diff options
| author | Zac Medico <zmedico@gentoo.org> | 2007-07-23 18:07:40 +0000 |
|---|---|---|
| committer | Zac Medico <zmedico@gentoo.org> | 2007-07-23 18:07:40 +0000 |
| commit | b039403c553aa2ae7ea3861c4a80fcbe89f90aa2 (patch) | |
| tree | eae42a09ad2560b9fff84c3c4c55cada036e169c | |
| parent | e940a98117979ab6d9c4ed367b01ff0598740a3e (diff) | |
| download | portage-b039403c553aa2ae7ea3861c4a80fcbe89f90aa2.tar.gz portage-b039403c553aa2ae7ea3861c4a80fcbe89f90aa2.tar.bz2 portage-b039403c553aa2ae7ea3861c4a80fcbe89f90aa2.zip | |
Drop privileges in the "depend" phase regardless of FEATURES and RESTRICT since that phase should never need special privileges. Thanks to swegener for the initial patch.
svn path=/main/trunk/; revision=7373
| -rw-r--r-- | pym/portage/__init__.py | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/pym/portage/__init__.py b/pym/portage/__init__.py index 8f0b2205f..a151ad064 100644 --- a/pym/portage/__init__.py +++ b/pym/portage/__init__.py @@ -2444,8 +2444,6 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, **keyw features = mysettings.features restrict = mysettings.get("PORTAGE_RESTRICT","").split() - droppriv=(droppriv and "userpriv" in features and not \ - ("nouserpriv" in restrict or "userpriv" in restrict)) if droppriv and not uid and portage_gid and portage_uid: keywords.update({"uid":portage_uid,"gid":portage_gid, "groups":userpriv_groups,"umask":002}) @@ -4020,19 +4018,23 @@ def doebuild(myebuild, mydo, myroot, mysettings, debug=0, listonly=0, sesandbox = mysettings.selinux_enabled() and \ "sesandbox" in mysettings.features + + droppriv = "userpriv" in mysettings.features and \ + "userpriv" not in restrict + ebuild_sh = EBUILD_SH_BINARY + " %s" misc_sh = MISC_SH_BINARY + " dyn_%s" # args are for the to spawn function actionmap = { -"depend": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":0}}, -"setup": {"cmd":ebuild_sh, "args":{"droppriv":0, "free":1, "sesandbox":0}}, -"unpack": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":sesandbox}}, -"compile":{"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}}, -"test": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}}, -"install":{"cmd":ebuild_sh, "args":{"droppriv":0, "free":0, "sesandbox":sesandbox}}, -"rpm": {"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, -"package":{"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, +"depend": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":0}}, +"setup": {"cmd":ebuild_sh, "args":{"droppriv":0, "free":1, "sesandbox":0}}, +"unpack": {"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":0, "sesandbox":sesandbox}}, +"compile":{"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":nosandbox, "sesandbox":sesandbox}}, +"test": {"cmd":ebuild_sh, "args":{"droppriv":droppriv, "free":nosandbox, "sesandbox":sesandbox}}, +"install":{"cmd":ebuild_sh, "args":{"droppriv":0, "free":0, "sesandbox":sesandbox}}, +"rpm": {"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, +"package":{"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}}, } # merge the deps in so we have again a 'full' actionmap |