diff options
author | Julian Andres Klode <jak@debian.org> | 2017-10-22 19:02:53 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2017-10-22 19:10:57 +0200 |
commit | 0934b6b023b46cd0e2e5fa55a23a054b2feeb618 (patch) | |
tree | 3f3e426099d9d62419084843d06a7c6bb64bc85e /apt-pkg/contrib/fileutl.cc | |
parent | 1a76517470ebc2dd3f96e39ebe6f3706d6dd78da (diff) |
Run the ProxyAutoDetect script in the sandbox again
The previous change moved running the proxy detection program from the
method to the main process, so it runs as root and not as _apt. This
brings it back into the sandbox.
Gbp-Dch: ignore
Diffstat (limited to 'apt-pkg/contrib/fileutl.cc')
-rw-r--r-- | apt-pkg/contrib/fileutl.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 72813f4c3..6cc7414b0 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -2913,6 +2913,11 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode)/ /*}}}*/ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, bool CaptureStderr)/*{{{*/ { + return Popen(Args, Fd, Child, Mode, CaptureStderr, false); +} + /*}}}*/ +bool Popen(const char *Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, bool CaptureStderr, bool Sandbox) /*{{{*/ +{ int fd; if (Mode != FileFd::ReadOnly && Mode != FileFd::WriteOnly) return _error->Error("Popen supports ReadOnly (x)or WriteOnly mode only"); @@ -2929,6 +2934,11 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, return _error->Errno("fork", "Failed to fork"); if(Child == 0) { + if (Sandbox && (getuid() == 0 || geteuid() == 0) && !DropPrivileges()) + { + _error->DumpErrors(); + _exit(1); + } if(Mode == FileFd::ReadOnly) { close(Pipe[0]); |