From 460601d53039b1d1b5688a8cd58bae10fb746f57 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <david@kalnischkies.de>
Date: Wed, 15 Oct 2014 02:43:44 +0200
Subject: don't drop privileges if _apt has not enough rights
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Privilege dropping breaks download/source/changelog commands as they
require the _apt user to have write permissions in the current directory,
which is e.g. the case in /tmp, but not in /root, so we disable the
privilege dropping if we deal with such a directory based on idea and
code by Michael Vogt.

The alternative would be to download always to a temp directory and move
it then done, but this breaks partial file support. To resolve this, we
could move to one of our partial/ directories, but this would require a
lock which would block root from using two of these commands in
parallel. As both seems unacceptable we instead let the user choose what
to do: Either a directory is setupped for _apt, downloading as root is
accepted or – which is potentially even better – an unprivileged user is
used for the commands.
---
 apt-private/private-download.cc | 50 ++++++++++++++++++++++++++++++++++++++++-
 apt-private/private-download.h  |  6 ++++-
 cmdline/apt-get.cc              | 19 +++++++++++-----
 cmdline/apt-helper.cc           |  5 ++++-
 4 files changed, 72 insertions(+), 8 deletions(-)

diff --git a/apt-private/private-download.cc b/apt-private/private-download.cc
index be7d23c31..3ded9e0b9 100644
--- a/apt-private/private-download.cc
+++ b/apt-private/private-download.cc
@@ -5,6 +5,7 @@
 #include <apt-pkg/acquire-item.h>
 #include <apt-pkg/configuration.h>
 #include <apt-pkg/error.h>
+#include <apt-pkg/fileutl.h>
 #include <apt-pkg/strutl.h>
 
 #include <apt-private/private-output.h>
@@ -14,9 +15,56 @@
 #include <string>
 #include <vector>
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <fcntl.h>
+
 #include <apti18n.h>
 									/*}}}*/
 
+bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher)			/*{{{*/
+{
+   // no need/possibility to drop privs
+   if(getuid() != 0)
+      return true;
+
+   // the user does not want to drop privs
+   std::string SandboxUser = _config->Find("APT::Sandbox::User");
+   if (SandboxUser.empty())
+      return true;
+
+   struct passwd const * const pw = getpwnam(SandboxUser.c_str());
+   if (pw == NULL)
+      return true;
+
+   if (seteuid(pw->pw_uid) != 0)
+      return _error->Errno("seteuid", "seteuid %u failed", pw->pw_uid);
+
+   bool res = true;
+   // check if we can write to destfile
+   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin();
+	I != Fetcher.ItemsEnd() && res == true; ++I)
+   {
+      int fd = open((*I)->DestFile.c_str(), O_CREAT | O_RDWR, 0600);
+      if (fd < 0)
+      {
+	 res = false;
+	 std::string msg;
+	 strprintf(msg, _("Can't drop privileges for downloading as file '%s' couldn't be accessed by user '%s'."),
+	       (*I)->DestFile.c_str(), SandboxUser.c_str());
+	 c0out << msg << std::endl;
+	 _config->Set("APT::Sandbox::User", "");
+      }
+      close(fd);
+   }
+
+   if (seteuid(0) != 0)
+      return _error->Errno("seteuid", "seteuid %u failed", 0);
+
+   return res;
+}
+									/*}}}*/
 // CheckAuth - check if each download comes form a trusted source	/*{{{*/
 bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
 {
@@ -31,7 +79,7 @@ bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
    return AuthPrompt(UntrustedList, PromptUser);
 }
 
-bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
+bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser)
 {
    ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
 
diff --git a/apt-private/private-download.h b/apt-private/private-download.h
index a90ac7eaa..809650a97 100644
--- a/apt-private/private-download.h
+++ b/apt-private/private-download.h
@@ -3,14 +3,18 @@
 
 #include <apt-pkg/macros.h>
 
+#include <string>
+
 class pkgAcquire;
 
+APT_PUBLIC bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher);
+
 // Check if all files in the fetcher are authenticated
 APT_PUBLIC bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser);
 
 // show a authentication warning prompt and return true if the system
 // should continue
-APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser);
+APT_PUBLIC bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser);
 
 APT_PUBLIC bool AcquireRun(pkgAcquire &Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure);
 
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 8448638db..8c0c50f83 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -676,6 +676,9 @@ static bool DoDownload(CommandLine &CmdL)
       return true;
    }
 
+   // Disable drop-privs if "_apt" can not write to the target dir
+   CheckDropPrivsMustBeDisabled(Fetcher);
+
    if (_error->PendingError() == true || CheckAuth(Fetcher, false) == false)
       return false;
 
@@ -858,10 +861,6 @@ static bool DoSource(CommandLine &CmdL)
       }
    }
 
-   // check authentication status of the source as well
-   if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
-      return false;
-   
    // Display statistics
    unsigned long long FetchBytes = Fetcher.FetchNeeded();
    unsigned long long FetchPBytes = Fetcher.PartialPresent();
@@ -908,7 +907,7 @@ static bool DoSource(CommandLine &CmdL)
 	 ioprintf(cout,_("Fetch source %s\n"),Dsc[I].Package.c_str());
       return true;
    }
-   
+
    // Just print out the uris an exit if the --print-uris flag was used
    if (_config->FindB("APT::Get::Print-URIs") == true)
    {
@@ -919,6 +918,13 @@ static bool DoSource(CommandLine &CmdL)
       return true;
    }
 
+   // Disable drop-privs if "_apt" can not write to the target dir
+   CheckDropPrivsMustBeDisabled(Fetcher);
+
+   // check authentication status of the source as well
+   if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
+      return false;
+
    // Run it
    bool Failed = false;
    if (AcquireRun(Fetcher, 0, &Failed, NULL) == false || Failed == true)
@@ -1510,6 +1516,9 @@ static bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher,
    // queue it
    new pkgAcqFile(&Fetcher, changelog_uri, "", 0, descr, Pkg.Name(), "ignored", targetfile);
 
+   // Disable drop-privs if "_apt" can not write to the target dir
+   CheckDropPrivsMustBeDisabled(Fetcher);
+
    // try downloading it, if that fails, try third-party-changelogs location
    // FIXME: Fetcher.Run() is "Continue" even if I get a 404?!?
    Fetcher.Run();
diff --git a/cmdline/apt-helper.cc b/cmdline/apt-helper.cc
index c240008aa..27abb2013 100644
--- a/cmdline/apt-helper.cc
+++ b/cmdline/apt-helper.cc
@@ -59,7 +59,10 @@ static bool DoDownloadFile(CommandLine &CmdL)
    // we use download_uri as descr and targetfile as short-descr
    new pkgAcqFile(&Fetcher, download_uri, hash, 0, download_uri, targetfile, 
                   "dest-dir-ignored", targetfile);
-   Fetcher.Run();
+
+   // Disable drop-privs if "_apt" can not write to the target dir
+   CheckDropPrivsMustBeDisabled(Fetcher);
+
    bool Failed = false;
    if (AcquireRun(Fetcher, 0, &Failed, NULL) == false || Failed == true ||
 	 FileExists(targetfile) == false)
-- 
cgit v1.2.3