[arch-dev-public] Useful scripts

Jürgen Hötzel juergen at hoetzel.info
Wed Aug 1 11:53:21 EDT 2007


On Wed, Aug 01, 2007 at 12:41:35AM +0100, Andrew Fyfe wrote:
> Jason Chu wrote:
> >> Note of warning!!  Do not use these scripts on any PKGBUILDs you don't
> >> trust!  They source every PKGBUILD to obtain the information - if a
> >> single PKGBUILD has rm -rf ~ you'd lose your home directory.  You've
> >> been warned. ;)  (of course you could run it in a sandbox as well, but
> >> yeah.)
> > 
> > The new way I parse PKGBUILDs in namcap really rocks for not trusting
> > PKGBUILDs.  Apparently bash has a --restricted mode.  You have to override
> > the PATH variable to make sure they can't execute any commands, but that's
> > about it.
> > 
> > http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7
> > 
> > This script basically outputs a PKGBUILD in db format.
> > 
> Are you sure 'source $1' works with --restricted mode? It doesn't for me.
> 
> If you wanted to be really paranoid you could use
> 
> TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX)
> PKGBUILD=$(readlink -f "$1")
> 
> cd "$TMPDIR"
> # Start a bash shell with a clean environment.
> env -i \
>          TERM=$TERM HOME=$TMPDIR PATH=$TMPDIR \
>          CARCH=$CARCH PKGBUILD=$PKGBUILD \
>          /bin/bash --noprofile --norc << EOF
> # Make PATH readonly to stop the PKGBUILD from changing it
> readonly PATH
> 
> source "$PKGBUILD"

This doesn't protect from executing arbitrary commands in the PKGBUILD.

You can't use absolute paths in restricted mode. But you can change to the
PKGBUILD directory before parsing it and then execute a restricted shell
(resulting in a huge performance loss, because you need to spawn a shell
process for each PKGBUILD). Enclosed.

Jürgen
-------------- next part --------------
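#!/bin/bash --restricted
# Usage: grepdep-restricted <package>
# Run from the directory that contains the PKGBUILD: restricted mode refuses
# a "/" in the file name given to source.

unset depends makedepends
source PKGBUILD
for depfield in "makedepends[@]" "depends[@]"; do
    for depend in "${!depfield}"; do
        # Strip any version constraint (<, >, =) before comparing names.
        [[ ${depend%%[<>=]*} = "$1" ]] && echo "$pkgname -- $depfield $depend"
    done
done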

-------------- next part --------------
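#!/bin/bash

# Usage: <this script> <package>
if [[ "" = "$1" ]]; then
    echo "Specify a package!" >&2
    exit 1
fi

# Run grepdep-restricted (found via PATH) inside each directory holding a PKGBUILD.
find . -name PKGBUILD -execdir grepdep-restricted "$1" \;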
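
The two ideas from this thread combined (change into the PKGBUILD directory, then source it in a restricted bash whose PATH points at an empty directory), as an added example that is not part of the original mail or of namcap. The function names and the sample PKGBUILD are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original mail. Function names and the sample
# PKGBUILD are constructed for illustration.

# Write a constructed PKGBUILD that tries four ways to create a file "pwned".
write_sample_pkgbuild() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=demo
pkgver=1.0
depends=('glibc' 'zlib>=1.2')
touch pwned            # external command: nothing resolves in the empty PATH
/bin/touch pwned       # "/" in a command name: refused in restricted mode
echo x > pwned         # output redirection: refused in restricted mode
PATH=/bin:/usr/bin     # PATH is readonly in restricted mode
touch pwned
EOF
}

# Print "pkgname: dep dep ..." for DIR/PKGBUILD without letting it run commands.
parse_pkgbuild() {
    local dir="$1" bash_bin emptybin rc
    bash_bin=$(command -v bash) || return 1   # resolve before PATH is replaced
    emptybin=$(mktemp -d) || return 1         # directory with no executables
    # cd in the caller: the restricted shell cannot cd or source a "/" path.
    # env -i drops the caller's environment, so only the empty PATH is passed.
    # stderr is discarded out here because the restricted shell cannot redirect.
    ( cd "$dir" && env -i PATH="$emptybin" "$bash_bin" --restricted \
          --noprofile --norc -c 'source PKGBUILD
echo "$pkgname: ${depends[*]}"' ) 2>/dev/null
    rc=$?
    rmdir "$emptybin"
    return "$rc"
}

# Parse the sample and report whether any attempt managed to create "pwned".
demo() {
    local work out
    work=$(mktemp -d) || return 1
    write_sample_pkgbuild "$work"
    out=$(parse_pkgbuild "$work")
    if [ -e "$work/pwned" ]; then out="$out (pwned was created)"; fi
    rm -rf "$work"
    echo "$out"
}
demo   # prints: demo: glibc zlib>=1.2
```

Shell builtins still run in the restricted shell, so a PKGBUILD can still print arbitrary text or loop forever; treat the output as untrusted and put a timeout around the call.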

