[arch-dev-public] [PATCH] makechrootpkg: Use the host's SRCDEST and PKGDEST if they are defined
aaronmgriffin at gmail.com
Thu Nov 5 12:03:29 EST 2009
On Thu, Nov 5, 2009 at 10:53 AM, Firmicus <Firmicus at gmx.net> wrote:
> Aaron Griffin wrote:
>> On Wed, Nov 4, 2009 at 8:02 PM, Eric Bélanger <snowmaniscool at gmail.com> wrote:
>>> Signed-off-by: Eric Bélanger <snowmaniscool at gmail.com>
>>> makechrootpkg | 3 +++
>>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>> diff --git a/makechrootpkg b/makechrootpkg
>>> index 5095425..d1dcf32 100755
>>> --- a/makechrootpkg
>>> +++ b/makechrootpkg
>>> @@ -150,6 +150,9 @@ if [ "$REPACK" != "1" ]; then
>>> rm -rf "$uniondir/build/"*
>>> +eval $(grep '^SRCDEST=' /etc/makepkg.conf)
>>> +eval $(grep '^PKGDEST=' /etc/makepkg.conf)
>>> [ -d "$uniondir/pkgdest" ] || mkdir "$uniondir/pkgdest"
>>> if ! grep "PKGDEST=/pkgdest" "$uniondir/etc/makepkg.conf" >/dev/null 2>&1; then
>>> echo "Setting PKGDEST in makepkg.conf"
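Review bot: the two added eval lines run the whole matched line from /etc/makepkg.conf as shell code, so anything that follows the SRCDEST= or PKGDEST= assignment on that line is executed by this script, and the unquoted $(...) is word-split before eval sees it. Only the value is needed at this point: take the text after the first '=' as data, strip surrounding quotes, and check that it is a usable path before assigning it, instead of passing file content to eval.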
>> The eval seems slightly dangerous to me... does anyone else have this
>> concern, or am I being too careful?
> I agree. It is more than "slightly" dangerous. If makepkg.conf contained
> a line such as:
> PKGDEST="blabla" && rm -rf /
> then the eval would indeed execute "rm -rf /". This is particularly bad
> since makechrootpkg is called with sudo ...
> Better look for a safer alternative. What about this?
> PKGDEST=$(source /etc/makepkg.conf && echo $PKGDEST)
> SRCDEST=$(source /etc/makepkg.conf && echo $SRCDEST)
> This is not very pretty as we need to source makepkg.conf twice, but at
> least it is safer.
> We could also do something like:
> ORIGDESTDIRS=$(source /etc/makepkg.conf && echo $PKGDEST $SRCDEST)
> PKGDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f1)
> SRCDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f2)
I was thinking more along the lines of:
Original: eval $(grep '^SRCDEST=' /etc/makepkg.conf)
SRCDEST=$(grep '^SRCDEST=' /etc/makepkg.conf | cut -d= -f2)
PKGDEST=$(grep '^PKGDEST=' /etc/makepkg.conf | cut -d= -f2)
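An added example, not code from this thread or from makechrootpkg: one way to read SRCDEST and PKGDEST as data, with nothing from the file passed to eval or source. The function name conf_value, the sample paths and the allowed-character rule are assumptions, and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read KEY=value from a makepkg.conf-style
# file as data. Nothing from the file is ever passed to eval or source.
conf_value() {
    # $1 = variable name, $2 = file. Last assignment wins, as when sourcing.
    _line=$(grep "^$1=" "$2" 2>/dev/null | tail -n 1)
    [ -n "$_line" ] || return 1
    _val=${_line#*=}                  # everything after the first '='
    case $_val in                     # strip one pair of matching quotes
        '"'*'"') _val=${_val#'"'}; _val=${_val%'"'} ;;
        "'"*"'") _val=${_val#"'"}; _val=${_val%"'"} ;;
    esac
    case $_val in
        /*) ;;                        # must be an absolute path
        *) return 1 ;;
    esac
    case $_val in                     # assumed conservative path alphabet
        *[!A-Za-z0-9_./+=-]*) return 1 ;;
    esac
    printf '%s\n' "$_val"
}

# Constructed sample input: one ordinary file, one with a command appended
# to the assignment (a harmless touch stands in for the appended command).
demo_dir=$(mktemp -d)
printf '%s\n' 'SRCDEST="/home/build/src=cache"' "PKGDEST='/home/build/pkg'" \
    > "$demo_dir/good.conf"
printf '%s\n' "PKGDEST=\"blabla\" && touch $demo_dir/executed" \
    > "$demo_dir/bad.conf"

for f in good.conf bad.conf; do
    for k in SRCDEST PKGDEST; do
        if v=$(conf_value "$k" "$demo_dir/$f"); then
            echo "$f: $k=$v"
        else
            echo "$f: $k unset or rejected"
        fi
    done
done
```

A line carrying anything beyond a plain quoted or unquoted absolute path is rejected rather than trimmed, so a caller can fall back to its default directory.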