Browse Source

don't drop privileges if _apt has not enough rights

Privilege dropping breaks download/source/changelog commands as they
require the _apt user to have write permissions in the current directory,
which is e.g. the case in /tmp, but not in /root, so we disable the
privilege dropping if we deal with such a directory based on idea and
code by Michael Vogt.

The alternative would be to download always to a temp directory and move
it then done, but this breaks partial file support. To resolve this, we
could move to one of our partial/ directories, but this would require a
lock which would block root from using two of these commands in
parallel. As both seems unacceptable we instead let the user choose what
to do: Either a directory is setupped for _apt, downloading as root is
accepted or – which is potentially even better – an unprivileged user is
used for the commands.
debian/1.8.y
David Kalnischkies 7 years ago
parent
commit
460601d530
  1. 50
      apt-private/private-download.cc
  2. 6
      apt-private/private-download.h
  3. 19
      cmdline/apt-get.cc
  4. 5
      cmdline/apt-helper.cc

50
apt-private/private-download.cc

@ -5,6 +5,7 @@
#include <apt-pkg/acquire-item.h>
#include <apt-pkg/configuration.h>
#include <apt-pkg/error.h>
#include <apt-pkg/fileutl.h>
#include <apt-pkg/strutl.h>
#include <apt-private/private-output.h>
@ -14,9 +15,56 @@
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <fcntl.h>
#include <apti18n.h>
/*}}}*/
bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher) /*{{{*/
{
// no need/possibility to drop privs
if(getuid() != 0)
return true;
// the user does not want to drop privs
std::string SandboxUser = _config->Find("APT::Sandbox::User");
if (SandboxUser.empty())
return true;
struct passwd const * const pw = getpwnam(SandboxUser.c_str());
if (pw == NULL)
return true;
if (seteuid(pw->pw_uid) != 0)
return _error->Errno("seteuid", "seteuid %u failed", pw->pw_uid);
bool res = true;
// check if we can write to destfile
for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin();
I != Fetcher.ItemsEnd() && res == true; ++I)
{
int fd = open((*I)->DestFile.c_str(), O_CREAT | O_RDWR, 0600);
if (fd < 0)
{
res = false;
std::string msg;
strprintf(msg, _("Can't drop privileges for downloading as file '%s' couldn't be accessed by user '%s'."),
(*I)->DestFile.c_str(), SandboxUser.c_str());
c0out << msg << std::endl;
_config->Set("APT::Sandbox::User", "");
}
close(fd);
}
if (seteuid(0) != 0)
return _error->Errno("seteuid", "seteuid %u failed", 0);
return res;
}
/*}}}*/
// CheckAuth - check if each download comes form a trusted source /*{{{*/
bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
{
@ -31,7 +79,7 @@ bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
return AuthPrompt(UntrustedList, PromptUser);
}
bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser)
{
ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");

6
apt-private/private-download.h

@ -3,14 +3,18 @@
#include <apt-pkg/macros.h>
#include <string>
class pkgAcquire;
APT_PUBLIC bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher);
// Check if all files in the fetcher are authenticated
APT_PUBLIC bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser);
// show a authentication warning prompt and return true if the system
// should continue
APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser);
APT_PUBLIC bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser);
APT_PUBLIC bool AcquireRun(pkgAcquire &Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure);

19
cmdline/apt-get.cc

@ -676,6 +676,9 @@ static bool DoDownload(CommandLine &CmdL)
return true;
}
// Disable drop-privs if "_apt" can not write to the target dir
CheckDropPrivsMustBeDisabled(Fetcher);
if (_error->PendingError() == true || CheckAuth(Fetcher, false) == false)
return false;
@ -858,10 +861,6 @@ static bool DoSource(CommandLine &CmdL)
}
}
// check authentication status of the source as well
if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
return false;
// Display statistics
unsigned long long FetchBytes = Fetcher.FetchNeeded();
unsigned long long FetchPBytes = Fetcher.PartialPresent();
@ -908,7 +907,7 @@ static bool DoSource(CommandLine &CmdL)
ioprintf(cout,_("Fetch source %s\n"),Dsc[I].Package.c_str());
return true;
}
// Just print out the uris an exit if the --print-uris flag was used
if (_config->FindB("APT::Get::Print-URIs") == true)
{
@ -919,6 +918,13 @@ static bool DoSource(CommandLine &CmdL)
return true;
}
// Disable drop-privs if "_apt" can not write to the target dir
CheckDropPrivsMustBeDisabled(Fetcher);
// check authentication status of the source as well
if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
return false;
// Run it
bool Failed = false;
if (AcquireRun(Fetcher, 0, &Failed, NULL) == false || Failed == true)
@ -1510,6 +1516,9 @@ static bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher,
// queue it
new pkgAcqFile(&Fetcher, changelog_uri, "", 0, descr, Pkg.Name(), "ignored", targetfile);
// Disable drop-privs if "_apt" can not write to the target dir
CheckDropPrivsMustBeDisabled(Fetcher);
// try downloading it, if that fails, try third-party-changelogs location
// FIXME: Fetcher.Run() is "Continue" even if I get a 404?!?
Fetcher.Run();

5
cmdline/apt-helper.cc

@ -59,7 +59,10 @@ static bool DoDownloadFile(CommandLine &CmdL)
// we use download_uri as descr and targetfile as short-descr
new pkgAcqFile(&Fetcher, download_uri, hash, 0, download_uri, targetfile,
"dest-dir-ignored", targetfile);
Fetcher.Run();
// Disable drop-privs if "_apt" can not write to the target dir
CheckDropPrivsMustBeDisabled(Fetcher);
bool Failed = false;
if (AcquireRun(Fetcher, 0, &Failed, NULL) == false || Failed == true ||
FileExists(targetfile) == false)

Loading…
Cancel
Save