Commit 67487f94 authored by Łukasz Nowak's avatar Łukasz Nowak

Lockdown partition on PATH level.

As PATH is used to implicitly find binaries, restricting to partition's
PATH will disallow accessing any other resources.
parent ab576714
...@@ -647,8 +647,7 @@ class Recipe(BaseSlapRecipe): ...@@ -647,8 +647,7 @@ class Recipe(BaseSlapRecipe):
zope_config['products'] = '\n'.join(prefixed_products) zope_config['products'] = '\n'.join(prefixed_products)
zope_config['address'] = '%s:%s' % (ip, port) zope_config['address'] = '%s:%s' % (ip, port)
zope_config['tmp_directory'] = self.tmp_directory zope_config['tmp_directory'] = self.tmp_directory
zope_config['path'] = ':'.join([self.bin_directory] + zope_config['path'] = self.bin_directory
os.environ['PATH'].split(':'))
zope_wrapper_template_location = self.getTemplateFilename('zope.conf.in') zope_wrapper_template_location = self.getTemplateFilename('zope.conf.in')
zope_conf_content = self.substituteTemplate( zope_conf_content = self.substituteTemplate(
...@@ -837,8 +836,7 @@ SSLRandomSeed connect builtin ...@@ -837,8 +836,7 @@ SSLRandomSeed connect builtin
self.options['innobackupex_binary'], self.options['innobackupex_binary'],
'--defaults-file=%s' % mysql_conf_path, '--defaults-file=%s' % mysql_conf_path,
'--socket=%s' %mysql_conf['socket'].strip(), '--user=root'] '--socket=%s' %mysql_conf['socket'].strip(), '--user=root']
environment = dict( environment = dict(PATH='%s' % self.bin_directory)
PATH=':'.join([self.bin_directory] + os.environ['PATH'].split(':')))
innobackupex_incremental = zc.buildout.easy_install.scripts([( innobackupex_incremental = zc.buildout.easy_install.scripts([(
'innobackupex_incremental', __name__ + '.execute', 'executee')], 'innobackupex_incremental', __name__ + '.execute', 'executee')],
self.ws, sys.executable, self.bin_directory, arguments=[ self.ws, sys.executable, self.bin_directory, arguments=[
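Review bot: The new `environment = dict(PATH='%s' % self.bin_directory)` and `zope_config['path'] = self.bin_directory` only restrict lookup of binaries by bare name. Anything started through an absolute path is unaffected, and the restriction is only as strong as the write permissions on `self.bin_directory`, so the code should state that assumption. A comment above each assignment would do, e.g. `# PATH is limited to the partition's bin directory: every helper invoked by name must be linked there, and the directory must not be writable by the wrapped process`. Because `os.environ['PATH']` is no longer appended, any tool that innobackupex or Zope presumably runs by name must now exist in that directory, which is worth confirming before merge. As a style point, `'%s' % self.bin_directory` is a redundant format and can be written `dict(PATH=self.bin_directory)`. Both enclosing functions start and end outside the visible hunks.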
......