| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Git-Dch: Ignore
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
partial files are chowned by the Item baseclass to let the methods work
with them. Now, this baseclass is also responsible for chowning the
files back to root instead of having various deeper levels do this.
The consequence is that all overloaded Failed() methods now call the
Item::Failed base as their first step. The same is done for Done().
The effect is that even in partial files usually don't belong to
_apt anymore, helping sneakernets and reducing possibilities of a bad
method modifying files not belonging to them.
The change is supported by the framework not only supporting being run
as root, but with proper permission management, too, so that privilege
dropping can be tested with them.
|
| |
|
|
| |
Git-Dch: Ignore
|
| |
|
|
|
| |
Ensure in SetupAPTPartialDirectory() that the /etc/apt/auth.conf file
can be read by the priv sep apt methods.
|
| |
|
|
|
| |
If the methods drop privileges we need to ensure that
/etc/apt/apt.conf is still readable by the _apt user.
|
| |
|
|
|
|
|
|
|
|
| |
Private temporary directories as created by e.g. libpam-tmpdir are nice,
but they are also very effective in preventing our priviledge dropping
to work as TMPDIR will be set to a directory only root has access to, so
working with it as _apt will fail. We circumvent this by extending our
check for a usable TMPDIR setting by checking access rights.
Closes: 765951
|
| |
|
|
|
|
|
|
|
|
| |
Adds a new testwarning which tests for zero exit and the presents of a
warning in the output, failing if either is not the case or if an error
is found, too. This allows us to change testsuccess to accept only
totally successful executions (= without warnings) which should help
finding regressions.
Git-Dch: Ignore
|
| |
|
|
|
|
|
|
| |
These functions check the exit code of the command, but for apt commands
we can go further and require an error message for non-zero exits and
none for zero exits.
Git-Dch: Ignore
|
| |
|
|
| |
Git-Dch: Ignore
|
| |
|
|
| |
Git-Dch: Ignore
|
| |
|
|
|
|
|
|
| |
Adds some infrastructure to run tests automatically for certain
commands. The first command being 'apt-get update' (and 'apt update')
which check for correct permission and owner of the files in lists/.
Git-Dch: Ignore
|
| |
|
|
|
|
|
|
|
|
| |
If we get an IMS hit for an InRelease file we use the file we already
have and pass it into reverification, but this changes the permissions
and on abort of the transaction they weren't switched back.
This is now done, additionally, every file in partial which hasn't
failed gets permission and owner changed for root access as well, as it
is very well possible that the next invocation will (re)use these files.
|
| |
|
|
|
|
|
|
|
|
| |
Transactions are run and completed from multiple places, so it happens
for unsigned repos that the Release file was commited even if it was
previously aborted (due to --no-allow-insecure-repositories). The reason
is simply that the "failure" of getting an InRelease/Release.gpg is
currently ignored, so that the acquire process believes that nothing bad
happened and commits the transaction even though the same transaction
was previously aborted.
|
| |
|
|
|
|
|
| |
Refactors a bit to ensure the same message is used in all three cases as
well.
Git-Dch: Ignore
|
| |
|
|
|
|
|
|
| |
The conversion to accept only relevant options for commands has
forgotten another one, so adding it again even through the usecase might
very well be equally good served by --print-uris.
Closes: 742578
|
| | |
|
| |
|
|
|
|
| |
We do not support compressed indexes for cdrom sources as we rewrite
some of them, so supporting it correctly could be hard. What we do
instead in the meantime is probably disabling it for cdrom sources.
|
| |\
| |
| |
| |
| |
| |
| |
| | |
The acquire code changed completely, so this is more an import of the
testcase and a new fix than the merge of an existent fix.
Conflicts:
apt-pkg/acquire-item.cc
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Regression from merging 801745284905e7962aa77a9f37a6b4e7fcdc19d0 and
b0f4b486e6850c5f98520ccf19da71d0ed748ae4. While fine by itself, merged
the part fixing the filename is skipped if a cdrom source is
encountered, so that our list-cleanup removes what seems to be orphaned
files.
Closes: 765458
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We are checking the space requirements for ages, but the check uses the
free blocks count, which includes the blocks reserved for usage by root.
Now that we use an unprivileged user it has no access to these blocks
anymore – and more importantly these blocks are a reserve, they
shouldn't be used by apt without special encouragement by the user as it
would be bad to have dpkg run out of diskspace and maintainerscripts
like man-db skip certain actions if not enough space is available
freely.
|
| | |
| |
| |
| |
| |
| |
| | |
Similar to 8f45798d532223adc378a4ad9ecfc64b3be26e4f, there is no harm to
set this, even if we don't drop privileges.
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| |
| | |
Running the testcases is usually not a good idea, but it can be handy to
check if the privilege dropping works.
