diff options
author | Zac Medico <zmedico@gentoo.org> | 2007-07-23 18:09:59 +0000 |
---|---|---|
committer | Zac Medico <zmedico@gentoo.org> | 2007-07-23 18:09:59 +0000 |
commit | 495022aa5b3d155bd0d7ed3876c4630ef06bd4b6 (patch) | |
tree | 617be9b020452c48637cb0fbf69a8b9383a9fa48 | |
parent | 3479685e9960f23c2c1571da9501cd5625ea4907 (diff) | |
download | portage-495022aa5b3d155bd0d7ed3876c4630ef06bd4b6.tar.gz portage-495022aa5b3d155bd0d7ed3876c4630ef06bd4b6.tar.bz2 portage-495022aa5b3d155bd0d7ed3876c4630ef06bd4b6.zip |
Drop privileges in the "depend" phase regardless of FEATURES and RESTRICT since that phase should never need special privileges. Thanks to swegener for the initial patch. (trunk r7373)
svn path=/main/branches/2.1.2/; revision=7374
-rw-r--r-- | pym/portage.py | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/pym/portage.py b/pym/portage.py index 3de399cf4..a4097f551 100644 --- a/pym/portage.py +++ b/pym/portage.py @@ -2345,8 +2345,6 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, **keyw features = mysettings.features restrict = mysettings.get("PORTAGE_RESTRICT","").split() - droppriv=(droppriv and "userpriv" in features and not \ - ("nouserpriv" in restrict or "userpriv" in restrict)) if droppriv and not uid and portage_gid and portage_uid: keywords.update({"uid":portage_uid,"gid":portage_gid,"groups":userpriv_groups,"umask":002}) @@ -3909,19 +3907,23 @@ def doebuild(myebuild, mydo, myroot, mysettings, debug=0, listonly=0, sesandbox = mysettings.selinux_enabled() and \ "sesandbox" in mysettings.features + + droppriv = "userpriv" in mysettings.features and \ + "userpriv" not in restrict + ebuild_sh = EBUILD_SH_BINARY + " %s" misc_sh = MISC_SH_BINARY + " dyn_%s" # args are for the to spawn function actionmap = { -"depend": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":0}}, -"setup": {"cmd":ebuild_sh, "args":{"droppriv":0, "free":1, "sesandbox":0}}, -"unpack": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":sesandbox}}, -"compile":{"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}}, -"test": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}}, -"install":{"cmd":ebuild_sh, "args":{"droppriv":0, "free":0, "sesandbox":sesandbox}}, -"rpm": {"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, -"package":{"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, +"depend": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":0}}, +"setup": {"cmd":ebuild_sh, "args":{"droppriv":0, "free":1, "sesandbox":0}}, +"unpack": {"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":0, "sesandbox":sesandbox}}, +"compile":{"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":nosandbox, "sesandbox":sesandbox}}, +"test": {"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":nosandbox, "sesandbox":sesandbox}}, +"install":{"cmd":ebuild_sh, "args":{"droppriv":0, "free":0, "sesandbox":sesandbox}}, +"rpm": {"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, +"package":{"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, } # merge the deps in so we have again a 'full' actionmap |