Filling in more of the payload fields before passing to the downloader ensures
that the these fields do not get lost during sandboxed operations.
It also fixes the use of -U with XferCommand, but testsuite still fails due to
"404" page being downloaded for the signature. Given we can not identify this
as being a non-signature download with the XferCommand, we can just turn off
signature checking in this test.
Signed-off-by: Allan McRae <allan@archlinux.org>
If the SandboxUser configure option is set, the internal downloader
will fork of a child process and drop to the specified user to download
the files.
Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Add log and download callbacks to use within a sandbox. These are
designed to be passed from the sandbox to the parent through a file
descriptor and then processed into alpm callbacks to be passed to the
frontend.
Note, only callbacks used in libalpm are added. Other callbacks should
be set to NULL in the child process.
Add alpm_sandbox_child() function that will be used for switching to a
less priviledged user to run child processes.
Signed-off-by: Allan McRae <allan@archlinux.org>
The DownloadUser option will be used to drop privledges to the
specified user when downloading files.
The intention is for this to be extended in the future to a more
general sandbox configuration to cover operating on package and
database files prior to verification.
Add this option to pacman configuration and the various accessors into
the libalpm backend.
Signed-off-by: Allan McRae <allan@archlinux.org>
Previously, the for loops on lines 1035 and 1037 would advance to the
next element in the server list, even if downloading the URL succeeded.
If there are no more servers in the list, `s` would be NULL, causing
a NULL pointer dereference on line 1046. If there were servers left
in the list, the signature would be downloaded from a wrong URL.
1. Fetching of database signatures is enabled.
2. There is only one enabled remote repository URL, or fetching from
all but the last one fails and fetching from the last one succeeds.
3. An XferCommand is used.
Qubes OS Arch templates satisfy all of these conditions and trigger the bug.
atio's behaviour is undefined if the input is not valid. Also it does
all sorts of whitespace and prefix handling which we don't need for
pkgreason.
Instead of going into UB on invalid input we now return EXPLICIT as the
fallback and print an error. However we don't actually error out as the
DB parsing tries to be error tolerant.
Signed-off-by: Allan McRae <allan@archlinux.org>
alpm has certain requirements for package metadata necessary for proper
functioning, name and version in particular. These requirements are
already enforced in makepkg, but nowhere in alpm.
Exceptions are treated as errors for non-local packages because they
cannot be installed without potentially resulting in undefined behavior.
Exceptions for local packages are treated as warnings because they are
already installed, so any damage has already been done, and the user
would otherwise have no way to uninstall them.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The error path uconditinally tries to free the archive, leading to a
double-free segmentation fault if the error path is triggered after
already freeing it.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
The free function was checking DB_STATUS_PKGCACHE, which is only set
once the package cache has been fully built.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
In the very unlikely situtation where getmntent() and friends return
non-null, but the mount directory is NULL, a null dereference could
occur. It is unclear what the best course of action is in this case,
so just move on to the next mount point.
Signed-off-by: Allan McRae <allan@archlinux.org>
The length_check function could underflow if the provided buffer index
is greater than the signature buffer length, leading to an out of
bounds read.
Signed-off-by: Allan McRae <allan@archlinux.org>
These are the only log messages produced by pacman that include an
embedded newline, and it looks very incongruous in a typical pacman.log.
Signed-off-by: Allan McRae <allan@archlinux.org>
The primary purpose of this is to allow cleanup of file descriptors
allocated by curl that were left open in the child. I am not aware of
any issues caused by the open file descriptors, but think it better to
not leave random open fd's lying around.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Freeing handle resources was previously split awkwardly between
_alpm_handle_free and alpm_release. This consolidates the freeing of
all in-memory resources to _alpm_handle_free, leaving alpm_release as a
thin wrapper that provides safety checks and frees any external
resources, e.g. removing lock files.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Cache servers differ from regular servers in that they do not produce
warnings and are not removed from the server pool for "soft errors"
(i.e. the server was reachable, but the download failed) and they are
not used for databases. If a host is used for both a cache server and a
regular server, it may still be removed from the server pool for soft
errors that occur when used as cache server and removal from the server
pool for soft errors will not affect future attempted use as a cache
server.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
chroot() requires CAP_SYS_CHROOT. If the caller has put us in the
right root directory already, don't call chroot(). This allows
running pacman in a containerized environment without CAP_SYS_CHROOT.
Some user had erros while updating their system.
:: Proceed with installation? [Y/n]
:: Retrieving packages...
checking keyring...
checking package integrity...
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
The issue was filecache_find returning null and alpm passing that null
path to check validity. How this happened I have no idea. It may be
something to do with the user's cachedir being a network drive.
Also warn when the file exists but it is not a regular file or can not
be opened.
When ever pacman prints a conflict, it now prints pkgname-version,
instead of just pkgname.
alpm_conflict_t now carries *alpm_pkg_ts instead of just the
names of each package.
Fixes FS#12536 (point 2)
We have not set handle in the function at this stage, so we can not
assign an error to it. Pass the handle to the function to avoid
waiting until the payload is retrieved.
Signed-off-by: Allan McRae <allan@archlinux.org>
