https://dev.gentoo.org/~ulm/pms/5/pms.html#x1-960009.1.2 "pkg_pretend must not write to the filesystem." It would be nice to have Portage QA warn when something does write to the filesystem; for example, such that bug #469210 is reproducible and/or gets caught by us. Feel free to extend this to other phases or to make it more severe or fatal; this will probably require the sandbox, so it might be severe or fatal by design.
Please consider the following foo-0.ebuild:

EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
	touch /root/foo-was-here
}

It installs fine with portage and does generate a foo-was-here file in the /root dir. Either my system is misconfigured, or the ebuilds are allowed to randomly write to the filesystem??? I have sandbox enabled in FEATURES (attaching emerge --info output). DISCLAIMER: I do not use portage on a regular basis -- paludis is my package manager of choice. I've only used portage while working on bug #469210 mentioned in comment #1, so perhaps my portage is indeed misconfigured. Could someone please verify that?
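The QA warning the report asks for, and the foo-0.ebuild above, can be demonstrated without the sandbox by snapshotting a watched tree before and after pkg_pretend runs and reporting anything the phase created, deleted or modified. The following is an added example written for this page, not Portage or paludis code: the two ebuilds are constructed, the phase runner is a simplified bash `source` with no eclass or EAPI handling, and the FAKE_ROOT variable is an assumption of the example that stands in for the real / so the check can run in a scratch directory.

```python
"""Added example, not Portage's own code: a QA check that reports filesystem
writes made by pkg_pretend by snapshotting a watched tree before and after
the phase runs. The two ebuilds and the FAKE_ROOT variable are constructed
for the demonstration."""
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed ebuild modelled on the one in the bug report: pkg_pretend
# writes a file. FAKE_ROOT (an assumption of this example) replaces the
# real / so the check is safe to run.
WRITING_EBUILD = """\
EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
    touch "${FAKE_ROOT}/root/foo-was-here"
}
"""

# Constructed spec-conforming ebuild: pkg_pretend only inspects the system.
CLEAN_EBUILD = """\
EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
    [[ -d ${FAKE_ROOT}/root ]] || echo "no /root?"
}
"""


def snapshot(root: Path) -> dict:
    """Record (inode, mtime_ns, size) of everything under root, keyed by the
    path relative to root, so creates, deletes and rewrites all show in a diff."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except FileNotFoundError:  # raced with a concurrent delete
                continue
            state[str(p.relative_to(root))] = (st.st_ino, st.st_mtime_ns, st.st_size)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify the changes between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def run_pkg_pretend(ebuild: Path, env: dict) -> subprocess.CompletedProcess:
    """Source the ebuild in bash and call pkg_pretend if it is defined: a
    simplified stand-in for a package manager's phase runner (no eclasses,
    no EAPI handling)."""
    script = (f'source "{ebuild}" || exit 1\n'
              'if declare -F pkg_pretend >/dev/null; then pkg_pretend; fi')
    return subprocess.run(["bash", "-c", script], env={**os.environ, **env},
                          capture_output=True, text=True)


def qa_check_pretend_writes(ebuild_text: str) -> dict:
    """Run pkg_pretend against a scratch FAKE_ROOT and report every path the
    phase created, deleted or modified under it. Any non-empty list is the
    QA violation the report asks Portage to warn about."""
    with tempfile.TemporaryDirectory() as fake_root, \
         tempfile.TemporaryDirectory() as workdir:
        (Path(fake_root) / "root").mkdir()
        ebuild = Path(workdir) / "foo-0.ebuild"   # kept outside the watched tree
        ebuild.write_text(ebuild_text)
        before = snapshot(Path(fake_root))
        proc = run_pkg_pretend(ebuild, {"FAKE_ROOT": fake_root})
        if proc.returncode != 0:
            raise RuntimeError(f"pkg_pretend failed: {proc.stderr.strip()}")
        after = snapshot(Path(fake_root))
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for label, text in (("writing", WRITING_EBUILD), ("clean", CLEAN_EBUILD)):
        changes = qa_check_pretend_writes(text)
        verdict = "QA violation" if any(changes.values()) else "ok"
        print(f"{label}: {verdict} {changes}")
```

A snapshot diff only detects writes after the fact; it cannot stop them, and it sees only the tree it was pointed at. That is why the thread's eventual answer is to run the phase under the sandbox with / denied, which turns the write into an access violation at the moment it is attempted.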
Created attachment 377898: emerge --info
OK, I get it, nobody cares about a potentially gaping security hole and the ebuilds being able to directly modify the filesystem. Could someone please try this ebuild then:

EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
	rm -rf /
}
(In reply to Timothy Jones from comment #3) > OK, I get it, nobody cares about a potentially gaping security hole and the > ebuilds being able to directly modify the filesystem. Ebuilds are root-equivalent. The fact that they can write to the rootfs during pkg_pretend is unfortunate (as it violates the spec) but it is not a security issue. Either you trust the ebuild or you do not. If you do not, it doesn't matter much which phase the badness is executed in. > > Could someone please try this ebuild then: > > EAPI=5 > SLOT="0" > KEYWORDS="amd64" > > pkg_pretend() { > rm -rf / > } You forgot --no-preserve-root ;) -A
(In reply to Alec Warner from comment #4)
> Ebuilds are root-equivalent. The fact that they can write to the rootfs
> during pkg_pretend is unfortunate (as it violates the spec) but it is not a
> security issue. Either you trust the ebuild or you do not. If you do not, it
> doesn't matter much which phase the badness is executed in.

Hi Alec,

Sorry, I wasn't necessarily referring to untrusted ebuilds, insofar as to buggy ones that can accidentally delete stuff on the user's machine. Perhaps my use of the word "security" was not totally accurate. But regardless, I was under the impression that FEATURES="sandbox" is supposed to protect against that. Is it not?

For example, nvidia-drivers (see bug #469210) tries to write to / in pkg_pretend, when using the paludis package manager (which detects it and throws an access violation). Fortunately for portage, this bug is cancelled out by another bug (wherein ${S} is set in pkg_pretend and points to a non-existent dir), but if it didn't, still nobody would notice.

Anyway, I don't actually use portage in my day to day use, but figured this was important enough to make it known, so that someone can fix it.

> You forgot --no-preserve-root ;)

I know. :) Didn't want some knucklehead to actually do it.
Seems like we could just add / to sandbox deny and run the code in sandbox. Is there something obvious I'm missing here?
Sandboxing the pretend phase seems reasonable to me.