| Summary: | disallow access to $S/$FILESDIR in pkg_* functions | ||
|---|---|---|---|
| Product: | Portage Development | Reporter: | SpanKY <vapier> |
| Component: | Core - Ebuild Support | Assignee: | Portage team <dev-portage> |
| Status: | CONFIRMED --- | ||
| Severity: | enhancement | CC: | ansla80, basic, ciaran.mccreesh, dschridde+gentoobugs, jakub, sam |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=586416 https://bugs.gentoo.org/show_bug.cgi?id=775191 https://bugs.gentoo.org/show_bug.cgi?id=138388 https://bugs.gentoo.org/show_bug.cgi?id=197942 |
||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Nice idea. I would suggest doing the same for FILESDIR. Sounds good. conversely, if we set ROOT to like /var/tmp/portage/eat/my/balls in all src_* functions and add that path to the sandbox deny path ... Kinda relevant to this:
16:51 < ciaranm> incidentally... what i really want is a SANDBOX_WARN_READ etc
16:51 < ciaranm> so we can catch naughty ebuilds by doing SANDBOX_WARN_READ="${ROOT}" and setting ROOT to /blah/BAD_BROKEN_EBUILD_NO_COOKIE which is a symlink to /
16:52 < ferringb> ciaranm: that trick shouldn't work offhand
16:52 < ciaranm> ferringb: it won't work with sandbox the way it is currently, no
16:52 < ferringb> ciaranm: sandbox abspath's most of what it deals with.
*** Bug 170567 has been marked as a duplicate of this bug. *** (In reply to SpanKY from comment #3) > conversely, if we set ROOT to like /var/tmp/portage/eat/my/balls in all > src_* functions and add that path to the sandbox deny path ... See-Also: bug #138388 |
as a nice QA measure, we should prevent access to $S in all pkg_* functions i think a combo of first adding it to the sandbox deny path and then setting it to a non-existent path should do the trick ... unsetting it might not be so hot as something like `rm -rf "${S}"/tmp` or `rm -rf "${S}"/usr` which previously would have been ok may now have disastrous consequences ...