build--sync: leave setting PATH to setuid wrappers

If the user configures more lenient settings for PATH in their setuid
tool of choice (e.g. sudo, opendoas), let them.
pull/1014/head
Alad Wenter 2 months ago
parent 595e24b6ea
commit 15876d5026
  1. 4
      lib/aur-build
  2. 94
      lib/aur-build--sync

@ -4,8 +4,6 @@
set -o errexit
shopt -s extglob
argv0=build
# Reset path when running elevated (#979)
[[ $UID == 0 ]] && PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
machine=$(uname -m)
startdir=$PWD
PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
@ -475,7 +473,7 @@ while IFS= read -ru "$fd" path; do
# Like `makepkg --syncdeps`, this affects the host and so uses the host
# pacman configuration. --pacman-conf (which may also point to
# a world-writeable file) is not applied.
sudo aur build--sync --repo "$db_name"
sudo aur build--sync "$db_name"
fi
done
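Review bot: With the PATH reset on the removed `[[ $UID == 0 ]] && PATH=...` line gone, nothing left in aur-build records why the elevated path no longer sanitizes its own environment, and the comment above the `sudo aur build--sync "$db_name"` call only covers the pacman configuration. Since #979 was the reason the reset existed, consider extending that comment with `# PATH for the elevated helper is left to the wrapper's own policy (sudo secure_path, doas); see #979` so a later reader does not reintroduce the reset without knowing the trade-off. The `while IFS= read -ru "$fd" path` loop enclosing the call starts before the hunk.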

@ -1,62 +1,32 @@
#!/bin/perl -T
# This script can be used in NOPASSWD rules (sudoers) or similar (doas/setuid
# wrappers) to upgrade packages in a local repository without password prompt.
# Use basic measures from perlsec(1perl) to limit security impact.
use strict;
use warnings;
use v5.20;
my $argv0 = 'build--sync';
# minimal path
$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
# option parsing
use Getopt::Long;
my $opt_repo; # tainted
GetOptions("d|repo=s" => \$opt_repo);
if (!length($opt_repo)) {
say STDERR "$argv0: repository not specified";
exit(1);
}
# limit valid characters for repository
if ($opt_repo =~ /^([-\@\w.]+)$/) {
$opt_repo = $1; # untainted
} else {
die "Bad data in '$opt_repo'";
}
# update pacman database
system 'pacsync', $opt_repo
and exit $? >> 8;
system 'pacsync', $opt_repo, '--dbext=.files'
and exit $? >> 8;
# verify if host packages can be upgraded from the local repository
my %targets;
my $pid = open(my $fh, "-|", 'pacman', '-Sup', '--print-format', '%r/%n');
if ($pid) { # parent
while (my $spec = <$fh>) {
chomp($spec);
my ($repo, $name) = split('/', $spec);
if ($repo eq $opt_repo) {
$targets{$spec} = 1; # untainted - we trust pacman output
}
};
waitpid($pid, 0);
exit(1) if $?;
}
if (scalar(keys %targets)) {
say STDERR "$argv0: upgrading packages in repository $opt_repo";
system 'pacman', '-S', '--noconfirm', keys %targets
and exit $? >> 8;
} else {
say STDERR 'there is nothing to do';
}
# vim: set et sw=4 sts=4 ft=perl:
#!/bin/bash
# build--sync - helper for upgrading local repository
set -e
[[ -v AUR_DEBUG ]] && set -o xtrace
argv0=build--sync
PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
if (( ! $# )); then
printf >&2 'error: repository not specified\n'
exit 1
fi
arg_repo=$1
pacsync "$arg_repo"
pacsync "$arg_repo" --dbext=.files
targets=()
while IFS='/' read -r repo name; do
if [[ $repo == "$arg_repo" ]]; then
targets+=("$name")
fi
done < <(
pacman -Sup --print-format '%r/%n'
)
wait $!
if (( ${#targets[@]} )); then
printf >&2 "%s: upgrading packages in repository '%s'\n" "$argv0" "$arg_repo"
pacman -S --noconfirm "${targets[@]}"
fi
# vim: set et sw=4 sts=4 ft=sh:
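Review bot: `arg_repo=$1` in the new script is handed straight to `pacsync` and used in the `IFS='/'` comparison without the anchored character check the removed Perl version applied (`/^([-\@\w.]+)$/`), and since the file header says the helper is meant for NOPASSWD sudoers/doas rules, that argument is effectively caller-controlled. A value starting with `-` would reach `pacsync` as an option and a value containing `/` can never equal the `%r` field of the `%r/%n` output, so the old guard should be carried over right after the assignment, e.g. `[[ $arg_repo =~ ^[[:alnum:]@_.][-@[:alnum:]_.]*$ ]] || { printf >&2 '%s: invalid repository name\n' "$argv0"; exit 1; }`. The Perl version also collected `repo/name` specs rather than bare names; passing only `"$name"` to `pacman -S` presumably resolves to the same candidate that `-Sup` reported, but pinning `"$repo/$name"` would keep that explicit. The script likewise no longer clears `IFS`, `CDPATH`, `ENV` or `BASH_ENV`; if that is deliberately delegated to the wrapper, a one-line comment such as `# PATH and environment sanitization are left to the setuid wrapper's policy` would document the decision.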
