| 1 |
Must be old age setting in :( |
| 2 |
|
| 3 |
Thanks, |
| 4 |
|
| 5 |
-A |
| 6 |
|
| 7 |
On Fri, Sep 8, 2017 at 2:54 PM, Michał Górny <mgorny@g.o> wrote: |
| 8 |
|
| 9 |
> W dniu pią, 08.09.2017 o godzinie 14∶48 -0400, użytkownik Alec Warner |
| 10 |
> napisał: |
| 11 |
> > Why PATH=/dev/null vs export PATH="" |
| 12 |
> |
| 13 |
> + # note: we can't use empty because it implies current directory |
| 14 |
> |
| 15 |
> > |
| 16 |
> > On Thu, Sep 7, 2017 at 3:36 AM, Michał Górny <mgorny@g.o> wrote: |
| 17 |
> > |
| 18 |
> > > Dnia 31 sierpnia 2017 22:45:42 CEST, "Michał Górny" <mgorny@g.o |
| 19 |
> > |
| 20 |
> > > napisał(a): |
| 21 |
> > > > Set PATH to /dev/null when sourcing the ebuild for dependency |
| 22 |
> > > > resolution |
| 23 |
> > > > in order to prevent shell from finding external commands via PATH |
| 24 |
> > > > lookup. While this does not prevent executing programs via full path, |
| 25 |
> > > > it |
| 26 |
> > > > should catch the majority of accidental uses. |
| 27 |
> > > > |
| 28 |
> > > > Closes: https://github.com/gentoo/portage/pull/199 |
| 29 |
> > > > |
| 30 |
> > > > // Note: this can't be merged right now since we still have ebuilds |
| 31 |
> > > > // calling external commands; see: |
| 32 |
> > > > // https://bugs.gentoo.org/show_bug.cgi?id=629222 |
| 33 |
> > > |
| 34 |
> > > Update: gentoo is green now |
| 35 |
> > > |
| 36 |
> > > > --- |
| 37 |
> > > > bin/ebuild.sh | 6 +++++- |
| 38 |
> > > > bin/isolated-functions.sh | 4 ++++ |
| 39 |
> > > > 2 files changed, 9 insertions(+), 1 deletion(-) |
| 40 |
> > > > |
| 41 |
> > > > diff --git a/bin/ebuild.sh b/bin/ebuild.sh |
| 42 |
> > > > index c23561651..94a44d534 100755 |
| 43 |
> > > > --- a/bin/ebuild.sh |
| 44 |
> > > > +++ b/bin/ebuild.sh |
| 45 |
> > > > @@ -80,8 +80,12 @@ else |
| 46 |
> > > > done |
| 47 |
> > > > unset funcs x |
| 48 |
> > > > |
| 49 |
> > > > + # prevent the shell from finding external executables |
| 50 |
> > > > + # note: we can't use empty because it implies current |
| 51 |
> directory |
| 52 |
> > > > + _PORTAGE_ORIG_PATH=${PATH} |
| 53 |
> > > > + export PATH=/dev/null |
| 54 |
> > > > command_not_found_handle() { |
| 55 |
> > > > - die "Command not found while sourcing ebuild: ${*}" |
| 56 |
> > > > + die "External commands disallowed while sourcing |
| 57 |
> ebuild: |
| 58 |
> > > |
| 59 |
> > > ${*}" |
| 60 |
> > > > } |
| 61 |
> > > > fi |
| 62 |
> > > > |
| 63 |
> > > > diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh |
| 64 |
> > > > index e320f7132..b28e44f18 100644 |
| 65 |
> > > > --- a/bin/isolated-functions.sh |
| 66 |
> > > > +++ b/bin/isolated-functions.sh |
| 67 |
> > > > @@ -121,6 +121,10 @@ __helpers_die() { |
| 68 |
> > > > } |
| 69 |
> > > > |
| 70 |
> > > > die() { |
| 71 |
> > > > + # restore PATH since die calls basename & sed |
| 72 |
> > > > + # TODO: make it pure bash |
| 73 |
> > > > + [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH} |
| 74 |
> > > > + |
| 75 |
> > > > set +x # tracing only produces useless noise here |
| 76 |
> > > > local IFS=$' \t\n' |
| 77 |
> > > > |
| 78 |
> > > |
| 79 |
> > > |
| 80 |
> > > -- |
| 81 |
> > > Best regards, |
| 82 |
> > > Michał Górny (by phone) |
| 83 |
> > > |
| 84 |
> > > |
| 85 |
> |
| 86 |
> -- |
| 87 |
> Best regards, |
| 88 |
> Michał Górny |
| 89 |
> |
| 90 |
> |
| 91 |
> |
Archives