bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add DownloadUser configuration option

Browse source 
The DownloadUser option will be used to drop privledges to the
specified user when downloading files.

The intention is for this to be extended in the future  to a more
general sandbox configuration to cover operating on package and
database files prior to verification.

Add this option to pacman configuration and the various accessors into
the libalpm backend.

Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Remi Gacogne 2022-11-08 11:22:45 +10:00 committed by Allan McRae
parent 01e64e8b6a
commit 56eb87287e
6 changed files with 54 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
lib/libalpm/alpm.h
View file

@ -1870,6 +1870,28 @@ int alpm_option_set_gpgdir(alpm_handle_t *handle, const char *gpgdir);
/** @} */ /** @} */
/** @name Accessors for use sandboxuser
*
* This controls the user that libalpm will use for sensitive operations like
* downloading files.
* @{
*/
/** Returns the user to switch to for sensitive operations.
* @return the user name
*/
const char *alpm_option_get_sandboxuser(alpm_handle_t *handle);
/** Sets the user to switch to for sensitive operations.
* @param handle the context handle
* @param sandboxuser the user to set
*/
int alpm_option_set_sandboxuser(alpm_handle_t *handle, const char *sandboxuser);
/* End of sandboxuser accessors */
/** @} */
/** @name Accessors for use syslog /** @name Accessors for use syslog
* *
* This controls whether libalpm will also use the syslog. Even if this option * This controls whether libalpm will also use the syslog. Even if this option

20
lib/libalpm/handle.c
View file

@ -101,6 +101,7 @@ void _alpm_handle_free(alpm_handle_t *handle)
FREE(handle->lockfile); FREE(handle->lockfile);
FREELIST(handle->architectures); FREELIST(handle->architectures);
FREE(handle->gpgdir); FREE(handle->gpgdir);
FREE(handle->sandboxuser);
FREELIST(handle->noupgrade); FREELIST(handle->noupgrade);
FREELIST(handle->noextract); FREELIST(handle->noextract);
FREELIST(handle->ignorepkg); FREELIST(handle->ignorepkg);
@ -292,6 +293,12 @@ const char SYMEXPORT *alpm_option_get_gpgdir(alpm_handle_t *handle)
return handle->gpgdir; return handle->gpgdir;
} }
const char SYMEXPORT *alpm_option_get_sandboxuser(alpm_handle_t *handle)
{
CHECK_HANDLE(handle, return NULL);
return handle->sandboxuser;
}
int SYMEXPORT alpm_option_get_usesyslog(alpm_handle_t *handle) int SYMEXPORT alpm_option_get_usesyslog(alpm_handle_t *handle)
{ {
CHECK_HANDLE(handle, return -1); CHECK_HANDLE(handle, return -1);
@ -595,6 +602,19 @@ int SYMEXPORT alpm_option_set_gpgdir(alpm_handle_t *handle, const char *gpgdir)
return 0; return 0;
} }
int SYMEXPORT alpm_option_set_sandboxuser(alpm_handle_t *handle, const char *sandboxuser)
{
CHECK_HANDLE(handle, return -1);
if(handle->sandboxuser) {
FREE(handle->sandboxuser);
}
STRDUP(handle->sandboxuser, sandboxuser, RET_ERR(handle, ALPM_ERR_MEMORY, -1));
_alpm_log(handle, ALPM_LOG_DEBUG, "option 'sandboxuser' = %s\n", handle->sandboxuser);
return 0;
}
int SYMEXPORT alpm_option_set_usesyslog(alpm_handle_t *handle, int usesyslog) int SYMEXPORT alpm_option_set_usesyslog(alpm_handle_t *handle, int usesyslog)
{ {
CHECK_HANDLE(handle, return -1); CHECK_HANDLE(handle, return -1);

1
lib/libalpm/handle.h
View file

@ -91,6 +91,7 @@ struct _alpm_handle_t {
char *logfile; /* Name of the log file */ char *logfile; /* Name of the log file */
char *lockfile; /* Name of the lock file */ char *lockfile; /* Name of the lock file */
char *gpgdir; /* Directory where GnuPG files are stored */ char *gpgdir; /* Directory where GnuPG files are stored */
char *sandboxuser; /* User to switch to for sensitive operations */
alpm_list_t *cachedirs; /* Paths to pacman cache directories */ alpm_list_t *cachedirs; /* Paths to pacman cache directories */
alpm_list_t *hookdirs; /* Paths to hook directories */ alpm_list_t *hookdirs; /* Paths to hook directories */
alpm_list_t *overwrite_files; /* Paths that may be overwritten */ alpm_list_t *overwrite_files; /* Paths that may be overwritten */

