summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib/fileutl.cc
AgeCommit message (Collapse)Author
2015-08-13Use setresuid() and setresgid() where availableJulian Andres Klode
2015-08-13Deprecate SPtrArray<T> and convert everyone to unique_ptr<T[]>Julian Andres Klode
More standardization
2015-08-11ExecFork: Use /proc/self/fd to determine which files to closeJulian Andres Klode
This significantly reduces the number of files that have to be closed and seems to be faster, despite the additional reads. On systems where /proc/self/fd is not available, we fallback to the old code that closes all file descriptors >= 3. Closes: #764204
2015-08-10elimate duplicated code in pkgIndexFile subclassesDavid Kalnischkies
Trade deduplication of code for a bunch of new virtuals, so it is actually visible how the different indexes behave cleaning up the interface at large in the process. Git-Dch: Ignore
2015-08-10make all d-pointer * const pointersDavid Kalnischkies
Doing this disables the implicit copy assignment operator (among others) which would cause hovac if used on the classes as it would just copy the pointer, not the data the d-pointer points to. For most of the classes we don't need a copy assignment operator anyway and in many classes it was broken before as many contain a pointer of some sort. Only for our Cacheset Container interfaces we define an explicit copy assignment operator which could later be implemented to copy the data from one d-pointer to the other if we need it. Git-Dch: Ignore
2015-05-22Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/pkgcache.h debian/changelog methods/https.cc methods/server.cc test/integration/test-apt-download-progress
2015-04-28Move sysconf(_SC_OPEN_MAX); out of the for() loop to avoid unneeded syscallsMichael Vogt
2015-04-19ensure lists/ files have correct permissions after apt-cdrom addDavid Kalnischkies
Its a bit unpredictable which permissons and owners we will encounter on a CD-ROM (or a USB stick, as apt-cdrom is responsible for those too), so we have to ensure in this codepath as well that everything is nicely setup without waiting for a 'apt-get update' to fix up the (potential) mess.
2014-10-20test if TMPDIR is accessible before usingDavid Kalnischkies
Private temporary directories as created by e.g. libpam-tmpdir are nice, but they are also very effective in preventing our priviledge dropping to work as TMPDIR will be set to a directory only root has access to, so working with it as _apt will fail. We circumvent this by extending our check for a usable TMPDIR setting by checking access rights. Closes: 765951
2014-10-15set PR_SET_NO_NEW_PRIVS even if sandbox is disabledDavid Kalnischkies
Similar to 8f45798d532223adc378a4ad9ecfc64b3be26e4f, there is no harm to set this, even if we don't drop privileges. Git-Dch: Ignore
2014-10-13Fix backward compatiblity of the new pkgAcquireMethod::DropPrivsOrDie()Michael Vogt
Do not drop privileges in the methods when using a older version of libapt that does not support the chown magic in partial/ yet. To do this DropPrivileges() now will ignore a empty Apt::Sandbox::User. Cleanup all hardcoded _apt along the way.
2014-10-08Merge remote-tracking branch 'mvo/feature/acq-trans' into debian/experimentalMichael Vogt
2014-10-07set PR_SET_NO_NEW_PRIVS also if run as non-rootDavid Kalnischkies
Changing user and co works only as root, but can do some things for methods run as normal user as well to protect them from being able to call setuid binaries like sudo to elevate their privileges. Also uses a cheap trick now to build with old unsupporting kernels.
2014-10-07fix foldmarkers in fileutl.ccDavid Kalnischkies
Git-Dch: Ignore
2014-10-07Ignore EINVAL from prctl(PR_SET_NO_NEW_PRIVS)Michael Vogt
Ignore a EINVAL error here as it means that the kernel is too old to understand this option. We should not fail hard in this case but just ignore the error. closes: 764066
2014-10-07Rename DropPrivs() to DropPrivileges()Michael Vogt
Git-Dch: ignore
2014-09-29Adjust DestFile in ReverifyAfterIMS() to not include compr ExtensionMichael Vogt
2014-09-27fix: Consecutive return, break, continue, goto or throw statements are ↵David Kalnischkies
unnecessary. Git-Dch: Ignore Reported-By: cppcheck
2014-09-27fix: Member variable 'X' is not initialized in the constructor.David Kalnischkies
Reported-By: cppcheck Git-Dch: Ignore
2014-09-24DropPrivs: Use APT::Sandbox::User instead of Apt::User::NobodyJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Hard-fail if the user does not existJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Add some comments for the more obscure setuid/setgid functionsJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Move the re-set uid/gid thing to the end of the functionJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Improve commentsJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Also check for saved set-user-ID and set-group-IDJulian Andres Klode
2014-09-24DropPrivs: Do not use an invalid return check for setgroups()Julian Andres Klode
setgroups() returns 0 on success Git-Dch: ignore
2014-09-24Use _apt as our unprivileged user nameJulian Andres Klode
Some people want to standardize on it, and BSDs do it too, so let's do the same. Reported-by: Paul Wise <pabs@debian.org>
2014-09-24DropPriv: Really call seteuid and not setuid, and add more checksJulian Andres Klode
The only thing we are missing is non-portable saved ids support.
