Fix: /var/cache/distfiles writable by everyone (#1329)
As noted in commit 255c715624
`/var/cache/distfiles` is writable by everyone. It is supposed to be
writable only by `root` and by the `abuild` group (in which we put the
`pmos` user already for building packages).
Changes:
* `pmb.build.init()`: make `/var/cache/distfiles` writable only by
members of the `abuild` group (and root)
* Increase workfolder version to 2
* Add migration code that fixes the permissions for existing work
folders
* Refactor the migration code a bit to make this possible
This commit is contained in:
parent
40db17d775
commit
4d8afc4aa5
|
@ -38,7 +38,9 @@ def init(args, suffix="native"):
|
||||||
build=False)
|
build=False)
|
||||||
|
|
||||||
# Fix permissions
|
# Fix permissions
|
||||||
pmb.chroot.root(args, ["chmod", "-R", "a+rw",
|
pmb.chroot.root(args, ["chown", "root:abuild",
|
||||||
|
"/var/cache/distfiles"], suffix)
|
||||||
|
pmb.chroot.root(args, ["chmod", "g+w",
|
||||||
"/var/cache/distfiles"], suffix)
|
"/var/cache/distfiles"], suffix)
|
||||||
|
|
||||||
# Generate package signing keys
|
# Generate package signing keys
|
||||||
|
|
|
@ -42,7 +42,7 @@ apk_tools_static_min_version = "2.9.0-r0"
|
||||||
# Version of the work folder (as asked during 'pmbootstrap init'). Increase
|
# Version of the work folder (as asked during 'pmbootstrap init'). Increase
|
||||||
# this number, whenever migration is required and provide the migration code,
|
# this number, whenever migration is required and provide the migration code,
|
||||||
# see migrate_work_folder()).
|
# see migrate_work_folder()).
|
||||||
work_version = "1"
|
work_version = 2
|
||||||
|
|
||||||
# Only save keys to the config file, which we ask for in 'pmbootstrap init'.
|
# Only save keys to the config file, which we ask for in 'pmbootstrap init'.
|
||||||
config_keys = ["ccache_size", "device", "extra_packages", "hostname", "jobs",
|
config_keys = ["ccache_size", "device", "extra_packages", "hostname", "jobs",
|
||||||
|
|
|
@ -57,7 +57,7 @@ def ask_for_work_path(args):
|
||||||
if not os.path.exists(ret):
|
if not os.path.exists(ret):
|
||||||
os.makedirs(ret, 0o700, True)
|
os.makedirs(ret, 0o700, True)
|
||||||
with open(ret + "/version", "w") as handle:
|
with open(ret + "/version", "w") as handle:
|
||||||
handle.write(pmb.config.work_version + "\n")
|
handle.write(str(pmb.config.work_version) + "\n")
|
||||||
|
|
||||||
# Make sure, that we can write into it
|
# Make sure, that we can write into it
|
||||||
os.makedirs(ret + "/cache_http", 0o700, True)
|
os.makedirs(ret + "/cache_http", 0o700, True)
|
||||||
|
|
|
@ -79,29 +79,30 @@ def check_binfmt_misc(args):
|
||||||
" armhf on x86_64):\n See: <" + link + ">")
|
" armhf on x86_64):\n See: <" + link + ">")
|
||||||
|
|
||||||
|
|
||||||
def migrate_success(args):
|
def migrate_success(args, version):
|
||||||
logging.info("Migration done")
|
logging.info("Migration to version " + str(version) + " done")
|
||||||
with open(args.work + "/version", "w") as handle:
|
with open(args.work + "/version", "w") as handle:
|
||||||
handle.write(pmb.config.work_version + "\n")
|
handle.write(str(version) + "\n")
|
||||||
|
|
||||||
|
|
||||||
def migrate_work_folder(args):
|
def migrate_work_folder(args):
|
||||||
# Read current version
|
# Read current version
|
||||||
current = "0"
|
current = 0
|
||||||
path = args.work + "/version"
|
path = args.work + "/version"
|
||||||
if os.path.exists(path):
|
if os.path.exists(path):
|
||||||
with open(path, "r") as f:
|
with open(path, "r") as f:
|
||||||
current = f.read().rstrip()
|
current = int(f.read().rstrip())
|
||||||
|
|
||||||
# Compare version, print warning or do nothing
|
# Compare version, print warning or do nothing
|
||||||
required = pmb.config.work_version
|
required = pmb.config.work_version
|
||||||
if current == required:
|
if current == required:
|
||||||
return
|
return
|
||||||
logging.info("WARNING: Your work folder version needs to be migrated"
|
logging.info("WARNING: Your work folder version needs to be migrated"
|
||||||
" (from version " + current + " to " + required + ")!")
