From b515fe3a0012c1f155dbf6a4199e919fec102578 Mon Sep 17 00:00:00 2001 
From: David Kalnischkies Date: Thu, 2 Jun 2016 11:12:39 +0200 Subject: apt-key: change to / before find to satisfy its CWD needs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First seen on hurd, but easily reproducible on all systems by removing the 'execution' bit from the current working directory and watching some tests (mostly the no-output expecting tests) fail due to find printing: "find: Failed to restore initial working directory: …" Samuel Thibault says in the bugreport: | To do its work, find first records the $PWD, then goes to | /etc/apt/trusted.gpg.d/ to find the files, and then goes back to $PWD. | | On Linux, getting $PWD from the 700 directory happens to work by luck | (POSIX says that getcwd can return [EACCES]: Search permission was denied | for the current directory, or read or search permission was denied for a | directory above the current directory in the file hierarchy). And going | back to $PWD fails, and thus find returns 1, but at least it emitted its | output. | | On Hurd, getting $PWD from the 700 directory fails, and find thus aborts | immediately, without emitting any output, and thus no keyring is found. | | So, to summarize, the issue is that since apt-get update runs find as a | non-root user, running it from a 700 directory breaks find. Solved as suggested by changing to '/' before running find, with some paranoia extra care taking to ensure the paths we give to find are really absolute paths first (they really should, but TMPDIR=. or a similar Dir::Etc::trustedparts setting could exist somewhere in the wild). The commit takes also the opportunity to make these lines slightly less error ignoring and the two find calls using (mostly) the same parameters. Thanks: Samuel Thibault for 'finding' the culprit! Closes: 826043 (cherry picked from commit 0cfec3ab589c6309bf284438d2148c7742cdaf10) --- cmdline/apt-key.in | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) 
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 3ed2a70ce..4f2bc916b 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -238,12 +238,9 @@ foreach_keyring_do() {
 local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
 eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)"
 if [ -d "$TRUSTEDPARTS" ]; then
- # strip / suffix as gpg will double-slash in that case (#665411)
- local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
- if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
- TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
- fi
- for trusted in $(find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -regex '^.*\.gpg$' | sort); do
+ TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
+ local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')"
+ for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
 if [ -s "$trusted" ]; then
 $ACTION "$trusted" "$@"
 fi
@@ -301,7 +298,7 @@ merge_all_trusted_keyrings_into_pubring() {
 # does the same as:
 # foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
 # but without using gpg, just cat and find
- local PUBRING="${GPGHOMEDIR}/pubring.gpg"
+ local PUBRING="$(readlink -f "${GPGHOMEDIR}/pubring.gpg")"
 # if a --keyring was given, just use this one
 if [ -n "$FORCED_KEYRING" ]; then
 if [ -s "$FORCED_KEYRING" ]; then
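Review bot: The new `local TRUSTEDPARTSLIST="$(cd /; find …)"` line hides find's exit status behind `local`, so a find that aborts (the very failure this commit works around) leaves the list empty and the loop silently runs zero actions; the same pattern is used for `PUBRING` in the next hunk, where GNU `readlink -f` fails when `$GPGHOMEDIR` does not yet exist and leaves the path empty for the later `rm -f`/`cat >` in that function. Splitting declaration from assignment keeps the status visible: `local TRUSTEDPARTSLIST` and then `TRUSTEDPARTSLIST="$(cd / && find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')" || return 1` (or whatever error path the callers expect). The removed comment was the only reference to #665411; `readlink -f` still strips the trailing slash that caused it, so a one-line note such as `# readlink -f also drops a trailing /, which gpg would otherwise double (#665411)` keeps that history. The unquoted `$(echo … | sort)` word-splitting predates this change; foreach_keyring_do continues outside the hunk.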
@@ -312,13 +309,12 @@ merge_all_trusted_keyrings_into_pubring() {
 local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
 if [ -d "$TRUSTEDPARTS" ]; then
- # ignore errors mostly for non-existing $TRUSTEDFILE
- {
- cat "$TRUSTEDFILE" || true
- for parts in $(find -L "$TRUSTEDPARTS" -type f -name '*.gpg'); do
- cat "$parts" || true
- done
- } > "$PUBRING" 2>/dev/null
+ rm -f "$PUBRING"
+ if [ -s "$TRUSTEDFILE" ]; then
+ cat "$TRUSTEDFILE" > "$PUBRING"
+ fi
+ TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
+ (cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg' -exec cat {} + >> "$PUBRING";)
 elif [ -s "$TRUSTEDFILE" ]; then
 cp --dereference "$TRUSTEDFILE" "$PUBRING"
 fi
-- 
cgit v1.2.3
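Review bot: The rewritten find drops the old `-L … -type f` filter, so a subdirectory or dangling symlink named `*.gpg` under `$TRUSTEDPARTS` now reaches `cat` and, with `2>/dev/null` gone, prints an error on every run, whereas foreach_keyring_do skips such entries with `[ -s "$trusted" ]`. Restoring the filter mirrors that behaviour while still following symlinked keyrings, which the trust-anchor directory may legitimately contain: `(cd / && find -L "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -type f -name '*.gpg' -exec cat {} + >> "$PUBRING")`. Using `cd / &&` rather than `cd /;` also keeps find from running in the original directory if the chdir ever fails. The `>> "$PUBRING"` redirect is on find itself, so the pubring is still created even when nothing matches; merge_all_trusted_keyrings_into_pubring continues outside the hunk.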