summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib
AgeCommit message (Collapse)Author
2014-10-20test if TMPDIR is accessible before usingDavid Kalnischkies
Private temporary directories as created by e.g. libpam-tmpdir are nice, but they are also very effective in preventing our priviledge dropping to work as TMPDIR will be set to a directory only root has access to, so working with it as _apt will fail. We circumvent this by extending our check for a usable TMPDIR setting by checking access rights. Closes: 765951
2014-10-15set PR_SET_NO_NEW_PRIVS even if sandbox is disabledDavid Kalnischkies
Similar to 8f45798d532223adc378a4ad9ecfc64b3be26e4f, there is no harm to set this, even if we don't drop privileges. Git-Dch: Ignore
2014-10-13Fix backward compatiblity of the new pkgAcquireMethod::DropPrivsOrDie()Michael Vogt
Do not drop privileges in the methods when using a older version of libapt that does not support the chown magic in partial/ yet. To do this DropPrivileges() now will ignore a empty Apt::Sandbox::User. Cleanup all hardcoded _apt along the way.
2014-10-08Merge remote-tracking branch 'mvo/feature/acq-trans' into debian/experimentalMichael Vogt
2014-10-07set PR_SET_NO_NEW_PRIVS also if run as non-rootDavid Kalnischkies
Changing user and co works only as root, but can do some things for methods run as normal user as well to protect them from being able to call setuid binaries like sudo to elevate their privileges. Also uses a cheap trick now to build with old unsupporting kernels.
2014-10-07fix foldmarkers in fileutl.ccDavid Kalnischkies
Git-Dch: Ignore
2014-10-07Merge remote-tracking branch 'upstream/debian/experimental' into ↵Michael Vogt
feature/acq-trans Conflicts: apt-pkg/acquire-item.cc
2014-10-07Ignore EINVAL from prctl(PR_SET_NO_NEW_PRIVS)Michael Vogt
Ignore a EINVAL error here as it means that the kernel is too old to understand this option. We should not fail hard in this case but just ignore the error. closes: 764066
2014-10-07Rename DropPrivs() to DropPrivileges()Michael Vogt
Git-Dch: ignore
2014-10-03Bump library version to libapt-pkg4.14Michael Vogt
2014-09-30support parsing of all hashes for pdiffDavid Kalnischkies
The fileformat of a pdiff index stores currently only SHA1 hashes. With this change, we look for all other hashes we support as well and take what we get, so that we can work after the release of jessie to get right of SHA1 if we want to. Note that the completely patched file is and was checked against the hashes collected from the Release file, so this transition isn't mission critical.
2014-09-30mark private methods as hiddenDavid Kalnischkies
We are the only possible users of private methods, so we are also the only users who can potentially export them via using them in inline methods. The point is: We don't need these symbols exported if we don't do this, so marking them as hidden removes some methods from the API without breaking anything as nobody could have used them. Git-Dch: Ignore
2014-09-29fix Configuration::FindVector APIDavid Kalnischkies
Git-Dch: Ignore
2014-09-29Adjust DestFile in ReverifyAfterIMS() to not include compr ExtensionMichael Vogt
2014-09-28allow options between command and -- on commandlineDavid Kalnischkies
This used to work before we implemented a stricter commandline parser and e.g. the dd-schroot-cmd command constructs commandlines like this. Reported-By: Helmut Grohne
2014-09-27fix: Consecutive return, break, continue, goto or throw statements are ↵David Kalnischkies
unnecessary. Git-Dch: Ignore Reported-By: cppcheck
2014-09-27add and use 'apt-key verify' which prefers gpgv over gpgDavid Kalnischkies
gnupg/gnupg2 can do verify just fine of course, so we don't need to use gpgv here, but it is what we always used in the past, so there might be scripts expecting a certain output and more importantly the output of apt-cdrom contains messages from gpg and even with all the settings we activate to prevent it, it still shows (in some versions) a quiet scary: "gpg: WARNING: Using untrusted key!" message. Keeping the use of gpgv is the simplest way to prevent it. We are increasing also the "Breaks: apt" version from libapt as it requires a newer apt-key than might be installed in partial upgrades.
2014-09-27add --readonly option for apt-key advDavid Kalnischkies
Some advanced commands can be executed without the keyring being modified like --verify, so this adds an option to disable the mergeback and uses it for our gpg calling code. Git-Dch: Ignore
2014-09-27use apt-key adv (+ gnupg) instead of gpgv for verifyDavid Kalnischkies
apt-key does the keyring merge as we need it, so we just call it instead of reimplementing it to do the merging before gpgv. This means we don't use gpgv anymore (we never depended on it explicitly - bad style), but it also means that the message in apt-cdrom add is a bit less friendly as it says loudly "untrusted key", but for a one-time command its okay.
2014-09-27fix: Member variable 'X' is not initialized in the constructor.David Kalnischkies
Reported-By: cppcheck Git-Dch: Ignore
2014-09-24DropPrivs: Document what it doesJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Use APT::Sandbox::User instead of Apt::User::NobodyJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Hard-fail if the user does not existJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Add some comments for the more obscure setuid/setgid functionsJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Move the re-set uid/gid thing to the end of the functionJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Improve commentsJulian Andres Klode
Git-Dch: ignore
2014-09-24DropPrivs: Also check for saved set-user-ID and set-group-IDJulian Andres Klode
2014-09-24DropPrivs: Do not use an invalid return check for setgroups()Julian Andres Klode
setgroups() returns 0 on success Git-Dch: ignore
2014-09-24Use _apt as our unprivileged user nameJulian Andres Klode
Some people want to standardize on it, and BSDs do it too, so let's do the same. Reported-by: Paul Wise <pabs@debian.org>
2014-09-24DropPriv: Really call seteuid and not setuid, and add more checksJulian Andres Klode
The only thing we are missing is non-portable saved ids support.
