Commit ddd77222 authored by Arnaud Fontaine's avatar Arnaud Fontaine

Sanitize environment variables as early as possible.

For example, on Mandriva, if SECURE_TMP is enabled (in /etc/security/shell),
TMP/TMPDIR are set to $HOME/tmp. $HOME is accessible only to its owner and
group, not to the slap user, so the extends-cache temporary directory would not
be accessible after dropping privileges.
parent 98cd93b5
...@@ -70,12 +70,13 @@ class Software(object): ...@@ -70,12 +70,13 @@ class Software(object):
it. If it fails, we notify the server. it. If it fails, we notify the server.
""" """
self.logger.info("Installing software release %s..." % self.url) self.logger.info("Installing software release %s..." % self.url)
root_stat_info = os.stat(self.software_root)
os.environ = getCleanEnvironment(pwd.getpwuid(root_stat_info.st_uid).pw_dir)
if not os.path.isdir(self.software_path): if not os.path.isdir(self.software_path):
os.mkdir(self.software_path) os.mkdir(self.software_path)
extends_cache = tempfile.mkdtemp() extends_cache = tempfile.mkdtemp()
if os.getuid() == 0: if os.getuid() == 0:
# In case when running as root copy ownership, to simplify logic # In case when running as root copy ownership, to simplify logic
root_stat_info = os.stat(self.software_root)
for path in [self.software_path, extends_cache]: for path in [self.software_path, extends_cache]:
path_stat_info = os.stat(path) path_stat_info = os.stat(path)
if root_stat_info.st_uid != path_stat_info.st_uid or\ if root_stat_info.st_uid != path_stat_info.st_uid or\
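Review bot: Rebinding the name with `os.environ = getCleanEnvironment(...)` only sanitizes later subprocesses if the returned mapping is still an `os._Environ` or is passed explicitly as `env=`; if the helper returns a plain dict, the assignment never calls putenv/unsetenv, so a child spawned without `env=` still inherits the original, unsanitized environment through execvp. The `tempfile.mkdtemp()` call just below also reads TMPDIR via `tempfile.gettempdir()`, which caches its result in `tempfile.tempdir` on first use, so a sanitized TMPDIR is ignored whenever anything in this process touched tempfile earlier; adding `tempfile.tempdir = None` after the assignment, or passing an explicit `dir=` to mkdtemp, removes that dependency. `pwd.getpwuid(root_stat_info.st_uid)` raises KeyError when the owner of software_root has no passwd entry, which deserves a caught-and-reported error naming the path rather than a bare traceback. The install method continues outside the hunk.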
...@@ -200,13 +201,15 @@ class Partition(object): ...@@ -200,13 +201,15 @@ class Partition(object):
if not os.path.isdir(self.instance_path): if not os.path.isdir(self.instance_path):
raise PathDoesNotExistError('Please create partition directory %s' raise PathDoesNotExistError('Please create partition directory %s'
% self.instance_path) % self.instance_path)
permission = oct(stat.S_IMODE(os.stat(self.instance_path).st_mode)) instance_stat_info = os.stat(self.instance_path)
permission = oct(stat.S_IMODE(instance_stat_info.st_mode))
if permission != REQUIRED_COMPUTER_PARTITION_PERMISSION: if permission != REQUIRED_COMPUTER_PARTITION_PERMISSION:
raise WrongPermissionError('Wrong permissions in %s : actual ' \ raise WrongPermissionError('Wrong permissions in %s : actual ' \
'permissions are : %s, wanted ' \ 'permissions are : %s, wanted ' \
'are %s' % 'are %s' %
(self.instance_path, permission, (self.instance_path, permission,
REQUIRED_COMPUTER_PARTITION_PERMISSION)) REQUIRED_COMPUTER_PARTITION_PERMISSION))
os.environ = getCleanEnvironment(pwd.getpwuid(instance_stat_info.st_uid).pw_dir)
# Generates buildout part from template # Generates buildout part from template
# TODO how to fetch the good template? Naming conventions? # TODO how to fetch the good template? Naming conventions?
template_location = os.path.join(self.software_path, 'template.cfg') template_location = os.path.join(self.software_path, 'template.cfg')
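Review bot: The `os.environ = getCleanEnvironment(pwd.getpwuid(instance_stat_info.st_uid).pw_dir)` line replaces the environment of the whole slapgrid process with one partition owner's HOME and never restores it, so everything that runs after this method, including processing of the next partition that may belong to a different user, keeps the previous partition's environment until this line is reached again. If that is intended, say so: `# Process-wide: the clean environment is inherited by every subprocess spawned from here on.`; otherwise save the previous mapping and restore it in a try/finally, or hand the clean mapping to the spawner instead of rebinding the global. `pwd.getpwuid` also raises KeyError for an owner uid without a passwd entry, and the `oct(...)` string compared against REQUIRED_COMPUTER_PARTITION_PERMISSION is interpreter-version specific ('0750' vs '0o750'), so the check silently stops matching on a Python 3 interpreter. The enclosing method continues outside the hunk.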
...@@ -259,9 +259,7 @@ def bootstrapBuildout(path, buildout=None, ...@@ -259,9 +259,7 @@ def bootstrapBuildout(path, buildout=None,
kw.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT) kw.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process_handler = SlapPopen(invocation_list, process_handler = SlapPopen(invocation_list,
preexec_fn=lambda: dropPrivileges(uid, gid), preexec_fn=lambda: dropPrivileges(uid, gid),
cwd=path, env=getCleanEnvironment(pwd.getpwuid(uid).pw_dir), cwd=path, **kw)
**kw
)
result = process_handler.communicate()[0] result = process_handler.communicate()[0]
if console: if console:
result = 'Please consult messages above' result = 'Please consult messages above'
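Review bot: Removing the explicit `env=getCleanEnvironment(pwd.getpwuid(uid).pw_dir)` from the SlapPopen call makes the privilege-dropping child inherit whatever environment the caller left behind, so sanitization now depends on every caller of bootstrapBuildout having rebound `os.environ` first, and if that rebinding produced a plain dict rather than an `os._Environ`, execvp ignores it and the child sees the original environment. Since uid is already known here, keeping `env=getCleanEnvironment(pwd.getpwuid(uid).pw_dir)` on the call is a cheap defense-in-depth guarantee that the dropped-privilege process never starts with root's HOME, TMPDIR or PATH regardless of caller state. bootstrapBuildout begins outside the hunk.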