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Privilege dropping breaks download/source/changelog commands as they
require the _apt user to have write permissions in the current directory,
which is e.g. the case in /tmp, but not in /root, so we disable the
privilege dropping if we deal with such a directory based on idea and
code by Michael Vogt.
The alternative would be to download always to a temp directory and move
it then done, but this breaks partial file support. To resolve this, we
could move to one of our partial/ directories, but this would require a
lock which would block root from using two of these commands in
parallel. As both seems unacceptable we instead let the user choose what
to do: Either a directory is setupped for _apt, downloading as root is
accepted or – which is potentially even better – an unprivileged user is
used for the commands.
|
| | |
| |
| |
| |
| |
| |
| | |
Add a new configallowinsecurerepositories that controls the value
of Acquire::AllowInsecureRepositories for the tests. Set it to
"false" for most of the testsuite and only enable it where its
really needed. We want to switch the default for this post-jessie.
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove long obsolete (hold, hold-reinstreq, removal-failed) or just
wrong (post-inst-failed vs postinst-failed) values, that have been
autoconverted by dpkg at run-time to their new equivalents, so there
should not be any such instance in any recent system (removal-failed
since dpkg 1.1.4 in Apr 1996, hold and hold-reinstreq since dpkg
1.2.0 in May 1996). dpkg even stopped doing the mapping in 1.15.4
and 1.15.8 respectively.
At the same time sort the list in the same order as they appear in
the dpkg code.
|
| | |
| |
| |
| |
| |
| |
| | |
Instead of using strcat use a C++ std::string to avoid overflowing
this buffer. Thanks to David Garfield
Closes: #76442
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
This change is made for backward compatiblity and should be reverted
once jessie is out.
|
| | |
| |
| |
| | |
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The constructor is calling the baseclass pkgAcqIndex which does this
already – and also does it correctly for compressed files which would
overwise lead to the size of uncompressed files to be expected.
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| | |
I am pretty sure I did that before committing broken stuff…
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Do not drop privileges in the methods when using a older version of
libapt that does not support the chown magic in partial/ yet. To
do this DropPrivileges() now will ignore a empty Apt::Sandbox::User.
Cleanup all hardcoded _apt along the way.
|
| | |
| |
| |
| |
| |
| |
| | |
Acquire{MaxReleaseFileSize,AllowInsecureRepositories,AllowDowngradeToInsecureRepositories} and --no-allow-insecure-repositories
Document the new options to restrict loading unauthenticated data
into our parsers.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Do not require a special flag to be present to update trusted=yes
sources as this flag in the sources.list is obviously special enough.
Note that this is just disabling the error message, the user will still
be warned about all the (possible) failures the repository generated, it
is just triggering the acceptance of the warnings on a source-by-source
level.
Similarily, the trusted=no flag doesn't require the user to pass
additional flags to update, if the repository looks fine in the view of
apt it will update just fine. The unauthenticated warnings will "just" be
presented then the data is used.
In case you wonder: Both was the behavior in previous versions, too.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Reimplementing an inline method is opening a can of worms we don't want
to open if we ever want to us a d-pointer in those classes, so we do the
only thing which can save us from hell: move the destructors into the cc
sources and we are good.
Technically not an ABI break as the methods inline or not do the same
(nothing), so a program compiled against the old version still works
with the new version (beside that this version is still in experimental,
so nothing really has been build against this library anyway).
Git-Dch: Ignore
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The same message is used for InRelease if fails in gpgv, but the
Release/Release.gpg duo needs to handle the failing download case as
well (InRelease just defers to the duo if download fails) and print a
message accompaning the insecure error to provide a hint on what is
going on.
|
| | |
| |
| |
| |
| |
| |
| | |
Not using this option, but using unsigned (and co) repositories will
cause these repositories to be ignored and data acquiring from them
fails, so this is very well in the realms of an error and helps in
making 'apt-get update' fail with a non-zero error code as well.
|
| | |
| |
| |
| |
| |
| |
| | |
Looks like a leftover from debugging. Absolutely no need for it and
destroys progess reporting completely.
Closes: 764737
|
| | |
| |
| |
| |
| |
| |
| | |
This fixes a race that we see in travis when two copy operations
finish at about the same time but the bad one first. This lead to
a rename of the good one and triggers a error when apt tries to
verify the good version but can no longer find it.
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Git-Dch: ignore
|
| | |
| |
| |
| |
| | |
The code was using FinalFile before but we only test the existance
of DestFile so we use that instead.
|
| |\|
| |
| |
| |
| | |
Conflicts:
debian/changelog
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The code is creating a secure temporary directory, but then creates
the changelog alongside the tmpdir in the same base directory. This
defeats the secure tmpdir creation, making the filename predictable.
Inject a '/' between the tmpdir and the changelog filename.
|
