aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAvatar Ciaran McCreesh <ciaran.mccreesh@googlemail.com> 2007-03-14 17:03:49 +0000
committerAvatar Ciaran McCreesh <ciaran.mccreesh@googlemail.com> 2007-03-14 17:03:49 +0000
commit727edf7300e7d9e0a45064b210afc9c7d35af4d3 (patch)
treecccfaabcd05f8b2ce22f99764aee1794f561199c
parent402c186ce65b06a525ca6b586a5f11da2fef5faf (diff)
downloadpaludis-727edf7300e7d9e0a45064b210afc9c7d35af4d3.tar.gz
paludis-727edf7300e7d9e0a45064b210afc9c7d35af4d3.tar.xz
Better userpriv handling for config directories. Fixes: ticket:144
-rw-r--r--paludis/environments/paludis/paludis_config.cc61
-rwxr-xr-xpaludis/repositories/gentoo/ebuild/ebuild.bash2
2 files changed, 47 insertions, 16 deletions
diff --git a/paludis/environments/paludis/paludis_config.cc b/paludis/environments/paludis/paludis_config.cc
index 1bb2a4e..f133233 100644
--- a/paludis/environments/paludis/paludis_config.cc
+++ b/paludis/environments/paludis/paludis_config.cc
@@ -263,8 +263,16 @@ PaludisConfig::PaludisConfig(PaludisEnvironment * const e, const std::string & s
FSEntry local_config_dir(FSEntry(getenv_with_default("PALUDIS_HOME", getenv_or_error("HOME"))) /
(".paludis" + local_config_suffix)), old_config_dir(local_config_dir);
- if (! local_config_dir.exists())
+ try
+ {
+ if (! local_config_dir.exists())
+ local_config_dir = (FSEntry(SYSCONFDIR) / ("paludis" + local_config_suffix));
+ }
+ catch (const FSError &)
+ {
local_config_dir = (FSEntry(SYSCONFDIR) / ("paludis" + local_config_suffix));
+ }
+
if (! local_config_dir.exists())
throw PaludisConfigError("Can't find configuration directory (tried '"
+ stringify(old_config_dir) + "', '" + stringify(local_config_dir) + "')");
@@ -272,6 +280,19 @@ PaludisConfig::PaludisConfig(PaludisEnvironment * const e, const std::string & s
Log::get_instance()->message(ll_debug, lc_no_context, "PaludisConfig initial directory is '"
+ stringify(local_config_dir) + "'");
+ /* check that we can safely use userpriv */
+ {
+ Command cmd(Command("ls -ld '" + stringify(local_config_dir) + "'/* >/dev/null 2>/dev/null")
+ .with_uid_gid(reduced_uid(), reduced_gid()));
+ if (0 != run_command(cmd))
+ {
+ Log::get_instance()->message(ll_warning, lc_context, "Cannot access configuration directory '"
+ + stringify(local_config_dir) + "' using userpriv, so userpriv will be disabled");
+ _imp->reduced_uid.reset(new uid_t(getuid()));
+ _imp->reduced_gid.reset(new gid_t(getgid()));
+ }
+ }
+
if ((local_config_dir / "specpath").exists())
{
KeyValueConfigFile specpath(local_config_dir / "specpath");
@@ -1046,15 +1067,20 @@ PaludisConfig::reduced_uid() const
{
if (! _imp->reduced_uid)
{
- struct passwd * p(getpwnam(reduced_username().c_str()));
- if (! p)
- {
- Log::get_instance()->message(ll_warning, lc_no_context,
- "Couldn't determine uid for user '" + reduced_username() + "'");
+ if (0 != getuid())
_imp->reduced_uid.reset(new uid_t(getuid()));
- }
else
- _imp->reduced_uid.reset(new uid_t(p->pw_uid));
+ {
+ struct passwd * p(getpwnam(reduced_username().c_str()));
+ if (! p)
+ {
+ Log::get_instance()->message(ll_warning, lc_no_context,
+ "Couldn't determine uid for user '" + reduced_username() + "'");
+ _imp->reduced_uid.reset(new uid_t(getuid()));
+ }
+ else
+ _imp->reduced_uid.reset(new uid_t(p->pw_uid));
+ }
}
return *_imp->reduced_uid;
@@ -1065,15 +1091,20 @@ PaludisConfig::reduced_gid() const
{
if (! _imp->reduced_gid)
{
- struct passwd * p(getpwnam(reduced_username().c_str()));
- if (! p)
- {
- Log::get_instance()->message(ll_warning, lc_no_context,
- "Couldn't determine gid for user '" + reduced_username() + "'");
+ if (0 != getuid())
_imp->reduced_gid.reset(new gid_t(getgid()));
- }
else
- _imp->reduced_gid.reset(new gid_t(p->pw_gid));
+ {
+ struct passwd * p(getpwnam(reduced_username().c_str()));
+ if (! p)
+ {
+ Log::get_instance()->message(ll_warning, lc_no_context,
+ "Couldn't determine gid for user '" + reduced_username() + "'");
+ _imp->reduced_gid.reset(new gid_t(getgid()));
+ }
+ else
+ _imp->reduced_gid.reset(new gid_t(p->pw_gid));
+ }
}
return *_imp->reduced_gid;
diff --git a/paludis/repositories/gentoo/ebuild/ebuild.bash b/paludis/repositories/gentoo/ebuild/ebuild.bash
index 9a759a1..ac9737d 100755
--- a/paludis/repositories/gentoo/ebuild/ebuild.bash
+++ b/paludis/repositories/gentoo/ebuild/ebuild.bash
@@ -294,7 +294,7 @@ ebuild_main()
shift
if [[ ${#@} -ge 2 ]] ; then
- ebuild_section "Running ebuild phases $@..."
+ ebuild_section "Running ebuild phases $@ as $(id -un ):$(id -gn )..."
elif [[ ${1} != variable ]] && [[ ${1} != metadata ]] ; then
ebuild_section "Running ebuild phase $@..."
fi