7
src/pacman/conf.c
View file

@ -156,6 +156,7 @@ int config_free(config_t *oldconfig)
free(oldconfig->dbpath); free(oldconfig->dbpath);
free(oldconfig->logfile); free(oldconfig->logfile);
free(oldconfig->gpgdir); free(oldconfig->gpgdir);
free(oldconfig->sandboxuser);
FREELIST(oldconfig->hookdirs); FREELIST(oldconfig->hookdirs);
FREELIST(oldconfig->cachedirs); FREELIST(oldconfig->cachedirs);
free(oldconfig->xfercommand); free(oldconfig->xfercommand);
@ -670,6 +671,11 @@ static int _parse_options(const char *key, char *value,
config->logfile = strdup(value); config->logfile = strdup(value);
pm_printf(ALPM_LOG_DEBUG, "config: logfile: %s\n", value); pm_printf(ALPM_LOG_DEBUG, "config: logfile: %s\n", value);
} }
} else if(strcmp(key, "DownloadUser") == 0) {
if(!config->sandboxuser) {
config->sandboxuser = strdup(value);
pm_printf(ALPM_LOG_DEBUG, "config: sandboxuser: %s\n", value);
}
} else if(strcmp(key, "XferCommand") == 0) { } else if(strcmp(key, "XferCommand") == 0) {
char **c; char **c;
if((config->xfercommand_argv = wordsplit(value)) == NULL) { if((config->xfercommand_argv = wordsplit(value)) == NULL) {
@ -922,6 +928,7 @@ static int setup_libalpm(void)
alpm_option_set_architectures(handle, config->architectures); alpm_option_set_architectures(handle, config->architectures);
alpm_option_set_checkspace(handle, config->checkspace); alpm_option_set_checkspace(handle, config->checkspace);
alpm_option_set_usesyslog(handle, config->usesyslog); alpm_option_set_usesyslog(handle, config->usesyslog);
alpm_option_set_sandboxuser(handle, config->sandboxuser);
alpm_option_set_ignorepkgs(handle, config->ignorepkg); alpm_option_set_ignorepkgs(handle, config->ignorepkg);
alpm_option_set_ignoregroups(handle, config->ignoregrp); alpm_option_set_ignoregroups(handle, config->ignoregrp);

1
src/pacman/conf.h
View file

@ -68,6 +68,7 @@ typedef struct __config_t {
char *logfile; char *logfile;
char *gpgdir; char *gpgdir;
char *sysroot; char *sysroot;
char *sandboxuser;
alpm_list_t *hookdirs; alpm_list_t *hookdirs;
alpm_list_t *cachedirs; alpm_list_t *cachedirs;
alpm_list_t *architectures; alpm_list_t *architectures;

3
src/pacman/pacman-conf.c
View file

@ -262,6 +262,7 @@ static void dump_config(void)
show_list_str("HookDir", config->hookdirs); show_list_str("HookDir", config->hookdirs);
show_str("GPGDir", config->gpgdir); show_str("GPGDir", config->gpgdir);
show_str("LogFile", config->logfile); show_str("LogFile", config->logfile);
show_str("DownloadUser", config->sandboxuser);
show_list_str("HoldPkg", config->holdpkg); show_list_str("HoldPkg", config->holdpkg);
show_list_str("IgnorePkg", config->ignorepkg); show_list_str("IgnorePkg", config->ignorepkg);
@ -362,6 +363,8 @@ static int list_directives(void)
show_str("GPGDir", config->gpgdir); show_str("GPGDir", config->gpgdir);
} else if(strcasecmp(i->data, "LogFile") == 0) { } else if(strcasecmp(i->data, "LogFile") == 0) {
show_str("LogFile", config->logfile); show_str("LogFile", config->logfile);
} else if(strcasecmp(i->data, "DownloadUser") == 0) {
show_str("DownloadUser", config->sandboxuser);
} else if(strcasecmp(i->data, "HoldPkg") == 0) { } else if(strcasecmp(i->data, "HoldPkg") == 0) {
show_list_str("HoldPkg", config->holdpkg); show_list_str("HoldPkg", config->holdpkg);