New version of mock working (I think)
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Thu Jun 22 09:30:57 UTC 2006
williams at redhat.com (Clark Williams) writes:
> if os.path.exists(self.basedir):
> cmd = '%s -rf %s' % (self.config['rm'], self.basedir)
wouldn't it be better to do such things with native syscalls instead of
invoking a command? You will never get this implemented race-free with
shell commands.
>
> def pack(self):
> self.state('create cache')
> self._ensure_dir(os.path.join(self.config['basedir'], self.config['cache_topdir']))
This seems to open an attack vector; attacker could create the
cache_topdir (basedir is writable by mock group) and create e.g. a
cache.tar -> /etc/nologin symlink.
Perhaps it suffices to remove group write-permissions from basedir. The
cleaner way would be to open the cache_file in a safe way and give only
the fd to tar. (ditto for unpack).
> self.debug("mounting proc in %s" % procdir)
> - command = '%s -t proc proc %s/proc' % (self.config['mount'],
> + command = '%s -n -t proc proc %s/proc' % (self.config['mount'],
> self.rootdir)
See below...
> track.flush()
>
> if retval != 0:
> @@ -427,9 +459,9 @@
> devptsdir = os.path.join(self.rootdir, 'dev/pts')
When you are about to increase security, you should fix such beginner
errors too. 'chroot' does not mean "prepend a path", but "change /".
> self._ensure_dir(devptsdir)
> self.debug("mounting devpts in %s" % devptsdir)
> - command = '%s -t devpts devpts %s' % (self.config['mount'], devptsdir)
> + command = '%s -n -t devpts devpts %s' % (self.config['mount'], devptsdir)
There is no reason to do this kind of mounting with the mount(8) shell
command. mount(2) is a much better (and easier) way.
> item = '%s/%s' % (self.rootdir, path)
> command = '%s %s' % (self.config['umount'], item)
There is no reason for explicit unmounting. At least MNT_DETACH should
be set at least. Your (deprecated) shell command should get a '-n' too.
> + [ -d $(DESTDIR)/$(BINDIR) ] || \
> + $(MKDIR) -p $(DESTDIR)/$(BINDIR)
> + [ -d $(DESTDIR)/$(LIBDIR) ] || \
> + $(MKDIR) -p $(DESTDIR)/$(LIBDIR)
> + $(INSTALL) -o root -g $(MOCKGROUP) -m 4750 $(EXECUTABLE) $(DESTDIR)/$(BINDIR)
~~~~~~~~~~~~~~~~~~~~~~~
please do not do such things. rpm packagers will hate you for that.
> memset(env, '\0', sizeof(char *) * (3 + ALLOWED_ENV_SIZE));
> env[0] = strdup(SAFE_PATH);
plain assignment without strdup(3) suffices here. You could write
| char const * env[ALLOWED_ENV_SIZE] = {
| [0] = SAFE_PATH,
| [1] = SAFE_HOME,
| [2] = NSFLAG
| };
here.
> // set up a new argv/argc
> // new argv[0] will be "/usr/bin/python"
> // new argv[1] will be "/usr/bin/mock.py"
> // remainder of new argv will be old argv[1:n]
> // allocate one extra for null at end
> newargc = argc + 1;
> newargvsz = sizeof(char *) * (newargc + 1);
> newargv = malloc(newargvsz);
why are you doing dynamic memory allocations here? Operating on stack is
much cheaper.
> if (newargv == NULL)
> error("malloc of argument vector (%d bytes) failed!\n", newargvsz);
> memset(newargv, '\0', newargvsz);
> newargv[0] = strdup(PYTHON_PATH);
ditto; you are missing an error check here btw... (which would not be
needed by a simple 'newargv[0] = PYTHON_PATH;').
Enrico
More information about the Fedora-buildsys-list
mailing list