[arch-dev-public] Useful scripts

Jason Chu jason at archlinux.org
Tue Jul 31 19:53:12 EDT 2007

On Wed, Aug 01, 2007 at 12:41:35AM +0100, Andrew Fyfe wrote:
> Jason Chu wrote:
> >> Note of warning!!  Do not use these scripts on any PKGBUILDs you don't
> >> trust!  They source every PKGBUILD to obtain the information - if a
> >> single PKGBUILD has rm -rf ~ you'd lose your home directory.  You've
> >> been warned. ;)  (of course you could run it in a sandbox as well, but
> >> yeah.)
> > 
> > The new way I parse PKGBUILDs in namcap really rocks for not trusting
> > PKGBUILDs.  Apparently bash has a --restricted mode.  You have to override
> > the PATH variable to make sure they can't execute any commands, but that's
> > about it.
> > 
> > http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7
> > 
> > This script basically outputs a PKGBUILD in db format.
> > 
> Are you sure 'source $1' works with --restricted mode? it doesn't for me.

What do you mean?  You tried the script and it doesn't work on your
machine?  That's weird because I've had a number of people use it with no

> If you wanted to be really paranoid you could use
> TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX)
> PKGBUILD=$(readlink -f "$1")
> cd "$TMPDIR"
> # Start a bash shell with a clean environment.
> env -i \
>          /bin/bash --noprofile --norc << EOF
> # Make PATH readonly to stop the PKGBUILD from changing it
> readonly PATH
> source "$PKGBUILD"
> ...

True... I'll probably end up using parts of that.  Might as well give the
PKGBUILD a clean environment ;)

Except that doesn't that still let the user execute programs in any other
directory (/usr/bin/rm) and also cd to any other directory?  Those were two
things that I really relied on --restricted to help with.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/arch-dev-public/attachments/20070731/6a05bd07/attachment.pgp>

More information about the arch-dev-public mailing list