Tweak depcache permission handling so egencache can be run by a user who's
authorZac Medico <zmedico@gentoo.org>
Sun, 21 Jun 2009 22:01:50 +0000 (22:01 -0000)
committerZac Medico <zmedico@gentoo.org>
Sun, 21 Jun 2009 22:01:50 +0000 (22:01 -0000)
not in the portage group, allowing for better privilege isolation.

svn path=/main/trunk/; revision=13660

pym/portage/cache/fs_template.py
pym/portage/cache/sqlite.py
pym/portage/dbapi/porttree.py

index f3dc0ce44441876d5f57b887cd31b4a5b7c66013..ee8964e7085dbdc8485bdda363655eaa0876950b 100644 (file)
@@ -17,7 +17,7 @@ class FsBased(template.database):
                gid=portage_gid
                perms=0665"""
 
-               for x,y in (("gid",portage_gid),("perms",0664)):
+               for x, y in (("gid", -1), ("perms", -1)):
                        if x in config:
                                setattr(self, "_"+x, config[x])
                                del config[x]
@@ -34,8 +34,10 @@ class FsBased(template.database):
                """returns true or false if it's able to ensure that path is properly chmod'd and chowned.
                if mtime is specified, attempts to ensure that's correct also"""
                try:
-                       os.chown(path, -1, self._gid)
-                       os.chmod(path, self._perms)
+                       if self._gid != -1:
+                               os.chown(path, -1, self._gid)
+                       if self._perms != -1:
+                               os.chmod(path, self._perms)
                        if mtime != -1:
                                mtime=long(mtime)
                                os.utime(path, (mtime, mtime))
@@ -55,12 +57,19 @@ class FsBased(template.database):
                for dir in path.lstrip(os.path.sep).rstrip(os.path.sep).split(os.path.sep):
                        base = os.path.join(base,dir)
                        if not os.path.exists(base):
-                               um=os.umask(0)
+                               if self._perms != -1:
+                                       um = os.umask(0)
                                try:
-                                       os.mkdir(base, self._perms | 0111)
-                                       os.chown(base, -1, self._gid)
+                                       perms = self._perms
+                                       if perms == -1:
+                                               perms = 0
+                                       perms |= 0755
+                                       os.mkdir(base, perms)
+                                       if self._gid != -1:
+                                               os.chown(base, -1, self._gid)
                                finally:
-                                       os.umask(um)
+                                       if self._perms != -1:
+                                               os.umask(um)
 
        
 def gen_label(base, label):
index ea77391c7ee56b527c1b16cb8a9073fc4e4f5021..5657617b373f8ab266693812d99cf27649c9844f 100644 (file)
@@ -62,7 +62,7 @@ class database(fs_template.FsBased):
                                database=self._dbpath, **connection_kwargs)
                        self._db_cursor = self._db_connection.cursor()
                        self._db_cursor.execute("PRAGMA encoding = %s" % self._db_escape_string("UTF-8"))
-                       if not apply_secpass_permissions(self._dbpath, gid=portage_gid, mode=070, mask=02):
+                       if not self._ensure_access(self._dbpath):
                                raise cache_errors.InitializationError(self.__class__, "can't ensure perms on %s" % self._dbpath)
                        self._db_init_cache_size(config["cache_bytes"])
                        self._db_init_synchronous(config["synchronous"])
index 0cdb36591f88c5374dad21a9318929ff15394e16..ff16a9441d3dac9eb3394c2b30f8a93cdb227fe3 100644 (file)
@@ -295,12 +295,23 @@ class portdbapi(dbapi):
                self.auxdb = {}
                self._pregen_auxdb = {}
                self._init_cache_dirs()
+               depcachedir_w_ok = os.access(self.depcachedir, os.W_OK)
+               cache_kwargs = {
+                       'gid'     : portage_gid,
+                       'perms'   : 0664
+               }
+
+               if secpass < 1:
+                       # portage_gid is irrelevant, so just obey umask
+                       cache_kwargs['gid']   = -1
+                       cache_kwargs['perms'] = -1
+
                # XXX: REMOVE THIS ONCE UNUSED_0 IS YANKED FROM auxdbkeys
                # ~harring
                filtered_auxdbkeys = filter(lambda x: not x.startswith("UNUSED_0"), auxdbkeys)
                filtered_auxdbkeys.sort()
                from portage.cache import metadata_overlay, volatile
-               if secpass < 1:
+               if not depcachedir_w_ok:
                        for x in self.porttrees:
                                db_ro = self.auxdbmodule(self.depcachedir, x,
                                        filtered_auxdbkeys, gid=portage_gid, readonly=True)
@@ -314,7 +325,7 @@ class portdbapi(dbapi):
                                        continue
                                # location, label, auxdbkeys
                                self.auxdb[x] = self.auxdbmodule(
-                                       self.depcachedir, x, filtered_auxdbkeys, gid=portage_gid)
+                                       self.depcachedir, x, filtered_auxdbkeys, **cache_kwargs)
                                if self.auxdbmodule is metadata_overlay.database:
                                        self.auxdb[x].db_ro.ec = self._repo_info[x].eclass_db
                if "metadata-transfer" not in self.mysettings.features: