-rw-r--r-- | cmdline/apt-helper.cc | 17 | ||||
-rw-r--r-- | doc/examples/configure-index | 25 | ||||
-rwxr-xr-x | test/integration/test-apt-helper | 7 |
3 files changed, 43 insertions, 6 deletions
diff --git a/cmdline/apt-helper.cc b/cmdline/apt-helper.cc
index d1a3b4e6e..beac0efba 100644
--- a/cmdline/apt-helper.cc
+++ b/cmdline/apt-helper.cc
@@ -219,6 +219,22 @@ static bool DoWaitOnline(CommandLine &)
 return _error->PendingError() == false;
 }
 /*}}}*/
+static bool DropPrivsAndRun(CommandLine &CmdL) /*{{{*/
+{
+ if (CmdL.FileSize() < 2)
+ return _error->Error("No command given to run without privileges");
+ if (DropPrivileges() == false)
+ return _error->Error("Dropping Privileges failed, not executing '%s'", CmdL.FileList[1]);
+
+ std::vector<char const *> Args;
+ Args.reserve(CmdL.FileSize() + 1);
+ for (auto a = CmdL.FileList + 1; *a != nullptr; ++a)
+ Args.push_back(*a);
+ Args.push_back(nullptr);
+ auto const pid = ExecuteProcess(Args.data());
+ return ExecWait(pid, CmdL.FileList[1]);
+}
+ /*}}}*/
 static bool ShowHelp(CommandLine &) /*{{{*/
 {
 std::cout <<
@@ -239,6 +255,7 @@ static std::vector<aptDispatchWithHelp> GetCommands() /*{{{*/
 {"cat-file", &DoCatFile, _("concatenate files, with automatic decompression")},
 {"auto-detect-proxy", &DoAutoDetectProxy, _("detect proxy using apt.conf")},
 {"wait-online", &DoWaitOnline, _("wait for system to be online")},
+ {"drop-privs", &DropPrivsAndRun, _("drop privileges before running given command")},
 {nullptr, nullptr, nullptr}};
 }
 /*}}}*/
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 9088bd844..b5a0b5657 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -533,7 +533,6 @@ Debug
 pkgAcqArchive::NoQueue "<BOOL>";
 Hashes "<BOOL>";
 APT::FtpArchive::Clean "<BOOL>";
- NoDropPrivs "<BOOL>";
 EDSP::WriteSolution "<BOOL>";
 InstallProgress::Fancy "<BOOL>";
 APT::Progress::PackageManagerFd "<BOOL>";
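Review bot: DropPrivsAndRun takes a `true` return from DropPrivileges() as sufficient to run the command, but nothing between that call and `ExecuteProcess` checks which ids the process ended up with. DropPrivileges() is defined outside this hunk; if it can return true without switching user (the `Debug::NoDropPrivs` and `APT::Sandbox::User` options listed in this commit's configure-index change suggest it can), the command runs with the caller's privileges and the helper still reports success. If callers are meant to rely on `drop-privs` as a boundary, a guard after the drop such as `if (getuid() == 0 || geteuid() == 0) return _error->Error("Still running as root, not executing '%s'", CmdL.FileList[1]);` would make that explicit. If best-effort is intended, say so above the function: `// Best effort: the command runs with unchanged ids when privilege dropping is disabled or not applicable`.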
@@ -596,6 +595,25 @@ APT::FTPArchive::release Version "<STRING>"; }; +Debug::NoDropPrivs "<BOOL>"; +APT::Sandbox +{ + User "<STRING>"; + ResetEnvironment "<BOOL>"; + Verify "<BOOL>" + { + Groups "<BOOL>"; + IDs "<BOOL>"; + Regain "<BOOL>"; + }; + seccomp "<BOOL>" + { + print "<BOOL>"; // print what syscall was trapped + allow "<LIST>"; + trap "<LIST>"; + }; +}; + // having both seems wrong dpkgpm::progress "<BOOL>"; dpkg::progress "<BOOL>"; @@ -638,11 +656,6 @@ apt::solver "<STRING>"; apt::planner "<STRING>"; apt::system "<STRING>"; apt::acquire::translation "<STRING>"; // deprecated in favor of Acquire::Languages -apt::sandbox::user "<STRING>"; -apt::sandbox::seccomp "<BOOL>"; -apt::sandbox::seccomp::print "<BOOL>"; // print what syscall was trapped -apt::sandbox::seccomp::allow "<LIST>"; -apt::sandbox::seccomp::trap "<LIST>"; apt::color::highlight "<STRING>"; apt::color::neutral "<STRING>"; diff --git a/test/integration/test-apt-helper b/test/integration/test-apt-helper index fda28968f..ae1ca7456 100755 --- a/test/integration/test-apt-helper +++ b/test/integration/test-apt-helper @@ -123,3 +123,10 @@ testfailureequal 'E: Must specify at least one SRV record' apthelper srv-lookup testfailureequal 'E: GetSrvRec failed for localhost' apthelper -q=1 srv-lookup 'localhost' testfailureequal "E: GetSrvRec failed for localhost:${APTHTTPPORT}" apthelper -q=1 srv-lookup "localhost:${APTHTTPPORT}" testfailureequal "E: GetSrvRec failed for localhost:${APTHTTPSPORT}" apthelper -q=1 srv-lookup "localhost:${APTHTTPSPORT}" + +msgmsg 'apt-helper' 'drop-privs' +testfailureequal "E: No command given to run without privileges" apthelper drop-privs +testsuccess apthelper -- drop-privs true +testsuccess apthelper drop-privs -- true +DATE="$(date -u +'%Y-%m-%d')" +testsuccessequal "$DATE" apthelper drop-privs -- date -u -d "$DATE" +'%Y-%m-%d' |
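Review bot: The new `drop-privs` cases in test-apt-helper cover a missing command and commands that succeed, but none pins that a failing child makes apt-helper fail; a line such as `testfailure apthelper drop-privs -- false` after the two `true` cases would cover the ExecWait result. The cases also cannot show that the ids actually changed, presumably because the suite runs unprivileged. A comment would record that limit: `# run as non-root here, so this checks argument handling and exec only, not the privilege drop itself`.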