From 30c8107e9c56d7d78dcf9136f94aeed9d631dfb3 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 4 Nov 2015 13:19:14 +0100 Subject: drop privileges in copy:// method as we do for file:// Continueing on the track of dropping privileges in all methods, lets drop it in copy, too, as the reasoning for it is very similar to file and the interaction between the too quiet interesting as copy kinda surfed as a fallback for file not being able to read the file. Both now show a better error message as well as it was previously claiming to have a hashsum mismatch, given that it couldn't read the file. Git-Dch: Ignore --- apt-private/private-download.cc | 2 + methods/aptmethod.h | 37 +++++++++++ methods/copy.cc | 26 ++------ methods/file.cc | 29 ++++----- test/integration/test-apt-get-download | 72 ++++++++++++++-------- .../integration/test-apt-get-update-unauth-warning | 19 +----- .../test-apt-update-failure-propagation | 6 +- test/integration/test-apt-update-file | 9 ++- 8 files changed, 114 insertions(+), 86 deletions(-) create mode 100644 methods/aptmethod.h diff --git a/apt-private/private-download.cc b/apt-private/private-download.cc index dcb604f2a..40312d0c8 100644 --- a/apt-private/private-download.cc +++ b/apt-private/private-download.cc @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -224,6 +225,7 @@ bool DoDownload(CommandLine &CmdL) std::ifstream src((*I)->DestFile.c_str(), std::ios::binary); std::ofstream dst(filename.c_str(), std::ios::binary); dst << src.rdbuf(); + chmod(filename.c_str(), 0644); } } return Failed == false; diff --git a/methods/aptmethod.h b/methods/aptmethod.h new file mode 100644 index 000000000..61d7b78f1 --- /dev/null +++ b/methods/aptmethod.h 
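Review bot: The added `chmod(filename.c_str(), 0644);` in the second private-download.cc hunk discards its return value, and the stream copy on the line before it is not checked either, so a failed write or mode change still lets DoDownload report success. The hard-coded 0644 also makes the file world-readable even when the caller runs with a stricter umask; if that is intended, a comment should say so. Assuming `_error` is usable here as it is in the methods, check the call: `if (chmod(filename.c_str(), 0644) != 0) _error->Errno("chmod", "Failed to set mode of %s", filename.c_str());`. The call works on the path rather than on the descriptor just written, so it relies on the name still referring to that file. The enclosing loop of DoDownload starts outside the hunk.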
@@ -0,0 +1,37 @@ +#ifndef APT_APTMETHOD_H +#define APT_APTMETHOD_H + +#include + +#include + +class aptMethod : public pkgAcqMethod +{ + char const * const Binary; + public: + virtual bool Configuration(std::string Message) APT_OVERRIDE; + + bool CalculateHashes(FetchItem const * const Itm, FetchResult &Res) const; + + aptMethod(char const * const Binary, char const * const Ver, unsigned long const Flags) : pkgAcqMethod(Ver, Flags), Binary(Binary) {}; +}; +bool aptMethod::Configuration(std::string Message) +{ + if (pkgAcqMethod::Configuration(Message) == false) + return false; + + DropPrivsOrDie(); + + return true; +} +bool aptMethod::CalculateHashes(FetchItem const * const Itm, FetchResult &Res) const +{ + Hashes Hash(Itm->ExpectedHashes); + FileFd Fd; + if (Fd.Open(Res.Filename, FileFd::ReadOnly) == false || Hash.AddFD(Fd) == false) + return false; + Res.TakeHashes(Hash); + return true; +} + +#endif diff --git a/methods/copy.cc b/methods/copy.cc index 373ad3604..e515b2def 100644 --- a/methods/copy.cc +++ b/methods/copy.cc @@ -17,6 +17,7 @@ #include #include #include +#include "aptmethod.h" #include #include @@ -25,23 +26,14 @@ #include /*}}}*/ -class CopyMethod : public pkgAcqMethod +class CopyMethod : public aptMethod { virtual bool Fetch(FetchItem *Itm) APT_OVERRIDE; - void CalculateHashes(FetchItem const * const Itm, FetchResult &Res); - + public: - - CopyMethod() : pkgAcqMethod("1.0",SingleInstance | SendConfig) {}; -}; -void CopyMethod::CalculateHashes(FetchItem const * const Itm, FetchResult &Res) -{ - Hashes Hash(Itm->ExpectedHashes); - FileFd Fd(Res.Filename, FileFd::ReadOnly); - Hash.AddFD(Fd); - Res.TakeHashes(Hash); -} + CopyMethod() : aptMethod("copy", "1.0",SingleInstance | SendConfig) {}; +}; // CopyMethod::Fetch - Fetch a file /*{{{*/ // --------------------------------------------------------------------- 
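Review bot: `aptMethod::Configuration` and `aptMethod::CalculateHashes` are defined out of class in the new header without `inline`, so a second translation unit including aptmethod.h in the same binary would produce duplicate definitions at link time. Mark both definitions `inline` or move the bodies into the class. The `Binary` member is stored by the constructor but never read in the visible code, so a comment on what it is for would help. Since `Configuration` is now where `DropPrivsOrDie()` runs for every derived method, a comment such as `// drop root once the configuration is known; all file access after this runs unprivileged` would make the contract clear to authors of further methods.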
@@ -76,12 +68,7 @@ bool CopyMethod::Fetch(FetchItem *Itm) FileFd From(File,FileFd::ReadOnly); FileFd To(Itm->DestFile,FileFd::WriteAtomic); To.EraseOnFailure(); - if (_error->PendingError() == true) - { - To.OpFail(); - return false; - } - + // Copy the file if (CopyFile(From,To) == false) { @@ -101,7 +88,6 @@ bool CopyMethod::Fetch(FetchItem *Itm) return _error->Errno("utimes",_("Failed to set modification time")); CalculateHashes(Itm, Res); - URIDone(Res); return true; } diff --git a/methods/file.cc b/methods/file.cc index 8a087c36d..4e3410078 100644 --- a/methods/file.cc +++ b/methods/file.cc @@ -21,6 +21,7 @@ #include #include #include +#include "aptmethod.h" #include #include @@ -28,24 +29,13 @@ #include /*}}}*/ -class FileMethod : public pkgAcqMethod +class FileMethod : public aptMethod { virtual bool Fetch(FetchItem *Itm) APT_OVERRIDE; - virtual bool Configuration(std::string Message) APT_OVERRIDE; public: - - FileMethod() : pkgAcqMethod("1.0",SingleInstance | SendConfig | LocalOnly) {}; + FileMethod() : aptMethod("file", "1.0", SingleInstance | SendConfig | LocalOnly) {}; }; -bool FileMethod::Configuration(std::string Message) -{ - if (pkgAcqMethod::Configuration(Message) == false) - return false; - - DropPrivsOrDie(); - - return true; -} // FileMethod::Fetch - Fetch a file /*{{{*/ // --------------------------------------------------------------------- @@ -78,6 +68,7 @@ bool FileMethod::Fetch(FetchItem *Itm) if (Res.IMSHit != true) RemoveFile("file", Itm->DestFile); + int olderrno = 0; // See if the file exists if (stat(File.c_str(),&Buf) == 0) { @@ -92,11 +83,10 @@ bool FileMethod::Fetch(FetchItem *Itm) Res.IMSHit = true; } - Hashes Hash(Itm->ExpectedHashes); - FileFd Fd(File, FileFd::ReadOnly); - Hash.AddFD(Fd); - Res.TakeHashes(Hash); + CalculateHashes(Itm, Res); } + else + olderrno = errno; if (Res.IMSHit == false) URIStart(Res); 
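Review bot: With the `_error->PendingError()` check removed after `From` and `To` are opened, a failed open is only caught if `CopyFile(From,To)` rejects unopened descriptors, and that is not visible in this hunk. A comment above the copy, e.g. `// open errors of From/To surface through CopyFile() failing below`, would make that dependency explicit. If CopyFile does not check, an explicit `From.IsOpen() == false || To.IsOpen() == false` test is needed here. The body of CopyMethod::Fetch starts and ends outside the hunk.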
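Review bot: `CalculateHashes` now returns bool, but the call `CalculateHashes(Itm, Res);` directly before `URIDone(Res)` in copy.cc ignores the result. A file that cannot be reopened after privileges were dropped would then still be reported as done, presumably without hashes, unless a later check outside the hunk catches the pending error. Propagate the failure with `if (CalculateHashes(Itm, Res) == false) return false;`. The same unchecked call is added in methods/file.cc in the hunk at `@@ -92,11 +83,10 @@`, and both Fetch bodies continue outside their hunks.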
@@ -128,7 +118,10 @@ bool FileMethod::Fetch(FetchItem *Itm) else if (Res.Filename.empty() == false) URIDone(Res); else - return _error->Error(_("File not found")); + { + errno = olderrno; + return _error->Errno(File.c_str(), _("File not found")); + } return true; } diff --git a/test/integration/test-apt-get-download b/test/integration/test-apt-get-download index 25c8b7761..5c42c7e3c 100755 --- a/test/integration/test-apt-get-download +++ b/test/integration/test-apt-get-download @@ -12,10 +12,9 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable' buildsimplenativepackage 'apt' 'all' '2.0' 'unstable' insertinstalledpackage 'vrms' 'all' '1.0' -OLD_UMASK="$(umask)" +addtrap 'prefix' "umask $(umask);" umask 0027 setupaptarchive --no-update -umask "$OLD_UMASK" # directories should be readable by everyone find aptarchive/dists -type d | while read dir; do 
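Review bot: The new error path in FileMethod::Fetch pairs the fixed text "File not found" with whatever errno the first `stat()` left in `olderrno`. A permission failure, which is more likely now that the method drops privileges, would then be reported as "File not found - <path> (…: Permission denied)". Consider choosing the text by cause, `return _error->Errno(File.c_str(), olderrno == ENOENT ? _("File not found") : _("Failed to stat"));`, or at least add a comment that `olderrno` holds only the result of the first stat(). The code between that stat() and this branch is outside the hunks, so it cannot be told from here whether `olderrno` can still be 0 at this point.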
@@ -30,18 +29,34 @@ done find aptarchive/dists -name '*Release*' -type f | while read file; do testaccessrights "$file" '640' done - +if [ "$(id -u)" = '0' ]; then + # permission errors an everything + testfailure aptget update + + find aptarchive/dists -name '*Packages*' -type f | while read file; do + chmod 777 "$file" + done + # permission errors on Release + testwarning aptget update +fi + +#everything (too) permissive +find aptarchive/ -type f | while read file; do + chmod 777 "$file" +done +find incoming/ -type f | while read file; do + chmod 777 "$file" +done testsuccess aptget update testdownload() { - local APT="$2" - if [ -n "$3" ]; then - APT="${APT}/${3}" - fi - msgtest "Test download of package file $1 with" "$APT" - testsuccess --nomsg aptget download ${APT} -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 - testsuccess test -f "$1" - rm -f "$1" + local DEB="$1" + shift + msgtest "Test download of package file $DEB with" "$@" + testsuccess --nomsg aptget download "$@" -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 + testsuccess test -f "$DEB" + testaccessrights "$DEB" '644' + rm -f "$DEB" } # normal case as "root" @@ -60,7 +75,7 @@ OLDPWD="$(pwd)" cd downloaded # normal case(es) -testdownload apt_1.0_all.deb apt stable +testdownload apt_1.0_all.deb apt/stable testdownload apt_2.0_all.deb apt DEBFILE="$(readlink -f ../aptarchive)/pool/apt_2.0_all.deb" 
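Review bot: The permission-failure checks (`testfailure aptget update`, `testwarning aptget update`) run only inside `if [ "$(id -u)" = '0' ]`, so a non-root run passes without exercising the privilege drop this commit introduces, and the output does not say so. An `else` branch that prints a skip message would make that coverage gap visible. The comment `# permission errors an everything` should read `# permission errors on everything`. The same root-only pattern is added in test/integration/test-apt-update-file at `@@ -19,9 +19,12 @@`.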
@@ -72,30 +87,33 @@ testequal "E: Can't find a source to download version '1.0' of 'vrms:i386'" aptg # deb:736962 testsuccess aptget download apt +testsuccess test -s apt_2.0_all.deb +testaccessrights 'apt_2.0_all.deb' '644' testsuccess aptget download apt testsuccess test -s apt_2.0_all.deb +testaccessrights 'apt_2.0_all.deb' '644' rm -f apt_1.0_all.deb apt_2.0_all.deb # deb:738103 -testsuccess aptget download apt apt apt/unstable apt=2.0 -testsuccess test -s apt_2.0_all.deb +testdownload apt_2.0_all.deb apt apt apt/unstable apt=2.0 +# FIXME: pick up already downloaded deb files for real # restore "root" rights -cd "$OLDPWD" -chmod -f -R +w "$PWD/rootdir/var/cache/apt/archives" -rm -rf rootdir/var/cache/apt/archives/ +#cd "$OLDPWD" +#chmod -f -R +w "$PWD/rootdir/var/cache/apt/archives" +#rm -rf rootdir/var/cache/apt/archives/ # file: debs aren't copied to archives, so change to http which obviously are -changetowebserver -testsuccess aptget update +#changetowebserver +#testsuccess aptget update # test with already stored deb -testsuccess aptget install -d apt -testsuccess test -s rootdir/var/cache/apt/archives/apt_2.0_all.deb -testaccessrights 'aptarchive/pool/apt_2.0_all.deb' '644' -mv aptarchive/pool/apt_2.0_all.deb aptarchive/pool/apt_2.0_all.deb.gone -cd downloaded -testdownload apt_2.0_all.deb apt -cd "$OLDPWD" -mv aptarchive/pool/apt_2.0_all.deb.gone aptarchive/pool/apt_2.0_all.deb +#testsuccess aptget install -d apt +#testsuccess test -s rootdir/var/cache/apt/archives/apt_2.0_all.deb +#testaccessrights 'rootdir/var/cache/apt/archives/apt_2.0_all.deb' '644' +#mv aptarchive/pool/apt_2.0_all.deb aptarchive/pool/apt_2.0_all.deb.gone +#cd downloaded +#testdownload apt_2.0_all.deb apt +#cd "$OLDPWD" +#mv aptarchive/pool/apt_2.0_all.deb.gone aptarchive/pool/apt_2.0_all.deb diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 435828292..b247c1ba9 100755 
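Review bot: The "test with already stored deb" section is disabled by commenting out every line, and the only explanation left is `# FIXME: pick up already downloaded deb files for real`. That drops the check of the access rights on the cached .deb, which is the kind of regression this commit's permission changes could cause. The FIXME should state why the block fails with the new behaviour and what has to change before it can be re-enabled. Deleting the lines and keeping that explanation would be clearer than leaving dead test code. The `cd "$OLDPWD"` is commented out as well, so the script now ends inside `downloaded`; whether later cleanup depends on the working directory is not visible here.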
--- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -19,13 +19,14 @@ setupaptarchive --no-update APTARCHIVE="$(readlink -f ./aptarchive)" find "$APTARCHIVE/dists/unstable" -name '*Release*' -delete +echo 'Acquire::Progress::Ignore::ShowErrorText "false";' > rootdir/etc/apt/apt.conf.d/99show-no-ignore-errors.conf + # update without authenticated files leads to warning testfailureequal "Get:1 file:$APTARCHIVE unstable InRelease Ign:1 file:$APTARCHIVE unstable InRelease - File not found Get:2 file:$APTARCHIVE unstable Release Err:2 file:$APTARCHIVE unstable Release - File not found + File not found - ${APTARCHIVE}/dists/unstable/Release (2: No such file or directory) Reading package lists... E: The repository 'file:$APTARCHIVE unstable Release' does not have a Release file. N: Updating such a repository securily is impossible and therefore disabled by default. 
@@ -46,46 +47,32 @@ filesize() { #exit testwarningequal "Get:1 file:$APTARCHIVE unstable InRelease Ign:1 file:$APTARCHIVE unstable InRelease - File not found Get:2 file:$APTARCHIVE unstable Release Ign:2 file:$APTARCHIVE unstable Release - File not found Get:3 file:$APTARCHIVE unstable/main Sources Ign:3 file:$APTARCHIVE unstable/main Sources - File not found Get:4 file:$APTARCHIVE unstable/main i386 Packages Ign:4 file:$APTARCHIVE unstable/main i386 Packages - File not found Get:5 file:$APTARCHIVE unstable/main all Packages Ign:5 file:$APTARCHIVE unstable/main all Packages - File not found Get:6 file:$APTARCHIVE unstable/main Translation-en Ign:6 file:$APTARCHIVE unstable/main Translation-en - File not found Get:3 file:$APTARCHIVE unstable/main Sources Ign:3 file:$APTARCHIVE unstable/main Sources - File not found Get:4 file:$APTARCHIVE unstable/main i386 Packages Ign:4 file:$APTARCHIVE unstable/main i386 Packages - File not found Get:5 file:$APTARCHIVE unstable/main all Packages Ign:5 file:$APTARCHIVE unstable/main all Packages - File not found Get:6 file:$APTARCHIVE unstable/main Translation-en Ign:6 file:$APTARCHIVE unstable/main Translation-en - File not found Get:3 file:$APTARCHIVE unstable/main Sources Ign:3 file:$APTARCHIVE unstable/main Sources - File not found Get:4 file:$APTARCHIVE unstable/main i386 Packages Ign:4 file:$APTARCHIVE unstable/main i386 Packages - File not found Get:5 file:$APTARCHIVE unstable/main all Packages Ign:5 file:$APTARCHIVE unstable/main all Packages - File not found Get:6 file:$APTARCHIVE unstable/main Translation-en Ign:6 file:$APTARCHIVE unstable/main Translation-en - File not found Get:3 file:$APTARCHIVE unstable/main Sources [$(filesize 'Sources') B] Get:4 file:$APTARCHIVE unstable/main i386 Packages [$(filesize 'Packages' 'Architecture: i386') B] Get:5 file:$APTARCHIVE unstable/main all Packages [$(filesize 'Packages' 'Architecture: all') B] 
diff --git a/test/integration/test-apt-update-failure-propagation b/test/integration/test-apt-update-failure-propagation index eda9cff99..f144e9968 100755 --- a/test/integration/test-apt-update-failure-propagation +++ b/test/integration/test-apt-update-failure-propagation @@ -87,6 +87,8 @@ for FILE in rootdir/etc/apt/sources.list.d/*-stable-* ; do # lets see how many testservers run also Doom sed -i -e "s#:${APTHTTPSPORT}/#:666/#" "$FILE" done -testwarningmsg "W: Failed to fetch https://localhost:666/dists/stable/InRelease Failed to connect to localhost port 666: Connection refused -W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update +testwarning aptget update +testequalor2 "W: Failed to fetch https://localhost:666/dists/stable/InRelease Failed to connect to localhost port 666: Connection refused +W: Some index files failed to download. They have been ignored, or old ones used instead." "W: Failed to fetch https://localhost:666/dists/stable/InRelease couldn't connect to host +W: Some index files failed to download. They have been ignored, or old ones used instead." tail -n 2 rootdir/tmp/testwarning.output posttest diff --git a/test/integration/test-apt-update-file b/test/integration/test-apt-update-file index c6e07f8b6..04e26a8f4 100755 --- a/test/integration/test-apt-update-file +++ b/test/integration/test-apt-update-file @@ -19,9 +19,12 @@ insertsource 'unstable' 'foo' 'all' '1' setupaptarchive --no-update # ensure the archive is not writable -addtrap 'prefix' 'chmod 750 aptarchive/dists/unstable/main/binary-all;' -chmod 550 aptarchive/dists/unstable/main/binary-all - +addtrap 'prefix' 'chmod 755 aptarchive/dists/unstable/main/binary-all;' +if [ "$(id -u)" = '0' ]; then + chmod 550 aptarchive/dists/unstable/main/binary-all + testfailure aptget update +fi +chmod 555 aptarchive/dists/unstable/main/binary-all testsuccess aptget update # the release files aren't an IMS-hit, but the indexes are -- cgit v1.2.3