|
" (from version " + str(current) + " to " + str(required) +
|
||||||
|
")!")
|
||||||
|
|
||||||
# 0 => 1
|
# 0 => 1
|
||||||
if current == "0" and required == "1":
|
if current == 0:
|
||||||
# Ask for confirmation
|
# Ask for confirmation
|
||||||
logging.info("Changelog:")
|
logging.info("Changelog:")
|
||||||
logging.info("* Building chroots have a different username: "
|
logging.info("* Building chroots have a different username: "
|
||||||
|
@ -119,15 +120,37 @@ def migrate_work_folder(args):
|
||||||
pmb.helpers.run.root(args, ["sed", "-i",
|
pmb.helpers.run.root(args, ["sed", "-i",
|
||||||
"s./home/user/./home/pmos/.g", conf])
|
"s./home/user/./home/pmos/.g", conf])
|
||||||
# Update version file
|
# Update version file
|
||||||
migrate_success(args)
|
migrate_success(args, 1)
|
||||||
return
|
current = 1
|
||||||
|
|
||||||
|
# 1 => 2
|
||||||
|
if current == 1:
|
||||||
|
# Ask for confirmation
|
||||||
|
logging.info("Changelog:")
|
||||||
|
logging.info("* Fix: cache_distfiles was writable for everyone")
|
||||||
|
logging.info("Migration will do the following:")
|
||||||
|
logging.info("* Fix permissions of '" + args.work +
|
||||||
|
"/cache_distfiles'")
|
||||||
|
if not pmb.helpers.cli.confirm(args):
|
||||||
|
raise RuntimeError("Aborted.")
|
||||||
|
|
||||||
|
# Fix permissions
|
||||||
|
dir = "/var/cache/distfiles"
|
||||||
|
for cmd in [["chown", "-R", "root:abuild", dir],
|
||||||
|
["chmod", "-R", "664", dir],
|
||||||
|
["chmod", "a+X", dir]]:
|
||||||
|
pmb.chroot.root(args, cmd)
|
||||||
|
migrate_success(args, 2)
|
||||||
|
current = 2
|
||||||
|
|
||||||
# Can't migrate, user must delete it
|
# Can't migrate, user must delete it
|
||||||
raise RuntimeError("Sorry, we can't migrate that automatically. Please run"
|
if current != required:
|
||||||
" 'pmbootstrap shutdown', then delete your current work"
|
raise RuntimeError("Sorry, we can't migrate that automatically. Please"
|
||||||
" folder manually ('sudo rm -rf " + args.work +
|
" run 'pmbootstrap shutdown', then delete your"
|
||||||
"') and start over with 'pmbootstrap init'. All your"
|
" current work folder manually ('sudo rm -rf " +
|
||||||
" binary packages will be lost.")
|
args.work + "') and start over with 'pmbootstrap"
|
||||||
|
" init'. All your binary packages and caches will"
|
||||||
|
" be lost.")
|
||||||
|
|
||||||
|
|
||||||
def validate_hostname(hostname):
|
def validate_hostname(hostname):
|
||||||
|
|
Loading…
Reference in New Issue