New version of mock working (I think)
Clark Williams
williams at redhat.com
Fri Jun 23 15:42:37 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Enrico Scholz wrote:
> williams at redhat.com (Clark Williams) writes:
>
>> if os.path.exists(self.basedir):
>> cmd = '%s -rf %s' % (self.config['rm'], self.basedir)
>
> wouldn't it be better to do such things with native syscalls instead of
> invoking a command? You will never get this implemented race-free with
> shell commands.
>
>
Well, as an old-timey UNIX programmer, I was always taught (by even
older UNIX hackers) that you shouldn't use mount(2), that mount(8) is
preferred because all the corner-case logic for dealing with mount
points is encapsulated there; just use it. Perhaps that isn't the
case anymore and I'm just falling back on old habits. In any case it's
much easier from a code maintenance perspective to just delegate the
responsibility of mounting filesystems to mount(8).
What race condition(s) would we avoid by using mount(2)?
>>
>> def pack(self):
>> self.state('create cache')
>> self._ensure_dir(os.path.join(self.config['basedir'],
self.config['cache_topdir']))
>
> This seems to open an attack vector; attacker could create the
> cache_topdir (basedir is writable by mock group) and create e.g. a
> cache.tar -> /etc/nologin symlink.
>
> Perhaps it suffices to remove group write-permissions from basedir. The
> cleaner way would be to open the cache_file in a safe way and give only
> the fd to tar. (ditto for unpack).
>
>
With the change in managing uid/gids, I wonder if we even need the
mock group anymore? Currently we cycle between the users's real uid
and root (when a root action is required). I'm not sure we need to
setgid to mock any more.
>> self.debug("mounting proc in %s" % procdir)
>> - command = '%s -t proc proc %s/proc' % (self.config['mount'],
>> + command = '%s -n -t proc proc %s/proc' % (self.config['mount'],
>> self.rootdir)
>
> See below...
>
>> track.flush()
>>
>> if retval != 0:
>> @@ -427,9 +459,9 @@
>> devptsdir = os.path.join(self.rootdir, 'dev/pts')
>
> When you are about to increase security, you should fix such beginner
> errors too. 'chroot' does not mean "prepend a path", but "change /".
Well, we have to prepend a path, since these mounts are occurring
before we chroot. What would you suggest as an alternative?
>
>
>> self._ensure_dir(devptsdir)
>> self.debug("mounting devpts in %s" % devptsdir)
>> - command = '%s -t devpts devpts %s' % (self.config['mount'],
devptsdir)
>> + command = '%s -n -t devpts devpts %s' %
(self.config['mount'], devptsdir)
>
> There is no reason to do this kind of mounting with the mount(8) shell
> command. mount(2) is a much better (and easier) way.
>
I disagree that it's easier to mount with mount(2). Are you suggesting
that it's less code than the above two lines (format and os.system)?
>
>> item = '%s/%s' % (self.rootdir, path)
>> command = '%s %s' % (self.config['umount'], item)
>
> There is no reason for explicit unmounting. At least MNT_DETACH should
> be set at least. Your (deprecated) shell command should get a '-n' too.
>
>
No reason other than good programming practice perhaps.
Thanks for catching the -n.
>> + [ -d $(DESTDIR)/$(BINDIR) ] || \
>> + $(MKDIR) -p $(DESTDIR)/$(BINDIR)
>> + [ -d $(DESTDIR)/$(LIBDIR) ] || \
>> + $(MKDIR) -p $(DESTDIR)/$(LIBDIR)
>> + $(INSTALL) -o root -g $(MOCKGROUP) -m 4750 $(EXECUTABLE)
$(DESTDIR)/$(BINDIR)
> ~~~~~~~~~~~~~~~~~~~~~~~
>
> please do not do such things. rpm packagers will hate you for that.
>
>
Please do not do *what* things? Create directories? Use the install
utility?
Please elaborate your concern.
>> memset(env, '\0', sizeof(char *) * (3 + ALLOWED_ENV_SIZE));
>> env[0] = strdup(SAFE_PATH);
>
> plain assignment without strdup(3) suffices here. You could write
>
> | char const * env[ALLOWED_ENV_SIZE] = {
> | [0] = SAFE_PATH,
> | [1] = SAFE_HOME,
> | [2] = NSFLAG
> | };
>
> here.
>
>> // set up a new argv/argc
>> // new argv[0] will be "/usr/bin/python"
>> // new argv[1] will be "/usr/bin/mock.py"
>> // remainder of new argv will be old argv[1:n]
>> // allocate one extra for null at end
>> newargc = argc + 1;
>> newargvsz = sizeof(char *) * (newargc + 1);
>> newargv = malloc(newargvsz);
>
> why are you doing dynamic memory allocations here? Operating on stack is
> much cheaper.
>
Well, I'd say that this is a holdover from kernel programming where
you don't put things other than trivial variables on the stack.
Probably not an issue in user-space, but I'm not going to change it
for a one-time exec. Who cares if it's a couple of micro-seconds
faster to assign to the stack as opposed to allocating a page off the
heap and duping a few strings? It's done once then and then we exec
python.
>
>> if (newargv == NULL)
>> error("malloc of argument vector (%d bytes) failed!\n",
newargvsz);
>> memset(newargv, '\0', newargvsz);
>> newargv[0] = strdup(PYTHON_PATH);
>
> ditto; you are missing an error check here btw... (which would not be
> needed by a simple 'newargv[0] = PYTHON_PATH;').
>
Ah, I should have checked the strdup return. Busted...
Clark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFEnAvsHyuj/+TTEp0RAtQ9AKDPOVMS525eT3bKrTYS36fnJADyvACff2xR
k76XCHVvjO4Ass30Sdgrj6s=
=mUTh
-----END PGP SIGNATURE-----
More information about the Fedora-buildsys-list
mailing list