bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

alpm: Don't chroot() to "/"

Browse source 
chroot() requires CAP_SYS_CHROOT.  If the caller has put us in the
right root directory already, don't call chroot().  This allows
running pacman in a containerized environment without CAP_SYS_CHROOT.
This commit is contained in:
Jack Rosenthal 2023-09-29 15:35:52 -06:00
parent 917b67f5d1
commit e9b385a636
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/libalpm/util.c
View file

@ -655,7 +655,9 @@ int _alpm_run_chroot(alpm_handle_t *handle, const char *cmd, char *const argv[],
} }
/* use fprintf instead of _alpm_log to send output through the parent */ /* use fprintf instead of _alpm_log to send output through the parent */
if(chroot(handle->root) != 0) { /* don't chroot() to "/": this allows running with less caps when the
* caller puts us in the right root */
if(strcmp(handle->root, "/") != 0 && chroot(handle->root) != 0) {
fprintf(stderr, _("could not change the root directory (%s)\n"), strerror(errno)); fprintf(stderr, _("could not change the root directory (%s)\n"), strerror(errno));
exit(1); exit(1);
} }