Gentoo Archives: gentoo-portage-dev

From:	Zac Medico <zmedico@g.o>
To:	gentoo-portage-dev@l.g.o
Cc:	Zac Medico <zmedico@g.o>
Subject:	[gentoo-portage-dev] [PATCH] _prepare_workdir: apply PORTAGE_WORKDIR_MODE to PORTAGE_BUILDDIR (bug 692492)
Date:	Sun, 15 Mar 2020 00:48:26
Message-Id:	`20200315004608.64770-1-zmedico@gentoo.org`

1	Apply secure PORTAGE_WORKDIR_MODE permissions to PORTAGE_BUILDDIR,
2	since the child directory ${D} and its children may have vulnerable
3	permissions as reported in bug 692492.
4
5	Bug: https://bugs.gentoo.org/692492
6	Signed-off-by: Zac Medico <zmedico@g.o>
7	---
8	.../package/ebuild/prepare_build_dirs.py \| 21 ++++++++++++-------
9	1 file changed, 14 insertions(+), 7 deletions(-)
10
11	diff --git a/lib/portage/package/ebuild/prepare_build_dirs.py b/lib/portage/package/ebuild/prepare_build_dirs.py
12	index c325819d1..8349d306f 100644
13	--- a/lib/portage/package/ebuild/prepare_build_dirs.py
14	+++ b/lib/portage/package/ebuild/prepare_build_dirs.py
15	@@ -1,4 +1,4 @@
16	-# Copyright 2010-2018 Gentoo Foundation
17	+# Copyright 2010-2020 Gentoo Authors
18	# Distributed under the terms of the GNU General Public License v2
19
20	from __future__ import unicode_literals
21	@@ -84,7 +84,7 @@ def prepare_build_dirs(myroot=None, settings=None, cleanup=False):
22	except PortageException:
23	if not os.path.isdir(mydir):
24	raise
25	- for dir_key in ("PORTAGE_BUILDDIR", "HOME", "PKG_LOGDIR", "T"):
26	+ for dir_key in ("HOME", "PKG_LOGDIR", "T"):
27	ensure_dirs(mysettings[dir_key], mode=0o755)
28	apply_secpass_permissions(mysettings[dir_key],
29	uid=portage_uid, gid=portage_gid)
30	@@ -272,11 +272,18 @@ def _prepare_workdir(mysettings):
31	writemsg(_("!!! Unable to parse PORTAGE_WORKDIR_MODE='%s', using %s.\n") % \
32	(mysettings["PORTAGE_WORKDIR_MODE"], oct(workdir_mode)))
33	mysettings["PORTAGE_WORKDIR_MODE"] = oct(workdir_mode).replace('o', '')
34	- try:
35	- apply_secpass_permissions(mysettings["WORKDIR"],
36	- uid=portage_uid, gid=portage_gid, mode=workdir_mode)
37	- except FileNotFound:
38	- pass # ebuild.sh will create it
39	+
40	+ permissions = {'mode': workdir_mode}
41	+ if portage.data.secpass >= 2:
42	+ permissions['uid'] = portage_uid
43	+ if portage.data.secpass >= 1:
44	+ permissions['gid'] = portage_gid
45	+
46	+ # Apply PORTAGE_WORKDIR_MODE to PORTAGE_BUILDDIR, since the child
47	+ # directory ${D} and its children may have vulnerable permissions
48	+ # as reported in bug 692492.
49	+ ensure_dirs(mysettings["PORTAGE_BUILDDIR"], **permissions)
50	+ ensure_dirs(mysettings["WORKDIR"], **permissions)
51
52	if mysettings.get("PORTAGE_LOGDIR", "") == "":
53	while "PORTAGE_LOGDIR" in mysettings:
54	--
55	2.24.1

Report Message

Find on MARC Find on Google Groups