From 0934b6b023b46cd0e2e5fa55a23a054b2feeb618 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Sun, 22 Oct 2017 19:02:53 +0200 Subject: Run the ProxyAutoDetect script in the sandbox again The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore --- apt-pkg/contrib/fileutl.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'apt-pkg/contrib/fileutl.cc') diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 72813f4c3..6cc7414b0 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -2912,6 +2912,11 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode)/ } /*}}}*/ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, bool CaptureStderr)/*{{{*/ +{ + return Popen(Args, Fd, Child, Mode, CaptureStderr, false); +} + /*}}}*/ +bool Popen(const char *Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, bool CaptureStderr, bool Sandbox) /*{{{*/ { int fd; if (Mode != FileFd::ReadOnly && Mode != FileFd::WriteOnly) @@ -2929,6 +2934,11 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode, return _error->Errno("fork", "Failed to fork"); if(Child == 0) { + if (Sandbox && (getuid() == 0 || geteuid() == 0) && !DropPrivileges()) + { + _error->DumpErrors(); + _exit(1); + } if(Mode == FileFd::ReadOnly) { close(Pipe[0]); -- cgit v1.2.3