bootmisc: clean_run safety improvements.

If /tmp or / are read-only, the clean_run function can fail in some very
bad ways.

1. dir=$(mktemp -d) returns an EMPTY string on error.
2. "mount -o bind / $dir", and don't check the result of that,
3. "rm -rf $dir/run/*", which removes the REAL /run contents
4. box gets very weird from this point forward

Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>
Signed-Off-By: Chip Parker <infowolfe@gmail.com>
Reported-by: Chip Parker <infowolfe@gmail.com>
Tested-by: Chip Parker <infowolfe@gmail.com>
This commit is contained in:
Robin H. Johnson 2015-02-26 17:58:22 -08:00 committed by William Hubbs
parent a0378f3871
commit 7bbb73574b

View File

@ -119,11 +119,32 @@ clean_run()
{
[ "$RC_SYS" = VSERVER -o "$RC_SYS" = LXC ] && return 0
local dir
# If / is still read-only due to a problem, this will fail!
if ! checkpath -W /; then
eerror "/ is not writable; unable to clean up underlying /run"
return 1
fi
if ! checkpath -W /tmp; then
eerror "/tmp is not writable; unable to clean up underlying /run"
return 1
fi
# Now we know that we can modify /tmp and /
# if mktemp -d fails, it returns an EMPTY string
# STDERR: mktemp: failed to create directory via template /tmp/tmp.XXXXXXXXXX: Read-only file system
# STDOUT: ''
rc=0
dir=$(mktemp -d)
mount --bind / $dir
rm -rf $dir/run/*
umount $dir
rm -rf $dir
if [ -n "$dir" -a -d $dir -a -w $dir ]; then
mount --bind / $dir && rm -rf $dir/run/* || rc=1
umount $dir
rm -rf $dir
else
rc=1
fi
if [ $rc -ne 0 ]; then
eerror "Could not clean up underlying /run on /"
return 1
fi
}
start()