2014-09-24Drop Privileges to "Debian-apt" in most acquire methodsMichael Vogt
Add a new "Debian-apt" user that owns the /var/lib/apt/lists and /var/cache/apt/archive directories. The methods http, https, ftp, gpgv, gzip switch to this user when they start. Thanks to Julian and "ioerror" and tors "switch_id()" code.
2014-06-18Merge remote-tracking branch 'mvo/feature/drop-rights' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/contrib/fileutl.cc apt-pkg/contrib/fileutl.h
2014-06-18Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: debian/changelog
2014-06-11DropPrivs in the solvers (just to be on the safe side)Michael Vogt
2014-05-30without a filename we can't stat pipesDavid Kalnischkies
EDSP code uses pipes opened via an FD as sources and later for those files modification times and filesize are read - but never really used again. The result we get from FileFd is probably wrong, but as we don't use it anyway, we just don't fallback if we have nothing to fallback to Git-Dch: Ignore
2014-05-27use free() instead of delete() when realloc is usedMichael Vogt
ContentsExtract::~ContentsExtract() needs to use free() because Data got allocated via realloc() Reported-By: clang -fsanitize=address -fno-omit-frame-pointer
2014-05-07Merge remote-tracking branch 'mvo/feature/apt-install-deb' into ↵Michael Vogt
debian/experimental
2014-05-07Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/cachefilter.h apt-pkg/contrib/fileutl.cc apt-pkg/contrib/netrc.h apt-pkg/deb/debsrcrecords.cc apt-pkg/init.h apt-pkg/pkgcache.cc debian/apt.install.in debian/changelog
2014-04-28Merge branch 'feature/abspath' into feature/apt-install-debMichael Vogt
Conflicts: test/libapt/fileutl_test.cc
2014-04-28add flAbsPath() as a wrapper to realpath()Michael Vogt
2014-04-28Merge branch 'feature/popen' into feature/apt-install-debMichael Vogt
2014-04-28Implement Popen() execv helper to avoid popen()Michael Vogt
2014-04-28WIP local deb installMichael Vogt
2014-04-26fix FileFd::Size bitswap on big-endian architecturesAdam Conrad
gzip only gives us 32bit of size, storing it in a 64bit container and doing a 32bit flip on it has therefore unintended results. So we just go with a exact size container and let the flipping be handled by eglibc provided le32toh removing our #ifdef machinery. Closes: 745866
2014-04-16clear HitEof flag in FileFd::SeekDavid Kalnischkies
fseek and co do this to their eof-flags and it is more logic this way as we will usually seek away from the end (e.g. to re-read the file). The commit also improves the testcase further and adds a test for the binary compressor codepath (as gz, bzip2 and xz are handled by libraries) via the use of 'rev' as a 'compressor'.
2014-04-11deal with umask only if we really need to for mkstempDavid Kalnischkies
As the comment actually says: open() does the umask dance by itself, so we don't need to do it for it. We have to do it after mkstemp in Atomic though, so move it into the if. Also removes the "micro-optimisation" "FilePermissions == 600" as it doesn't trigger at the moment anyway as 600 != 0600.
2014-04-11don't double-count seeks in FileFd::Skip for bzip/xzDavid Kalnischkies
FileFd::Read already deals with the increase of the skipposition so that we as the caller in FileFd::Skip really shouldn't increase it, too.
2014-04-10improve umask/fchmod code readabilityMichael Vogt
2014-04-10Rename FileFd::Open() Perms to AccessModeMichael Vogt
Bug lp:#1304657 was caused by confusion around the name Perms. The new name AccessMode should make it clear that its not the literal file permissions but instead the AccessMode passed to open() (i.e. the umask needs to be applied)
2014-04-10Fix insecure file permissions when using FileFd with OpenMode::AtomicMichael Vogt
Commit 7335eebea6dd43581d4650a8818b06383ab89901 introduced a bug that caused FileFd to create insecure permissions when FileFd::Atomic is used. This commit fixes the permissions and adds a test. The bug is most likely caused by the confusing "Perm" parameter that is passed to Open() - its not the file permissions but intead the "mode" part of open/creat.
2014-04-01Add new Debug::RunScripts optionMichael Vogt
This debug option will display all scripts that are run by apts RunScripts and RunScriptsWithPkgs helpers.
2014-03-21continue reading in xz even if it outputs nothingDavid Kalnischkies
It can happen that content in our buffer is not enough to produce a meaningful output in which case no output is created by liblzma, but still reports that everything is okay and we should go on. The code assumes it has reached the end through if it encounters a null read, so this commit makes it so that it looks like this read was interrupted just like the lowlevel read() on uncompressed files could. It subsequently fixes the issue with that as well as until now our loop would still break even if we wanted it to continue on. (This bug triggers our usual "Hash sum mismatch" error) Reported-By: Stefan Lippers-Hollmann <s.L-H@gmx.de>