test if TMPDIR is accessible before using

Private temporary directories as created by e.g. libpam-tmpdir are nice,
but they are also very effective in preventing our priviledge dropping
to work as TMPDIR will be set to a directory only root has access to, so
working with it as _apt will fail. We circumvent this by extending our
check for a usable TMPDIR setting by checking access rights.

Closes: 765951

5 files changed, 24 insertions, 6 deletions

diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index c51eee737..47033eadf 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -2066,9 +2066,11 @@ std::string GetTempDir()						/*{{{*/
       tmpdir = P_tmpdir;
 #endif
 
-   // check that tmpdir is set and exists
    struct stat st;
-   if (!tmpdir || strlen(tmpdir) == 0 || stat(tmpdir, &st) != 0)
+   if (!tmpdir || strlen(tmpdir) == 0 || // tmpdir is set
+	 stat(tmpdir, &st) != 0 || (st.st_mode & S_IFDIR) == 0 || // exists and is directory
+	 access(tmpdir, R_OK | W_OK | X_OK) != 0 // current user has rwx access to directory
+      )
       tmpdir = "/tmp";
 
    return string(tmpdir);
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 7a3852ee8..cf0b9a96f 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -384,8 +384,12 @@ if [ "$command" != "help" ]; then
 
     # gpg needs (in different versions more or less) files to function correctly,
     # so we give it its own homedir and generate some valid content for it
-    if [ ! -d "$TMPDIR" ]; then
-        unset TMPDIR
+    if [ -n "$TMPDIR" ]; then
+       # tmpdir is a directory and current user has rwx access to it
+       # same tests as in apt-pkg/contrib/fileutl.cc GetTempDir()
+       if [ ! -d "$TMPDIR" ] || [ ! -r "$TMPDIR" ] || [ ! -w "$TMPDIR" ] || [ ! -x "$TMPDIR" ]; then
+	  unset TMPDIR
+       fi
     fi
     GPGHOMEDIR="$(mktemp -d)"
     CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
diff --git a/test/integration/framework b/test/integration/framework
index 9ce300d55..d576712e5 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -176,6 +176,10 @@ addtrap() {
 }
 
 setupenvironment() {
+	# privilege dropping and testing doesn't work if /tmp isn't world-writeable (as e.g. with libpam-tmpdir)
+	if [ -n "$TMPDIR" ] && [ "$(id -u)" = '0' ] && [ "$(stat --format '%a' "$TMPDIR")" != '1777' ]; then
+		unset TMPDIR
+	fi
 	TMPWORKINGDIRECTORY=$(mktemp -d)
 	addtrap "cd /; rm -rf $TMPWORKINGDIRECTORY;"
 	msgninfo "Preparing environment for ${CCMD}$(basename $0)${CINFO} in ${TMPWORKINGDIRECTORY}… "
diff --git a/test/integration/test-bug-604401-files-are-directories b/test/integration/test-bug-604401-files-are-directories
index e6913edcf..fe0ccc783 100755
--- a/test/integration/test-bug-604401-files-are-directories
+++ b/test/integration/test-bug-604401-files-are-directories
@@ -57,7 +57,7 @@ echo 'Package: apt
 Pin: release a=now
 Pin-Value: 1000' > rootdir/etc/apt/good-link.pref
 ln -s rootdir/etc/apt/good-link.pref rootdir/etc/apt/preferences
-test -n "$(aptcache policy | grep 1000)" && msgfail || msgpass
+test -n "$(aptcache policy | grep '1000 ')" && msgfail || msgpass
 rm rootdir/etc/apt/preferences
 
 msgtest "Broken link instead of a file as preferences ignored"
diff --git a/test/libapt/fileutl_test.cc b/test/libapt/fileutl_test.cc
index cdf7ea479..8d47c5098 100644
--- a/test/libapt/fileutl_test.cc
+++ b/test/libapt/fileutl_test.cc
@@ -217,8 +217,16 @@ TEST(FileUtlTest, GetTempDir)
    setenv("TMPDIR", "/not-there-no-really-not", 1);
    EXPECT_EQ("/tmp", GetTempDir());
 
+   // here but not accessible for non-roots
    setenv("TMPDIR", "/usr", 1);
-   EXPECT_EQ("/usr", GetTempDir());
+   EXPECT_EQ("/tmp", GetTempDir());
+
+   // files are no good for tmpdirs, too
+   setenv("TMPDIR", "/dev/null", 1);
+   EXPECT_EQ("/tmp", GetTempDir());
+
+   setenv("TMPDIR", "/var/tmp", 1);
+   EXPECT_EQ("/var/tmp", GetTempDir());
 
    unsetenv("TMPDIR");
    if (old_tmpdir.empty() == false)