This document outlines the security architecture and troubleshooting steps for the Millennium Helper utility suite.
For general usage instructions, see the main README.md. Full docs index: README.md. For MCP server setup details, see mcp.md. Licensing: licensing.md.
To allow background user-level timers to run updates that modify system directories, the updater scripts must run with elevated privileges.
This setup achieves this securely:
- Sudoers Autoconfiguration (Linux): During
sudo ./install.sh, the installer detects the original invoking user (SUDO_USER) and automatically configures a secure drop-in file at/etc/sudoers.d/millennium-helpers. - Write-Protected Scripts: Helper scripts are copied into
/usr/local/bin/owned byroot:rootwith755permissions, meaning normal users cannot edit or tamper with them. - Task Scheduler (Windows): Scheduled tasks are registered with elevated credentials using native Windows Task Scheduler security boundaries.
- Channel allow-list: Scheduler enable paths only accept
stable|beta|main. Poisonedupdate_channelvalues in config are ignored on load and rejected before embedding into cron/systemd/Task Scheduler command lines. - Scheduler-only hooks:
pre-update/post-updaterequireMILLENNIUM_SCHEDULER=1(set by the unit/cron). Manual invocation is refused. - Release checksums: Non-
mainhelper/client downloads hard-fail if the.sha256sidecar is missing or mismatches. Tip-of-main installs require--allow-unsigned-main/-AllowUnsignedMain. Same-origin GitHub sidecars are TOFU, not independent attestation. - Local archives:
millennium upgrade --filerequires--sha256or explicit--insecure-skip-verify. - Doctor: Syncing helper scripts over root-owned install paths requires
millennium diag doctor --yesafter a verified release download. - Archive extract: Theme and Windows client zips reject path-traversal members (
../ absolute paths).
Arch packages ship %wheel NOPASSWD for the four privileged commands; that is intentional for multi-admin Wheel hosts—prefer the curl-installer user-specific sudoers drop-in on shared desktops if wheel membership is broad.
This is usually caused by outdated CEF cached files. Run the repair utility to fix local permissions and clear Steam's htmlcache:
# Linux
sudo millennium repair
# Windows
millennium repair- Check the timer status:
millennium schedule status
- Verify that passwordless sudo (Linux) or Scheduled Tasks (Windows) are configured correctly.
- If you want the updates to run even when you are logged out of your session on Linux, enable user lingering:
loginctl enable-linger $USER
Hooks, sandbox overrides, Desktop Mode install, and post-SteamOS-update recovery are covered in the Steam Deck & Flatpak Troubleshooting guide.
- Docs index: README.md
- Project: README.md · SECURITY.md · CONTRIBUTING.md
- Guides: mcp.md · steam_deck.md · uninstall_dryrun.md · licensing.md