diff options
| author | Martin Whitaker <mageia@martin-whitaker.me.uk> | 2019-06-21 21:47:37 +0100 |
|---|---|---|
| committer | Martin Whitaker <mageia@martin-whitaker.me.uk> | 2019-06-21 22:02:44 +0100 |
| commit | f8c0d00fa23a094173dbe17ef4644f860f871f20 (patch) | |
| tree | 6775d8a64fdb02c0504982a7b0817cdf4725ada1 | |
| parent | 3d029f70096cefbba5836b49d5fde9bb613999cf (diff) | |
| download | urpmi-f8c0d00fa23a094173dbe17ef4644f860f871f20.tar urpmi-f8c0d00fa23a094173dbe17ef4644f860f871f20.tar.gz urpmi-f8c0d00fa23a094173dbe17ef4644f860f871f20.tar.bz2 urpmi-f8c0d00fa23a094173dbe17ef4644f860f871f20.tar.xz urpmi-f8c0d00fa23a094173dbe17ef4644f860f871f20.zip | |
Ensure urpmi config and cache files are world-readable (mga#24636)
This is needed to allow mgaapplet and urpm* commands run as a
normal user to work when run from a gdm-x-session, which sets
the umask to 027.
See also mga#9386 and mga#22262. We should perhaps take notice
of the msec security level.
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | urpm/media.pm | 16 | ||||
| -rw-r--r-- | urpm/util.pm | 15 |
3 files changed, 28 insertions, 5 deletions
@@ -1,3 +1,5 @@ +- ensure urpmi config and cache files are world-readable (mga#24636) + Version 8.116 - 27 May 2019 - don't enable 32-bit media by default on 64-bit systems (mga#24376) diff --git a/urpm/media.pm b/urpm/media.pm index cadfc173..52575ff0 100644 --- a/urpm/media.pm +++ b/urpm/media.pm @@ -551,12 +551,14 @@ sub write_urpmi_cfg { }; remove_passwords_and_write_private_netrc($urpm, $config); - # urpmi.cfg must be world-readable, else mgaapplet won't be able to read it - # as it is executed from the user session. We enforce umask here in the case - # where the msec security level is set to 'secure' (which means umask 077). - umask 0022; + #- urpmi.cfg must be world-readable, else mgaapplet and urpm* commands run as + #- a normal user won't be able to read it. We enforce umask here in the case + #- where the msec security level is set to 'secure' (which means umask 077) + #- or where we are run from a gdm-x-session (mga#24636) + my $old_umask = umask 0022; urpm::cfg::dump_config($urpm->{config}, $config) or $urpm->{fatal}(6, N("unable to write config file [%s]", $urpm->{config})); + umask $old_umask; $urpm->{log}(N("wrote config file [%s]", $urpm->{config})); @@ -972,12 +974,18 @@ sub add_medium { $medium->{$_} = $options{$_} if exists $options{$_}; } + #- The medium files must be world-readable, else mgaapplet and urpm* commands run + #- as a normal user won't be able to read them. We enforce umask here in the case + #- where the msec security level is set to 'secure' (which means umask 077) or + #- where we are run from a gdm-x-session (mga#24636) + my $old_umask = umask 0022; #- those files must not be there (cf mdvbz#36267) _clean_statedir_medium_files($urpm, $medium); if (!($options{virtual} && _local_file($medium)) && !$urpm->{urpmi_root}) { # with --urpmi-root, we do not use statedir_media_info_file to allow compatibility with older urpmi mkdir statedir_media_info_dir($urpm, $medium), 0755; } + umask $old_umask; if ($options{virtual}) { $medium->{virtual} = 1; diff --git a/urpm/util.pm b/urpm/util.pm index 4dbad1cc..563d3118 100644 --- a/urpm/util.pm +++ b/urpm/util.pm @@ -187,7 +187,20 @@ sub uniq_(&@) { sub output_safe { my ($file, $content, $o_backup_ext) = @_; - + + #- The file must be world-readable, else mgaapplet and urpm* commands run as + #- a normal user won't be able to read it. We enforce umask here in the case + #- where the msec security level is set to 'secure' (which means umask 077) + #- or where we are run from a gdm-x-session (mga#24636) + my $old_umask = umask 0022; + my $retval = output_safe_($file, $content, $o_backup_ext); + umask $old_umask; + $retval; +} + +sub output_safe_ { + my ($file, $content, $o_backup_ext) = @_; + open(my $f, '>', "$file.new") or return; print $f $content or return; close $f or return; |