author | David Kalnischkies <david@kalnischkies.de> | 2015-08-23 13:46:35 +0200 |
---|---|---|
committer | David Kalnischkies <david@kalnischkies.de> | 2015-08-27 11:27:45 +0200 |
commit | d12561703c7776f665b68c91bddb28dea0728894 (patch) | |
tree | a6ce47161e8dfa2670fdbda7551e441203b51040 | |
parent | 3a8776a37af38127fb04565959e8e0e449eb04a4 (diff) |
use always priv-dropping for changelog download as root
First off, the temporary directory we download the changelog to needs to
be owned by _apt, but that also means that we don't need to check if we
could/should drop privs as the download happens to a dedicated tempdir
and only after that it is moved to its final location by a privileged user.
-rw-r--r-- | apt-pkg/acquire-item.cc | 4 | ||||
-rw-r--r-- | cmdline/apt-get.cc | 5 | ||||
-rwxr-xr-x | test/integration/test-apt-get-changelog | 9 |
3 files changed, 10 insertions, 8 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 26c835444..7dcaa25a4 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -2935,6 +2935,10 @@ void pkgAcqChangelog::Init(std::string const &DestDir, std::string const &DestFi return; } DestFile = TemporaryDirectory = tmpname; + + std::string SandboxUser = _config->Find("APT::Sandbox::User"); + ChangeOwnerAndPermissionOfFile("Item::QueueURI", DestFile.c_str(), + SandboxUser.c_str(), "root", 0700); } else DestFile = DestDir; diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index b1260f06a..b6150a423 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1403,10 +1403,7 @@ static bool DoChangelog(CommandLine &CmdL) if (printOnly == false) { - // Disable drop-privs if "_apt" can not write to the target dir - CheckDropPrivsMustBeDisabled(Fetcher); - if (_error->PendingError() == true) - return false; + // Note: CheckDropPrivsMustBeDisabled isn't needed here as the download happens in a dedicated tempdir bool Failed = false; if (AcquireRun(Fetcher, 0, &Failed, NULL) == false || Failed == true) diff --git a/test/integration/test-apt-get-changelog b/test/integration/test-apt-get-changelog index 5fa8543b9..6ca05d0fa 100755 --- a/test/integration/test-apt-get-changelog +++ b/test/integration/test-apt-get-changelog 
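Review bot: The result of the added `ChangeOwnerAndPermissionOfFile(...)` call is discarded, so if handing the temporary directory to the `APT::Sandbox::User` account fails, or that option is empty, Init carries on as if the sandbox user could write there. Because this commit also removes the `CheckDropPrivsMustBeDisabled` fallback in cmdline/apt-get.cc, that case would presumably only surface later as a failed download; consider testing the return value and leaving through the same early `return;` the preceding error path uses. The requester string `"Item::QueueURI"` also looks copied from another call site, and a label such as `"pkgAcqChangelog::Init"` would make any warning point at the right place. The body of `pkgAcqChangelog::Init` starts and ends outside this hunk.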
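Review bot: The replacement comment in DoChangelog should state the trust assumption it relies on, not only that the check is unnecessary. The tempdir is now owned by the sandbox user, so the privileged step that later moves the changelog to its final location is reading from a directory an unprivileged account controls. That move is not visible in this hunk, so it is worth confirming there that it accepts only a regular file and does not follow links placed in the tempdir. Suggested wording: `// No CheckDropPrivsMustBeDisabled: the fetch writes to a tempdir owned by the sandbox user; the privileged move out of it must treat the contents as untrusted`. DoChangelog continues outside the hunk.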
@@ -60,14 +60,15 @@ testsuccessequal "'http://localhost:8080/main/f/foo/foo_1.0/change.txt' foo.chan echo 'Acquire::Changelogs::URI::Label::Testcases "http://localhost:8080/pool/CHANGEPATH/changelog";' > rootdir/etc/apt/apt.conf.d/changelog.conf testsuccessequal "'http://localhost:8080/pool/main/f/foo/foo_1.0/changelog' foo.changelog" aptget changelog foo --print-uris -cd downloaded testsuccess aptget changelog foo -qq -testfileequal '../rootdir/tmp/testsuccess.output' "$(cat ../aptarchive/pool/main/f/foo/foo_1.0/changelog)" +testfileequal 'rootdir/tmp/testsuccess.output' "$(cat aptarchive/pool/main/f/foo/foo_1.0/changelog)" testsuccess aptget changelog foo libbar -qq -testfileequal '../rootdir/tmp/testsuccess.output' "$(cat ../aptarchive/pool/main/f/foo/foo_1.0/changelog) -$(cat ../aptarchive/pool/main/libb/libbar/libbar_1.0/changelog)" +testfileequal 'rootdir/tmp/testsuccess.output' "$(cat aptarchive/pool/main/f/foo/foo_1.0/changelog) +$(cat aptarchive/pool/main/libb/libbar/libbar_1.0/changelog)" + +cd downloaded testsuccess aptget changelog foo -d testfilestats 'foo.changelog' '%U:%G:%a' '=' "${TEST_DEFAULT_USER}:${TEST_DEFAULT_GROUP}:644" |