bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

libalpm: only chown downloaded files when running as root

Browse source 
Some libaplm utilities sync databases as a non-root user for use in
actvities other than system updates.  The ability to download as a
non-root user was broken as part of the download sandboxing.

Applying a minimial fix by preventing the chown of the downloaded file
if the user is non-root.  A larger change increasing the robustness
and error checking of this path is warranted in the future.

Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Allan McRae 2024-09-05 17:29:40 +10:00
parent 6ba5c20e76
commit 7bc5d55b56
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/libalpm/dload.c
View file

@ -76,13 +76,16 @@ static mode_t _getumask(void)
static int finalize_download_file(const char *filename) static int finalize_download_file(const char *filename)
{ {
struct stat st; struct stat st;
uid_t myuid = getuid();
ASSERT(filename != NULL, return -1); ASSERT(filename != NULL, return -1);
ASSERT(stat(filename, &st) == 0, return -1); ASSERT(stat(filename, &st) == 0, return -1);
if(st.st_size == 0) { if(st.st_size == 0) {
unlink(filename); unlink(filename);
return 1; return 1;
} }
ASSERT(chown(filename, 0, 0) != -1, return -1); if(myuid == 0) {
ASSERT(chown(filename, 0, 0) != -1, return -1);
}
ASSERT(chmod(filename, ~(_getumask()) & 0666) != -1, return -1); ASSERT(chmod(filename, ~(_getumask()) & 0666) != -1, return -1);
return 0; return 0;
} }