From 430a25f422bd3abfe9901c45ba069e633e1803a9 Mon Sep 17 00:00:00 2001 From: Juan RP Date: Tue, 2 Feb 2016 11:28:48 +0100 Subject: [PATCH] libxbps: execute pkg scripts with /bin/sh directly. The pkg INSTALL/REMOVE scripts do not need to have the executable bit set anymore, thus /tmp can be mounted with 'noexec' from now on. GH #149 --- NEWS | 5 +++++ lib/package_script.c | 6 +----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index 530e7ff1..9cf575e2 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,10 @@ xbps-0.52 (???): + * libxbps: package INSTALL/REMOVE scripts do not need to be executables + anymore because they are executed with "/bin/sh" directly. That means + "/tmp" can be mounted as "noexec". Fixed #149 correctly. + See https://github.com/voidlinux/xbps/issues/149 + * xbps-query(1): fix a bug where the output of -o became mixed up when running on multiple cores. diff --git a/lib/package_script.c b/lib/package_script.c index 690301cf..d44a7cd2 100644 --- a/lib/package_script.c +++ b/lib/package_script.c @@ -43,7 +43,6 @@ xbps_pkg_exec_buffer(struct xbps_handle *xhp, const char *tmpdir, *version; char *pkgname, *fpath; int fd, rv; - mode_t mask; assert(blob); assert(pkgver); @@ -72,15 +71,12 @@ xbps_pkg_exec_buffer(struct xbps_handle *xhp, } /* Create temp file to run script */ - mask = umask(S_IXUSR|S_IRWXG|S_IRWXO); if ((fd = mkstemp(fpath)) == -1) { - umask(mask); rv = errno; xbps_dbg_printf(xhp, "%s: mkstemp %s\n", __func__, strerror(errno)); goto out; } - umask(mask); /* write blob to our temp fd */ ret = write(fd, blob, blobsiz); if (ret == -1) { @@ -100,7 +96,7 @@ xbps_pkg_exec_buffer(struct xbps_handle *xhp, version = xbps_pkg_version(pkgver); assert(version); - rv = xbps_file_exec(xhp, fpath, action, pkgname, version, + rv = xbps_file_exec(xhp, "/bin/sh", fpath, action, pkgname, version, update ? "yes" : "no", "no", xhp->native_arch, NULL); free(pkgname);