From 4d8afc4aa5bfd40f1b3ac17d29f273e16b42bdd2 Mon Sep 17 00:00:00 2001 From: Oliver Smith Date: Fri, 30 Mar 2018 21:46:31 +0000 Subject: [PATCH] Fix: /var/cache/distfiles writable by everyone (#1329) As noted in commit 255c7156244d990ff63ff73fed0e99ddcc5d9458 `/var/cache/distfiles` is writable by everyone. It is supposed to be writable only by `root` and by the `abuild` group (in which we put the `pmos` user already for building packages). Changes: * `pmb.build.init()`: make `/var/cache/distfiles` writable only by members of the `abuild` group (and root) * Increase workfolder version to 2 * Add migration code that fixes the permissions for existing work folders * Refactor the migration code a bit to make this possible --- pmb/build/init.py | 4 +++- pmb/config/__init__.py | 2 +- pmb/config/init.py | 2 +- pmb/helpers/other.py | 51 ++++++++++++++++++++++++++++++------------ 4 files changed, 42 insertions(+), 17 deletions(-) diff --git a/pmb/build/init.py b/pmb/build/init.py index bf967aa6..9a572e32 100644 --- a/pmb/build/init.py +++ b/pmb/build/init.py @@ -38,7 +38,9 @@ def init(args, suffix="native"): build=False) # Fix permissions - pmb.chroot.root(args, ["chmod", "-R", "a+rw", + pmb.chroot.root(args, ["chown", "root:abuild", + "/var/cache/distfiles"], suffix) + pmb.chroot.root(args, ["chmod", "g+w", "/var/cache/distfiles"], suffix) # Generate package signing keys diff --git a/pmb/config/__init__.py b/pmb/config/__init__.py index 39a50ee7..93ea4a6d 100644 --- a/pmb/config/__init__.py +++ b/pmb/config/__init__.py @@ -42,7 +42,7 @@ apk_tools_static_min_version = "2.9.0-r0" # Version of the work folder (as asked during 'pmbootstrap init'). Increase # this number, whenever migration is required and provide the migration code, # see migrate_work_folder()). -work_version = "1" +work_version = 2 # Only save keys to the config file, which we ask for in 'pmbootstrap init'. config_keys = ["ccache_size", "device", "extra_packages", "hostname", "jobs", 
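Review bot: `chmod g+w` in `init()` only adds the group write bit, so a `/var/cache/distfiles` that already carries `o+w` (for example one left behind by the previous `chmod -R a+rw`) stays world-writable after this call. Stating the end state explicitly would make the call self-correcting, e.g. `["chmod", "g+w,o-w", "/var/cache/distfiles"]`. Whether the directory can reach this point with `o+w` set depends on the package default and on the migration having run, neither of which is visible here, so treat this as hardening. A comment such as `# distfiles: writable by root and the abuild group only` above the two calls would record the intent; the body of `init()` starts and continues outside the hunk.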
diff --git a/pmb/config/init.py b/pmb/config/init.py index 1996e078..d7337ebd 100644 --- a/pmb/config/init.py +++ b/pmb/config/init.py @@ -57,7 +57,7 @@ def ask_for_work_path(args): if not os.path.exists(ret): os.makedirs(ret, 0o700, True) with open(ret + "/version", "w") as handle: - handle.write(pmb.config.work_version + "\n") + handle.write(str(pmb.config.work_version) + "\n") # Make sure, that we can write into it os.makedirs(ret + "/cache_http", 0o700, True) diff --git a/pmb/helpers/other.py b/pmb/helpers/other.py index 4fdf28bf..239a843e 100644 --- a/pmb/helpers/other.py +++ b/pmb/helpers/other.py @@ -79,29 +79,30 @@ def check_binfmt_misc(args): " armhf on x86_64):\n See: <" + link + ">") -def migrate_success(args): - logging.info("Migration done") +def migrate_success(args, version): + logging.info("Migration to version " + str(version) + " done") with open(args.work + "/version", "w") as handle: - handle.write(pmb.config.work_version + "\n") + handle.write(str(version) + "\n") def migrate_work_folder(args): # Read current version - current = "0" + current = 0 path = args.work + "/version" if os.path.exists(path): with open(path, "r") as f: - current = f.read().rstrip() + current = int(f.read().rstrip()) # Compare version, print warning or do nothing required = pmb.config.work_version if current == required: return logging.info("WARNING: Your work folder version needs to be migrated" - " (from version " + current + " to " + required + ")!") + " (from version " + str(current) + " to " + str(required) + + ")!") # 0 => 1 - if current == "0" and required == "1": + if current == 0: # Ask for confirmation logging.info("Changelog:") logging.info("* Building chroots have a different username: " 
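Review bot: In `migrate_work_folder()`, `current = int(f.read().rstrip())` raises an unhandled `ValueError` when the `version` file is empty or holds anything non-numeric, so the user gets a traceback instead of the migration instructions. Wrapping the read in `try:` / `except ValueError: current = -1` would route such a file to the `current != required` check that appears later in the function, which already prints the recovery steps. The function continues beyond this hunk, so the exact fallback value should be checked against the rest of the body.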
@@ -119,15 +120,37 @@ def migrate_work_folder(args): pmb.helpers.run.root(args, ["sed", "-i", "s./home/user/./home/pmos/.g", conf]) # Update version file - migrate_success(args) - return + migrate_success(args, 1) + current = 1 + + # 1 => 2 + if current == 1: + # Ask for confirmation + logging.info("Changelog:") + logging.info("* Fix: cache_distfiles was writable for everyone") + logging.info("Migration will do the following:") + logging.info("* Fix permissions of '" + args.work + + "/cache_distfiles'") + if not pmb.helpers.cli.confirm(args): + raise RuntimeError("Aborted.") + + # Fix permissions + dir = "/var/cache/distfiles" + for cmd in [["chown", "-R", "root:abuild", dir], + ["chmod", "-R", "664", dir], + ["chmod", "a+X", dir]]: + pmb.chroot.root(args, cmd) + migrate_success(args, 2) + current = 2 # Can't migrate, user must delete it - raise RuntimeError("Sorry, we can't migrate that automatically. Please run" - " 'pmbootstrap shutdown', then delete your current work" - " folder manually ('sudo rm -rf " + args.work + - "') and start over with 'pmbootstrap init'. All your" - " binary packages will be lost.") + if current != required: + raise RuntimeError("Sorry, we can't migrate that automatically. Please" + " run 'pmbootstrap shutdown', then delete your" + " current work folder manually ('sudo rm -rf " + + args.work + "') and start over with 'pmbootstrap" + " init'. All your binary packages and caches will" + " be lost.") def validate_hostname(hostname):
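Review bot: In the `1 => 2` step, `chmod -R 664` clears the execute bit on every directory below `/var/cache/distfiles`, and the following `chmod a+X` is not recursive, so only the top-level directory becomes traversable again. If the cache ever holds subdirectories they end up mode 664 and unusable even for the `abuild` group; `["chmod", "-R", "a+X", dir]` as the third command restores search permission on directories without making files executable. The loop also calls `pmb.chroot.root(args, cmd)` without a `suffix`, unlike `init()`, so it presumably relies on the default chroot and on the cache being shared between chroots, which deserves a one-line comment. `dir` shadows the builtin and a name like `distfiles` would read better; `migrate_work_folder()` begins outside this hunk.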