Fix: /var/cache/distfiles writable by everyone (#1329)
As noted in commit 255c715624
`/var/cache/distfiles` is writable by everyone. It is supposed to be
writable only by `root` and by the `abuild` group (in which we put the
`pmos` user already for building packages).
Changes:
* `pmb.build.init()`: make `/var/cache/distfiles` writable only by
members of the `abuild` group (and root)
* Increase workfolder version to 2
* Add migration code that fixes the permissions for existing work
folders
* Refactor the migration code a bit to make this possible
This commit is contained in:
parent
40db17d775
commit
4d8afc4aa5
|
@ -38,7 +38,9 @@ def init(args, suffix="native"):
|
|||
build=False)
|
||||
|
||||
# Fix permissions
|
||||
pmb.chroot.root(args, ["chmod", "-R", "a+rw",
|
||||
pmb.chroot.root(args, ["chown", "root:abuild",
|
||||
"/var/cache/distfiles"], suffix)
|
||||
pmb.chroot.root(args, ["chmod", "g+w",
|
||||
"/var/cache/distfiles"], suffix)
|
||||
|
||||
# Generate package signing keys
|
||||
|
|
|
@ -42,7 +42,7 @@ apk_tools_static_min_version = "2.9.0-r0"
|
|||
# Version of the work folder (as asked during 'pmbootstrap init'). Increase
|
||||
# this number, whenever migration is required and provide the migration code,
|
||||
# see migrate_work_folder()).
|
||||
work_version = "1"
|
||||
work_version = 2
|
||||
|
||||
# Only save keys to the config file, which we ask for in 'pmbootstrap init'.
|
||||
config_keys = ["ccache_size", "device", "extra_packages", "hostname", "jobs",
|
||||
|
|
|
@ -57,7 +57,7 @@ def ask_for_work_path(args):
|
|||
if not os.path.exists(ret):
|
||||
os.makedirs(ret, 0o700, True)
|
||||
with open(ret + "/version", "w") as handle:
|
||||
handle.write(pmb.config.work_version + "\n")
|
||||
handle.write(str(pmb.config.work_version) + "\n")
|
||||
|
||||
# Make sure, that we can write into it
|
||||
os.makedirs(ret + "/cache_http", 0o700, True)
|
||||
|
|
|
@ -79,29 +79,30 @@ def check_binfmt_misc(args):
|
|||
" armhf on x86_64):\n See: <" + link + ">")
|
||||
|
||||
|
||||
def migrate_success(args):
|
||||
logging.info("Migration done")
|
||||
def migrate_success(args, version):
|
||||
logging.info("Migration to version " + str(version) + " done")
|
||||
with open(args.work + "/version", "w") as handle:
|
||||
handle.write(pmb.config.work_version + "\n")
|
||||
handle.write(str(version) + "\n")
|
||||
|
||||
|
||||
def migrate_work_folder(args):
|
||||
# Read current version
|
||||
current = "0"
|
||||
current = 0
|
||||
path = args.work + "/version"
|
||||
if os.path.exists(path):
|
||||
with open(path, "r") as f:
|
||||
current = f.read().rstrip()
|
||||
current = int(f.read().rstrip())
|
||||
|
||||
# Compare version, print warning or do nothing
|
||||
required = pmb.config.work_version
|
||||
if current == required:
|
||||
return
|
||||
logging.info("WARNING: Your work folder version needs to be migrated"
|
||||
" (from version " + current + " to " + required + ")!")
|
||||
" (from version " + str(current) + " to " + str(required) +
|
||||
")!")
|
||||
|
||||
# 0 => 1
|
||||
if current == "0" and required == "1":
|
||||
if current == 0:
|
||||
# Ask for confirmation
|
||||
logging.info("Changelog:")
|
||||
logging.info("* Building chroots have a different username: "
|
||||
|
@ -119,15 +120,37 @@ def migrate_work_folder(args):
|
|||
pmb.helpers.run.root(args, ["sed", "-i",
|
||||
"s./home/user/./home/pmos/.g", conf])
|
||||
# Update version file
|
||||
migrate_success(args)
|
||||
return
|
||||
migrate_success(args, 1)
|
||||
current = 1
|
||||
|
||||
# 1 => 2
|
||||
if current == 1:
|
||||
# Ask for confirmation
|
||||
logging.info("Changelog:")
|
||||
logging.info("* Fix: cache_distfiles was writable for everyone")
|
||||
logging.info("Migration will do the following:")
|
||||
logging.info("* Fix permissions of '" + args.work +
|
||||
"/cache_distfiles'")
|
||||
if not pmb.helpers.cli.confirm(args):
|
||||
raise RuntimeError("Aborted.")
|
||||
|
||||
# Fix permissions
|
||||
dir = "/var/cache/distfiles"
|
||||
for cmd in [["chown", "-R", "root:abuild", dir],
|
||||
["chmod", "-R", "664", dir],
|
||||
["chmod", "a+X", dir]]:
|
||||
pmb.chroot.root(args, cmd)
|
||||
migrate_success(args, 2)
|
||||
current = 2
|
||||
|
||||
# Can't migrate, user must delete it
|
||||
raise RuntimeError("Sorry, we can't migrate that automatically. Please run"
|
||||
" 'pmbootstrap shutdown', then delete your current work"
|
||||
" folder manually ('sudo rm -rf " + args.work +
|
||||
"') and start over with 'pmbootstrap init'. All your"
|
||||
" binary packages will be lost.")
|
||||
if current != required:
|
||||
raise RuntimeError("Sorry, we can't migrate that automatically. Please"
|
||||
" run 'pmbootstrap shutdown', then delete your"
|
||||
" current work folder manually ('sudo rm -rf " +
|
||||
args.work + "') and start over with 'pmbootstrap"
|
||||
" init'. All your binary packages and caches will"
|
||||
" be lost.")
|
||||
|
||||
|
||||
def validate_hostname(hostname):
|
||||
|
|
Loading…
Reference in New Issue