Apply secure PORTAGE_WORKDIR_MODE permissions to PORTAGE_BUILDDIR, |
since the child directory ${D} and its children may have vulnerable |
permissions as reported in bug 692492. |
|
Bug: https://bugs.gentoo.org/692492 |
Signed-off-by: Zac Medico <zmedico@g.o> |
--- |
.../package/ebuild/prepare_build_dirs.py | 21 ++++++++++++------- |
1 file changed, 14 insertions(+), 7 deletions(-) |
|
diff --git a/lib/portage/package/ebuild/prepare_build_dirs.py b/lib/portage/package/ebuild/prepare_build_dirs.py |
index c325819d1..8349d306f 100644 |
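--- a/lib/portage/package/ebuild/prepare_build_dirs.py
+++ b/lib/portage/package/ebuild/prepare_build_dirs.py
@@ -1,4 +1,4 @@
-# Copyright 2010-2018 Gentoo Foundation
+# Copyright 2010-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 from __future__ import unicode_literals
@@ -84,7 +84,7 @@ def prepare_build_dirs(myroot=None, settings=None, cleanup=False):
 except PortageException:
 if not os.path.isdir(mydir):
 raise
- for dir_key in ("PORTAGE_BUILDDIR", "HOME", "PKG_LOGDIR", "T"):
+ for dir_key in ("HOME", "PKG_LOGDIR", "T"):
 ensure_dirs(mysettings[dir_key], mode=0o755)
 apply_secpass_permissions(mysettings[dir_key],
 uid=portage_uid, gid=portage_gid)
@@ -272,11 +272,18 @@ def _prepare_workdir(mysettings):
 writemsg(_("!!! Unable to parse PORTAGE_WORKDIR_MODE='%s', using %s.\n") % \
 (mysettings["PORTAGE_WORKDIR_MODE"], oct(workdir_mode)))
 mysettings["PORTAGE_WORKDIR_MODE"] = oct(workdir_mode).replace('o', '')
- try:
- apply_secpass_permissions(mysettings["WORKDIR"],
- uid=portage_uid, gid=portage_gid, mode=workdir_mode)
- except FileNotFound:
- pass # ebuild.sh will create it
+
+ permissions = {'mode': workdir_mode}
+ if portage.data.secpass >= 2:
+ permissions['uid'] = portage_uid
+ if portage.data.secpass >= 1:
+ permissions['gid'] = portage_gid
+
+ # Apply PORTAGE_WORKDIR_MODE to PORTAGE_BUILDDIR, since the child
+ # directory ${D} and its children may have vulnerable permissions
+ # as reported in bug 692492.
+ ensure_dirs(mysettings["PORTAGE_BUILDDIR"], **permissions)
+ ensure_dirs(mysettings["WORKDIR"], **permissions)
 
 if mysettings.get("PORTAGE_LOGDIR", "") == "":
 while "PORTAGE_LOGDIR" in mysettings: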
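Review bot: The protection added for ${D} in the last hunk is only as strict as the configured PORTAGE_WORKDIR_MODE, and the new comment above `ensure_dirs(mysettings["PORTAGE_BUILDDIR"], **permissions)` does not say so. The parsing and fallback of that setting sit above the hunk, so it is not visible here whether a value with group or other bits set is rejected; if such a value is accepted, PORTAGE_BUILDDIR would get the same kind of access as the `mode=0o755` that the second hunk stops applying to it. I would extend the comment with `# A PORTAGE_WORKDIR_MODE that grants group/other access re-exposes ${D}.` and consider emitting a warning when `workdir_mode & 0o077` is non-zero. The replacement also drops the `except FileNotFound` path, so WORKDIR is now created here rather than left to ebuild.sh, and it swaps `apply_secpass_permissions` for hand-gated uid/gid while `mode` is always passed; it is worth confirming how `ensure_dirs` behaves when secpass is 0 and the directory belongs to another user. Both `prepare_build_dirs` and `_prepare_workdir` start and end outside the hunks.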
-- |
2.24.1 |