2014-09-24Drop Privileges to "Debian-apt" in most acquire methodsMichael Vogt
Add a new "Debian-apt" user that owns the /var/lib/apt/lists and /var/cache/apt/archive directories. The methods http, https, ftp, gpgv, gzip switch to this user when they start. Thanks to Julian and "ioerror" and tors "switch_id()" code.
2014-09-23Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/acquire-item.cc apt-pkg/acquire-item.h apt-pkg/cachefilter.h configure.ac debian/changelog
2014-09-16SECURITY UPDATE for CVE-2014-{0488,0487,0489}Michael Vogt
incorrect invalidating of unauthenticated data (CVE-2014-0488) incorect verification of 304 reply (CVE-2014-0487) incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
2014-09-12Allow override of Proxy-Auto-Detect by the users configurationMichael Vogt
Only run the Proxy-Auto-Detect code if there is not already a host specific configuration. Closes: 759264
2014-09-07strip everything spacey in APT::String::StripDavid Kalnischkies
Git-Dch: Ignore
2014-09-05Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/acquire-item.cc configure.ac debian/changelog doc/apt-verbatim.ent doc/po/apt-doc.pot doc/po/de.po doc/po/es.po doc/po/fr.po doc/po/it.po doc/po/ja.po doc/po/pt.po po/ar.po po/ast.po po/bg.po po/bs.po po/ca.po po/cs.po po/cy.po po/da.po po/de.po po/dz.po po/el.po po/es.po po/eu.po po/fi.po po/fr.po po/gl.po po/hu.po po/it.po po/ja.po po/km.po po/ko.po po/ku.po po/lt.po po/mr.po po/nb.po po/ne.po po/nl.po po/nn.po po/pl.po po/pt.po po/pt_BR.po po/ro.po po/ru.po po/sk.po po/sl.po po/sv.po po/th.po po/tl.po po/tr.po po/uk.po po/vi.po po/zh_CN.po po/zh_TW.po test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
2014-09-02Make Proxy-Auto-Detect check for each hostMichael Vogt
When doing Acquire::http{,s}::Proxy-Auto-Detect, run the auto-detect command for each host instead of only once. This should make using "proxy" from libproxy-tools feasible which can then be used for PAC style or other proxy configurations. Closes: #759264
2014-07-16StringToBool: only act if the entire string is consumed by strtol()Michael Vogt
StringToBool uses strtol() internally to check if the argument is a number. This function stops when it does not find any more numbers. So a string like "0ad" (which is a valid packagename) is interpreted as a "0". The code now checks that the entire string is consumed not just a part of it. Thanks to Johannes Schauer for raising this issue.
2014-07-08Only allow "apt-get build-dep path" when path starts with ./ or /Michael Vogt
This avoid the subtle problem that someone might have a directory with the same package name as the build-depends he/she is trying to fetch. Also print a note that the specific file/dir is used.
2014-07-08Add new Base256ToNum long long overload functionGuillem Jover
2014-06-18Merge remote-tracking branch 'donkult/debian/sid' into debian/experimentalMichael Vogt
Conflicts: apt-private/private-install.cc
2014-06-18fix SubstVar to be usable as a replace_all methodDavid Kalnischkies
The name suggests that it is supposed to substitute a variable with a value, but we tend to use it in a more liberal replace_all() fashion, but this breaks if either of the parameters is empty or more importantly if two "variable" occurrences follow each other directly.
2014-06-18Merge remote-tracking branch 'mvo/feature/drop-rights' into debian/experimentalMichael Vogt
Conflicts: apt-pkg/contrib/fileutl.cc apt-pkg/contrib/fileutl.h
2014-06-18Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: debian/changelog
2014-06-11DropPrivs in the solvers (just to be on the safe side)Michael Vogt
2014-05-30without a filename we can't stat pipesDavid Kalnischkies
EDSP code uses pipes opened via an FD as sources and later for those files modification times and filesize are read - but never really used again. The result we get from FileFd is probably wrong, but as we don't use it anyway, we just don't fallback if we have nothing to fallback to Git-Dch: Ignore
2014-05-27use free() instead of delete() when realloc is usedMichael Vogt
ContentsExtract::~ContentsExtract() needs to use free() because Data got allocated via realloc() Reported-By: clang -fsanitize=address -fno-omit-frame-pointer
2014-05-09use HashStringList in the acquire systemDavid Kalnischkies
It is not very extensible to have the supported Hashes hardcoded everywhere and especially if it is part of virtual method names. It is also possible that a method does not support the 'best' hash (yet), so we might end up not being able to verify a file even though we have a common subset of supported hashes. And those are just two of the cases in which it is handy to have a more dynamic selection. The downside is that this is a MAJOR API break, but the HashStringList has a string constructor for compatibility, so with a bit of luck the few frontends playing with the acquire system directly are okay.
2014-05-09add a simple container for HashStringsDavid Kalnischkies
APT supports more than just one HashString and even allows to enforce the usage of a specific hash. This class is intended to help with storage and passing around of the HashStrings. Git-Dch: Ignore
2014-05-08Merge remote-tracking branch 'mvo/bugfix/update-progress-reporting' into ↵Michael Vogt
debian/experimental