summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZac Medico <zmedico@gentoo.org>2009-06-21 22:01:50 +0000
committerZac Medico <zmedico@gentoo.org>2009-06-21 22:01:50 +0000
commitcb434991ee327850cfeae8fdfb64e7aafc32ab66 (patch)
tree92a42f927f00ed4e0c37e76d9af4cd779f4d6985
parent4eb69b2545cf9f061a9d7222e4cdc7c654694e7c (diff)
downloadportage-cb434991ee327850cfeae8fdfb64e7aafc32ab66.tar.gz
portage-cb434991ee327850cfeae8fdfb64e7aafc32ab66.tar.bz2
portage-cb434991ee327850cfeae8fdfb64e7aafc32ab66.zip
Tweak depcache permission handling so egencache can be run by a user who's
not in the portage group, allowing for better privilege isolation. svn path=/main/trunk/; revision=13660
-rw-r--r--pym/portage/cache/fs_template.py23
-rw-r--r--pym/portage/cache/sqlite.py2
-rw-r--r--pym/portage/dbapi/porttree.py15
3 files changed, 30 insertions, 10 deletions
diff --git a/pym/portage/cache/fs_template.py b/pym/portage/cache/fs_template.py
index f3dc0ce44..ee8964e70 100644
--- a/pym/portage/cache/fs_template.py
+++ b/pym/portage/cache/fs_template.py
@@ -17,7 +17,7 @@ class FsBased(template.database):
gid=portage_gid
perms=0665"""
- for x,y in (("gid",portage_gid),("perms",0664)):
+ for x, y in (("gid", -1), ("perms", -1)):
if x in config:
setattr(self, "_"+x, config[x])
del config[x]
@@ -34,8 +34,10 @@ class FsBased(template.database):
"""returns true or false if it's able to ensure that path is properly chmod'd and chowned.
if mtime is specified, attempts to ensure that's correct also"""
try:
- os.chown(path, -1, self._gid)
- os.chmod(path, self._perms)
+ if self._gid != -1:
+ os.chown(path, -1, self._gid)
+ if self._perms != -1:
+ os.chmod(path, self._perms)
if mtime != -1:
mtime=long(mtime)
os.utime(path, (mtime, mtime))
@@ -55,12 +57,19 @@ class FsBased(template.database):
for dir in path.lstrip(os.path.sep).rstrip(os.path.sep).split(os.path.sep):
base = os.path.join(base,dir)
if not os.path.exists(base):
- um=os.umask(0)
+ if self._perms != -1:
+ um = os.umask(0)
try:
- os.mkdir(base, self._perms | 0111)
- os.chown(base, -1, self._gid)
+ perms = self._perms
+ if perms == -1:
+ perms = 0
+ perms |= 0755
+ os.mkdir(base, perms)
+ if self._gid != -1:
+ os.chown(base, -1, self._gid)
finally:
- os.umask(um)
+ if self._perms != -1:
+ os.umask(um)
def gen_label(base, label):
diff --git a/pym/portage/cache/sqlite.py b/pym/portage/cache/sqlite.py
index ea77391c7..5657617b3 100644
--- a/pym/portage/cache/sqlite.py
+++ b/pym/portage/cache/sqlite.py
@@ -62,7 +62,7 @@ class database(fs_template.FsBased):
database=self._dbpath, **connection_kwargs)
self._db_cursor = self._db_connection.cursor()
self._db_cursor.execute("PRAGMA encoding = %s" % self._db_escape_string("UTF-8"))
- if not apply_secpass_permissions(self._dbpath, gid=portage_gid, mode=070, mask=02):
+ if not self._ensure_access(self._dbpath):
raise cache_errors.InitializationError(self.__class__, "can't ensure perms on %s" % self._dbpath)
self._db_init_cache_size(config["cache_bytes"])
self._db_init_synchronous(config["synchronous"])
diff --git a/pym/portage/dbapi/porttree.py b/pym/portage/dbapi/porttree.py
index 0cdb36591..ff16a9441 100644
--- a/pym/portage/dbapi/porttree.py
+++ b/pym/portage/dbapi/porttree.py
@@ -295,12 +295,23 @@ class portdbapi(dbapi):
self.auxdb = {}
self._pregen_auxdb = {}
self._init_cache_dirs()
+ depcachedir_w_ok = os.access(self.depcachedir, os.W_OK)
+ cache_kwargs = {
+ 'gid' : portage_gid,
+ 'perms' : 0664
+ }
+
+ if secpass < 1:
+ # portage_gid is irrelevant, so just obey umask
+ cache_kwargs['gid'] = -1
+ cache_kwargs['perms'] = -1
+
# XXX: REMOVE THIS ONCE UNUSED_0 IS YANKED FROM auxdbkeys
# ~harring
filtered_auxdbkeys = filter(lambda x: not x.startswith("UNUSED_0"), auxdbkeys)
filtered_auxdbkeys.sort()
from portage.cache import metadata_overlay, volatile
- if secpass < 1:
+ if not depcachedir_w_ok:
for x in self.porttrees:
db_ro = self.auxdbmodule(self.depcachedir, x,
filtered_auxdbkeys, gid=portage_gid, readonly=True)
@@ -314,7 +325,7 @@ class portdbapi(dbapi):
continue
# location, label, auxdbkeys
self.auxdb[x] = self.auxdbmodule(
- self.depcachedir, x, filtered_auxdbkeys, gid=portage_gid)
+ self.depcachedir, x, filtered_auxdbkeys, **cache_kwargs)
if self.auxdbmodule is metadata_overlay.database:
self.auxdb[x].db_ro.ec = self._repo_info[x].eclass_db
if "metadata-transfer" not in self.mysettings.features: