From 3b08c21101b0801d7c5d6c145a27bef5cd42078c Mon Sep 17 00:00:00 2001 From: Marius Mauch Date: Thu, 25 Jan 2007 15:49:26 +0000 Subject: Namespace sanitizing, step 1 svn path=/main/trunk/; revision=5778 --- pym/portage/data.py | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 pym/portage/data.py (limited to 'pym/portage/data.py') diff --git a/pym/portage/data.py b/pym/portage/data.py new file mode 100644 index 000000000..707c76b2d --- /dev/null +++ b/pym/portage/data.py @@ -0,0 +1,126 @@ +# portage_data.py -- Calculated/Discovered Data Values +# Copyright 1998-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +if not hasattr(__builtins__, "set"): + from sets import Set as set + +import os,pwd,grp +from portage_util import writemsg +from output import green,red +from output import create_color_func +bad = create_color_func("BAD") + +ostype=os.uname()[0] + +lchown = None +if ostype=="Linux" or ostype.lower().endswith("gnu"): + userland="GNU" + os.environ["XARGS"]="xargs -r" +elif ostype == "Darwin": + userland="Darwin" + os.environ["XARGS"]="xargs" + def lchown(*pos_args, **key_args): + pass +elif ostype.endswith("BSD") or ostype =="DragonFly": + userland="BSD" + os.environ["XARGS"]="xargs" +else: + writemsg(red("Operating system")+" \""+ostype+"\" "+red("currently unsupported. Exiting.")+"\n") + sys.exit(1) + +if not lchown: + if "lchown" in dir(os): + # Included in python-2.3 + lchown = os.lchown + else: + try: + import missingos + lchown = missingos.lchown + except ImportError: + def lchown(*pos_args, **key_args): + writemsg(red("!!!") + " It seems that os.lchown does not" + \ + " exist. Please rebuild python.\n", noiselevel=-1) + lchown() + +os.environ["USERLAND"]=userland + +def portage_group_warning(): + warn_prefix = bad("*** WARNING *** ") + mylines = [ + "For security reasons, only system administrators should be", + "allowed in the portage group. Untrusted users or processes", + "can potentially exploit the portage group for attacks such as", + "local privilege escalation." + ] + for x in mylines: + writemsg(warn_prefix, noiselevel=-1) + writemsg(x, noiselevel=-1) + writemsg("\n", noiselevel=-1) + writemsg("\n", noiselevel=-1) + +# Portage has 3 security levels that depend on the uid and gid of the main +# process and are assigned according to the following table: +# +# Privileges secpass uid gid +# normal 0 any any +# group 1 any portage_gid +# super 2 0 any +# +# If the "wheel" group does not exist then wheelgid falls back to 0. +# If the "portage" group does not exist then portage_uid falls back to wheelgid. + +secpass=0 + +uid=os.getuid() +wheelgid=0 + +if uid==0: + secpass=2 +try: + wheelgid=grp.getgrnam("wheel")[2] +except KeyError: + writemsg("portage initialization: your system doesn't have a 'wheel' group.\n") + writemsg("Please fix this as it is a normal system requirement. 'wheel' is GID 10\n") + writemsg("`emerge baselayout` and a config update with dispatch-conf, etc-update\n") + writemsg("or cfg-update should remedy this problem.\n") + pass + +#Discover the uid and gid of the portage user/group +try: + portage_uid=pwd.getpwnam("portage")[2] + portage_gid=grp.getgrnam("portage")[2] + if secpass < 1 and portage_gid in os.getgroups(): + secpass=1 +except KeyError: + portage_uid=0 + portage_gid=0 + writemsg("\n") + writemsg( red("portage: 'portage' user or group missing. Please update baselayout\n")) + writemsg( red(" and merge portage user(250) and group(250) into your passwd\n")) + writemsg( red(" and group files. Non-root compilation is disabled until then.\n")) + writemsg( " Also note that non-root/wheel users will need to be added to\n") + writemsg( " the portage group to do portage commands.\n") + writemsg("\n") + writemsg( " For the defaults, line 1 goes into passwd, and 2 into group.\n") + writemsg(green(" portage:x:250:250:portage:/var/tmp/portage:/bin/false\n")) + writemsg(green(" portage::250:portage\n")) + writemsg("\n") + portage_group_warning() + +userpriv_groups = [portage_gid] +if secpass >= 2: + # Get a list of group IDs for the portage user. Do not use grp.getgrall() + # since it is known to trigger spurious SIGPIPE problems with nss_ldap. + from commands import getstatusoutput + mystatus, myoutput = getstatusoutput("id -G portage") + if mystatus == os.EX_OK: + for x in myoutput.split(): + try: + userpriv_groups.append(int(x)) + except ValueError: + pass + del x + userpriv_groups = list(set(userpriv_groups)) + del getstatusoutput, mystatus, myoutput -- cgit v1.2.3-1-g7c22