getenv("XDG_STATE_HOME")
+	if stateDir == "" {
+		stateDir = "~/.local/state"
+	}
+	stateDir = lib.ExpandPath(stateDir)
+
+	logPath := filepath.Join(stateDir, "declpac.log")
 	f, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 	if err != nil {
 		return err
 	}
+
 	logFile = f
 	writeTimestamp()
 	return nil
--- a/pkg/pacman/sync/sync.go
+++ b/pkg/pacman/sync/sync.go
@ -4,18 +4,16 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/user"
 	"strings"
-	"sync"
 	"time"

+	"github.com/Riyyi/declpac/pkg/auth"
 	"github.com/Riyyi/declpac/pkg/fetch"
 	"github.com/Riyyi/declpac/pkg/fetch/aur"
 	"github.com/Riyyi/declpac/pkg/log"
 )

-var sudoUser string
-var sudoUserOnce sync.Once
-
 type Result struct {
 	Installed int
 	Removed   int
@ -37,19 +35,18 @@ func InstallAUR(f *fetch.Fetcher, pkgName string, packageBase string, asDeps boo
 		return err
 	}

-	sudoUser := getSudoUser()
-	tmpDir := "/tmp/declpac/" + pkgName
-	if err := createTempDir(sudoUser, tmpDir); err != nil {
+	tmpDir := getTempDirName() + "/" + pkgName
+	if err := createTempDir(tmpDir); err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)

-	if err := cloneRepo(sudoUser, packageBase, tmpDir, logWriter); err != nil {
+	if err := cloneRepo(packageBase, tmpDir, logWriter); err != nil {
 		return err
 	}
 	log.Debug("InstallAUR: cloned (%.2fs)", time.Since(start).Seconds())

-	if err := buildPackage(sudoUser, tmpDir, asDeps, logWriter); err != nil {
+	if err := buildPackage(tmpDir, asDeps, logWriter); err != nil {
 		return err
 	}
 	log.Debug("InstallAUR: built (%.2fs)", time.Since(start).Seconds())
@ -80,7 +77,7 @@ func MarkAs(packages []string, flag string, logWriter io.Writer) error {
 	}

 	args := append([]string{"-D", "--" + flagName}, packages...)
-	cmd := log.Command("pacman", args...)
+	cmd := auth.Command("pacman", args...)
 	cmd.Stdout = logWriter
 	cmd.Stderr = logWriter
 	err := cmd.Run()
@ -100,7 +97,7 @@ func RefreshDB(logWriter io.Writer) error {
 		logWriter = os.Stderr
 	}

-	cmd := log.Command("pacman", "-Syy")
+	cmd := auth.Command("pacman", "-Syy")
 	cmd.Stdout = logWriter
 	cmd.Stderr = logWriter
 	if err := cmd.Run(); err != nil {
@ -127,7 +124,7 @@ func RemoveOrphans(orphans []string, logWriter io.Writer) (int, error) {
 	args := make([]string, 0, 3+len(orphans))
 	args = append(args, "pacman", "-Rns", "--noconfirm")
 	args = append(args, orphans...)
-	removeCmd := log.Command(args[0], args[1:]...)
+	removeCmd := auth.Command(args[0], args[1:]...)
 	removeCmd.Stdout = logWriter
 	removeCmd.Stderr = logWriter
 	err := removeCmd.Run()
@ -150,7 +147,7 @@ func SyncPackages(packages []string, logWriter io.Writer) error {
 	}

 	args := append([]string{"-S", "--needed", "--noconfirm"}, packages...)
-	cmd := log.Command("pacman", args...)
+	cmd := auth.Command("pacman", args...)
 	cmd.Stdout = logWriter
 	cmd.Stderr = logWriter
 	err := cmd.Run()
@ -165,12 +162,12 @@ func SyncPackages(packages []string, logWriter io.Writer) error {
 // -----------------------------------------
 // private

-func buildPackage(sudoUser string, tmpDir string, asDeps bool, logWriter io.Writer) error {
-	makepkgArgs := []string{"makepkg", "-s", "--noconfirm"}
+func buildPackage(tmpDir string, asDeps bool, logWriter io.Writer) error {
+	makepkgArgs := []string{"-D", tmpDir, "-s", "--noconfirm"}
 	if asDeps {
 		makepkgArgs = append(makepkgArgs, "--asdeps")
 	}
-	makepkgCmd := log.Command("su", "-", sudoUser, "-c", "cd "+tmpDir+" && "+strings.Join(makepkgArgs, " "))
+	makepkgCmd := log.Command("makepkg", makepkgArgs...)
 	makepkgCmd.Stdout = logWriter
 	makepkgCmd.Stderr = logWriter
 	if err := makepkgCmd.Run(); err != nil {
@ -179,9 +176,9 @@ func buildPackage(sudoUser string, tmpDir string, asDeps bool, logWriter io.Writ
 	return nil
 }

-func cloneRepo(sudoUser string, packageBase string, tmpDir string, logWriter io.Writer) error {
+func cloneRepo(packageBase string, tmpDir string, logWriter io.Writer) error {
 	cloneURL := "https://aur.archlinux.org/" + packageBase + ".git"
-	cloneCmd := log.Command("su", "-", sudoUser, "-c", "git clone "+cloneURL+" "+tmpDir)
+	cloneCmd := log.Command("git", "clone", cloneURL, tmpDir)
 	cloneCmd.Stdout = logWriter
 	cloneCmd.Stderr = logWriter
 	if err := cloneCmd.Run(); err != nil {
@ -190,11 +187,21 @@ func cloneRepo(sudoUser string, packageBase string, tmpDir string, logWriter io.
 	return nil
 }

-func createTempDir(sudoUser string, tmpDir string) error {
-	mkdirCmd := log.Command("su", "-", sudoUser, "-c", "rm -rf "+tmpDir+" && mkdir -p "+tmpDir)
+func createTempDir(tmpDir string) error {
+	if tmpDir == "" || tmpDir == "/" || !strings.HasPrefix(tmpDir, "/tmp") {
+		return fmt.Errorf("safety check: prevented malformed rm -rf call")
+	}
+
+	rmdirCmd := log.Command("rm", "-rf", tmpDir)
+	if err := rmdirCmd.Run(); err != nil {
+		return fmt.Errorf("failed to remove temp directory: %w", err)
+	}
+
+	mkdirCmd := log.Command("mkdir", "-p", tmpDir)
 	if err := mkdirCmd.Run(); err != nil {
 		return fmt.Errorf("failed to create temp directory: %w", err)
 	}
+
 	return nil
 }

@ -227,21 +234,17 @@ func getAURInfo(f *fetch.Fetcher, pkgName string, packageBase string) *aur.Packa
 	return &info
 }

-func getSudoUser() string {
-	sudoUserOnce.Do(func() {
-		sudoUser = os.Getenv("SUDO_USER")
-		if sudoUser == "" {
-			sudoUser = os.Getenv("USER")
-			if sudoUser == "" {
-				sudoUser = "root"
-			}
+func getTempDirName() string {
+	user, err := user.Current()
+	if err != nil {
+		return "/tmp/declpac"
 	}
-	})
-	return sudoUser
+
+	return "/tmp/declpac-" + user.Username
 }

 func installBuiltPackage(pkgFile string, logWriter io.Writer) error {
-	installCmd := log.Command("pacman", "-U", "--noconfirm", pkgFile)
+	installCmd := auth.Command("pacman", "-U", "--noconfirm", pkgFile)
 	installCmd.Stdout = logWriter
 	installCmd.Stderr = logWriter
 	if err := installCmd.Run(); err != nil {
Author	SHA1	Message	Date
Riyyi	b371c74e9a	Make tool request elevated privileges on-demand	3 weeks ago
Riyyi	76b83437ac	Add safety check before rm -rf call	3 weeks ago
AI Bot	b04869f0e1	Move log to user owned directory	3 weeks ago