[arch-dev-public] Useful scripts
Jason Chu
jason at archlinux.org
Tue Jul 31 19:53:12 EDT 2007
On Wed, Aug 01, 2007 at 12:41:35AM +0100, Andrew Fyfe wrote:
> Jason Chu wrote:
> >> Note of warning!! Do not use these scripts on any PKGBUILDs you don't
> >> trust! They source every PKGBUILD to obtain the information - if a
> >> single PKGBUILD has rm -rf ~ you'd lose your home directory. You've
> >> been warned. ;) (of course you could run it in a sandbox as well, but
> >> yeah.)
> >
> > The new way I parse PKGBUILDs in namcap really rocks for not trusting
> > PKGBUILDs. Apparently bash has a --restricted mode. You have to override
> > the PATH variable to make sure they can't execute any commands, but that's
> > about it.
> >
> > http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7
> >
> > This script basically outputs a PKGBUILD in db format.
> >
> Are you sure 'source $1' works with --restricted mode? It doesn't for me.
What do you mean? You tried the script and it doesn't work on your
machine? That's weird because I've had a number of people use it with no
problems...
> If you wanted to be really paranoid you could use
>
> TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX)
> PKGBUILD=$(readlink -f "$1")
>
> cd "$TMPDIR"
> # Start a bash shell with a clean environment.
> env -i \
> TERM=$TERM HOME=$TMPDIR PATH=$TMPDIR \
> CARCH=$CARCH PKGBUILD=$PKGBUILD \
> /bin/bash --noprofile --norc << EOF
> # Make PATH readonly to stop the PKGBUILD from changing it
> readonly PATH
>
> source "$PKGBUILD"
>
> ...
> EOF
True... I'll probably end up using parts of that. Might as well give the
PKGBUILD a clean environment ;)
Except, doesn't that still let the user execute programs in any other
directory (/usr/bin/rm) and also cd to any other directory? Those were two
things that I really relied on --restricted to help with.
Jason
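As an added example (this is not namcap's parsepkgbuild and not the script quoted above, and the function names, the key=value output and the hostile PKGBUILD are all constructed for it), here is the restricted-mode idea worked through in shell, with the env -i / readonly PATH variant beside it so the two can be compared on the same input. The outer script is plain sh; the inner shell has to be bash, since restricted mode is a bash feature. Two bash details it relies on: a restricted shell refuses a filename containing a slash as the argument to `source`, which is the likely reason `source $1` fails under --restricted, so the PKGBUILD is copied into the sandbox directory and sourced by its bare name; and rbash marks PATH readonly itself at startup, so the explicit readonly PATH is only there for the unrestricted comparison run.

```shell
#!/bin/sh
# Added example, not namcap's parsepkgbuild and not the script quoted above.
# parse_pkgbuild FILE [restricted|unrestricted]
#   Copies FILE into a fresh sandbox directory, sources it there with a throwaway
#   HOME and an empty PATH, and prints its metadata as key=value lines.
#   "restricted" adds bash --restricted, which is what blocks cd, /abs/path
#   commands and output redirection; "unrestricted" is the env -i / readonly PATH
#   variant on its own, kept here so the difference is visible.
parse_pkgbuild() {
    file=$1
    mode=${2:-restricted}
    case $mode in
        restricted)   shell_opts=--restricted ;;
        unrestricted) shell_opts= ;;
        *) echo "parse_pkgbuild: unknown mode $mode" >&2; return 2 ;;
    esac
    bash_bin=$(command -v bash) || return 1   # resolved out here: the inner PATH is empty on purpose
    # pwd -P: the inner bash sets PWD from getcwd(), so compare against the physical path
    sandbox=$(cd "$(mktemp -d "${TMPDIR:-/tmp}/parsepkgbuild.XXXXXX")" && pwd -P) || return 1
    mkdir "$sandbox/bin" "$sandbox/home"      # bin stays empty, so no command is on PATH
    : > "$sandbox/home/canary"                # still present afterwards only if rm -rf ~ was stopped
    cp "$file" "$sandbox/PKGBUILD" && chmod 0644 "$sandbox/PKGBUILD"
    ( cd "$sandbox" && env -i HOME="$sandbox/home" PATH="$sandbox/bin" SANDBOX="$sandbox" \
        "$bash_bin" $shell_opts --noprofile --norc -c '
          readonly PATH                     # rbash already does this at startup; harmless here
          emit() {
              printf "%s\n" "pkgname=$pkgname" "pkgver=$pkgver" "pkgrel=$pkgrel" \
                            "depends=${depends[*]}"
              if [ "$PWD" = "$SANDBOX" ]; then echo cwd=sandbox; else echo cwd=escaped; fi
          }
          trap emit EXIT                    # still runs if the PKGBUILD calls exit on us
          source PKGBUILD                   # bare name: rbash refuses "source /path/to/PKGBUILD"
        ' ) >"$sandbox/fields" 2>"$sandbox/stderr.log" || :
    cat "$sandbox/fields"
    if [ -f "$sandbox/home/canary" ]; then echo home=intact; else echo home=deleted; fi
    sed 's/^/stderr: /' "$sandbox/stderr.log"   # what the inner shell refused or could not find
    rm -rf "$sandbox"
}

# Constructed hostile PKGBUILD: valid metadata followed by the kinds of lines
# that make sourcing an untrusted PKGBUILD dangerous. Every hostile line stays
# inside the throwaway HOME, so the unrestricted run is safe to try.
demo_hostile_pkgbuild() {
    mode=${1:-restricted}
    f=$(mktemp "${TMPDIR:-/tmp}/PKGBUILD.XXXXXX") || return 1
    cat >"$f" <<'EOF'
pkgname=evil
pkgver=1.0
pkgrel=1
depends=('glibc' 'bash')
cd /                            # leave the sandbox directory
/bin/rm -rf "$HOME"             # absolute path: an empty PATH alone does not stop this
echo pwned > "$HOME/owned"      # output redirection
PATH=/usr/bin:/bin              # try to get commands back
build() { :; }
exit 0                          # try to cut the parser off before it reads anything
EOF
    parse_pkgbuild "$f" "$mode"
    rm -f "$f"
}

demo_hostile_pkgbuild "${1:-restricted}"
```

Run with restricted and the output ends in cwd=sandbox and home=intact, with a "restricted" error on stderr for the cd, the /bin/rm and the redirection, and "command not found" for anything that relied on PATH. Run with unrestricted and cwd=escaped comes back, and on any system with /bin/rm the canary is gone, which is exactly the gap pointed out above. Note what restricted mode does not cover: the PKGBUILD can still read any file the user can (input redirection is allowed), define and call functions, and burn CPU or memory, so for anything beyond pulling metadata out of a PKGBUILD a real sandbox is still the right tool.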