From 460601d53039b1d1b5688a8cd58bae10fb746f57 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 15 Oct 2014 02:43:44 +0200 Subject: don't drop privileges if _apt has not enough rights MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Privilege dropping breaks download/source/changelog commands as they require the _apt user to have write permissions in the current directory, which is e.g. the case in /tmp, but not in /root, so we disable the privilege dropping if we deal with such a directory based on idea and code by Michael Vogt. The alternative would be to download always to a temp directory and move it then done, but this breaks partial file support. To resolve this, we could move to one of our partial/ directories, but this would require a lock which would block root from using two of these commands in parallel. As both seems unacceptable we instead let the user choose what to do: Either a directory is setupped for _apt, downloading as root is accepted or – which is potentially even better – an unprivileged user is used for the commands. --- apt-private/private-download.cc | 50 ++++++++++++++++++++++++++++++++++++++++- apt-private/private-download.h | 6 ++++- 2 files changed, 54 insertions(+), 2 deletions(-) (limited to 'apt-private') diff --git a/apt-private/private-download.cc b/apt-private/private-download.cc index be7d23c31..3ded9e0b9 100644 --- a/apt-private/private-download.cc +++ b/apt-private/private-download.cc @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -14,9 +15,56 @@ #include #include +#include +#include +#include +#include + #include /*}}}*/ +bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher) /*{{{*/ +{ + // no need/possibility to drop privs + if(getuid() != 0) + return true; + + // the user does not want to drop privs + std::string SandboxUser = _config->Find("APT::Sandbox::User"); + if (SandboxUser.empty()) + return true; + + struct passwd const * const pw = getpwnam(SandboxUser.c_str()); + if (pw == NULL) + return true; + + if (seteuid(pw->pw_uid) != 0) + return _error->Errno("seteuid", "seteuid %u failed", pw->pw_uid); + + bool res = true; + // check if we can write to destfile + for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); + I != Fetcher.ItemsEnd() && res == true; ++I) + { + int fd = open((*I)->DestFile.c_str(), O_CREAT | O_RDWR, 0600); + if (fd < 0) + { + res = false; + std::string msg; + strprintf(msg, _("Can't drop privileges for downloading as file '%s' couldn't be accessed by user '%s'."), + (*I)->DestFile.c_str(), SandboxUser.c_str()); + c0out << msg << std::endl; + _config->Set("APT::Sandbox::User", ""); + } + close(fd); + } + + if (seteuid(0) != 0) + return _error->Errno("seteuid", "seteuid %u failed", 0); + + return res; +} + /*}}}*/ // CheckAuth - check if each download comes form a trusted source /*{{{*/ bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser) { @@ -31,7 +79,7 @@ bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser) return AuthPrompt(UntrustedList, PromptUser); } -bool AuthPrompt(std::string UntrustedList, bool const PromptUser) +bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser) { ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,""); diff --git a/apt-private/private-download.h b/apt-private/private-download.h index a90ac7eaa..809650a97 100644 --- a/apt-private/private-download.h +++ b/apt-private/private-download.h @@ -3,14 +3,18 @@ #include +#include + class pkgAcquire; +APT_PUBLIC bool CheckDropPrivsMustBeDisabled(pkgAcquire &Fetcher); + // Check if all files in the fetcher are authenticated APT_PUBLIC bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser); // show a authentication warning prompt and return true if the system // should continue -APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser); +APT_PUBLIC bool AuthPrompt(std::string const &UntrustedList, bool const PromptUser); APT_PUBLIC bool AcquireRun(pkgAcquire &Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure); -- cgit v1.2.3