From c6ee61eab54edf6cc3fbe118d304d72a860e1451 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 2 Sep 2014 15:50:19 +0200 Subject: Make Proxy-Auto-Detect check for each host When doing Acquire::http{,s}::Proxy-Auto-Detect, run the auto-detect command for each host instead of only once. This should make using "proxy" from libproxy-tools feasible which can then be used for PAC style or other proxy configurations. Closes: #759264 --- methods/https.cc | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'methods/https.cc') diff --git a/methods/https.cc b/methods/https.cc index e0348ab58..0499af0c5 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -107,6 +108,9 @@ void HttpsMethod::SetupProxy() /*{{{*/ { URI ServerName = Queue->Uri; + // Determine the proxy setting + AutoDetectProxy(ServerName); + // Curl should never read proxy settings from the environment, as // we determine which proxy to use. Do this for consistency among // methods and prevent an environment variable overriding a -- cgit v1.2.3 From 3927c6da48c206b6b251661f44680d9883b4f6b4 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 24 Sep 2014 16:22:05 +0200 Subject: Drop Privileges to "Debian-apt" in most acquire methods Add a new "Debian-apt" user that owns the /var/lib/apt/lists and /var/cache/apt/archive directories. The methods http, https, ftp, gpgv, gzip switch to this user when they start. Thanks to Julian and "ioerror" and tors "switch_id()" code. --- apt-pkg/contrib/fileutl.cc | 34 +++++++++++++++++++++++++++++++++- debian/apt.postinst | 7 +++++++ methods/copy.cc | 2 ++ methods/ftp.cc | 3 +++ methods/gpgv.cc | 3 +++ methods/gzip.cc | 2 ++ methods/http_main.cc | 4 +++- methods/https.cc | 2 ++ 8 files changed, 55 insertions(+), 2 deletions(-) (limited to 'methods/https.cc') diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 6b8f04dea..de67a94b9 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -48,6 +48,7 @@ #include #include #include +#include #include #include @@ -64,6 +65,10 @@ #include #include +#if __gnu_linux__ +#include +#endif + #include /*}}}*/ @@ -2173,14 +2178,41 @@ bool DropPrivs() if (getuid() != 0) return true; - const std::string nobody = _config->Find("APT::User::Nobody", "nobody"); + if(_config->FindB("Debug::NoDropPrivs", false) == true) + return true; + + const std::string nobody = _config->Find("APT::User::Nobody", "Debian-apt"); struct passwd *pw = getpwnam(nobody.c_str()); if (pw == NULL) return _error->Warning("No user %s, can not drop rights", nobody.c_str()); + +#if __gnu_linux__ + // see prctl(2), needs linux3.5 + int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0,0, 0); + if(ret < 0) + _error->Warning("PR_SET_NO_NEW_PRIVS failed with %i", ret); +#endif + + if (setgroups(1, &pw->pw_gid) != 1) + return _error->Errno("setgroups", "Failed to setgroups"); + + if (setegid(pw->pw_gid) != 0) + return _error->Errno("setgid", "Failed to setgid"); if (setgid(pw->pw_gid) != 0) return _error->Errno("setgid", "Failed to setgid"); + if (setuid(pw->pw_uid) != 0) return _error->Errno("setuid", "Failed to setuid"); + // the seteuid() is probably uneeded (at least thats what the linux + // man-page says about setuid(2)) but we cargo culted it anyway + if (setuid(pw->pw_uid) != 0) + return _error->Errno("setuid", "Failed to setuid"); + + // be defensive + if(setgid(0) != -1 || setegid(0) != -1) + return _error->Error("Could restore gid to root, privilege dropping does not work"); + if(setuid(0) != -1 || seteuid(0) != -1) + return _error->Error("Could restore uid to root, privilege dropping does not work"); return true; } diff --git a/debian/apt.postinst b/debian/apt.postinst index fd3e273bb..08dc60f9c 100644 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -26,6 +26,13 @@ case "$1" in fi fi + # add unprivileged user for the apt methods + adduser --force-badname --system --no-create-home \ + --quiet Debian-apt || true + chown -R Debian-apt:root \ + /var/lib/apt/lists \ + /var/cache/apt/archives + # ensure tighter permissons on the logs, see LP: #975199 if dpkg --compare-versions "$2" lt-nl 0.9.7.7; then # ensure permissions are right diff --git a/methods/copy.cc b/methods/copy.cc index b78053d36..18d70e153 100644 --- a/methods/copy.cc +++ b/methods/copy.cc @@ -118,6 +118,8 @@ int main() { setlocale(LC_ALL, ""); + DropPrivs(); + CopyMethod Mth; return Mth.Run(); } diff --git a/methods/ftp.cc b/methods/ftp.cc index 66787a7be..9d58aa3b9 100644 --- a/methods/ftp.cc +++ b/methods/ftp.cc @@ -1107,6 +1107,9 @@ int main(int, const char *argv[]) { setlocale(LC_ALL, ""); + // no more active ftp, sorry + DropPrivs(); + /* See if we should be come the http client - we do this for http proxy urls */ if (getenv("ftp_proxy") != 0) diff --git a/methods/gpgv.cc b/methods/gpgv.cc index ae521a2ed..159417883 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -262,6 +263,8 @@ int main() { setlocale(LC_ALL, ""); + DropPrivs(); + GPGVMethod Mth; return Mth.Run(); diff --git a/methods/gzip.cc b/methods/gzip.cc index df3f8828f..518e58f82 100644 --- a/methods/gzip.cc +++ b/methods/gzip.cc @@ -135,6 +135,8 @@ int main(int, char *argv[]) { setlocale(LC_ALL, ""); + DropPrivs(); + Prog = strrchr(argv[0],'/'); ++Prog; diff --git a/methods/http_main.cc b/methods/http_main.cc index 3b346a514..788582632 100644 --- a/methods/http_main.cc +++ b/methods/http_main.cc @@ -1,5 +1,5 @@ #include - +#include #include #include "http.h" @@ -12,6 +12,8 @@ int main() // closes the connection (this is dealt with via ServerDie()) signal(SIGPIPE, SIG_IGN); + DropPrivs(); + HttpMethod Mth; return Mth.Loop(); } diff --git a/methods/https.cc b/methods/https.cc index 0499af0c5..a40f37710 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -443,6 +443,8 @@ int main() { setlocale(LC_ALL, ""); + DropPrivs(); + HttpsMethod Mth; curl_global_init(CURL_GLOBAL_SSL) ; -- cgit v1.2.3 From 7b18d5592fd5e0bb173e193d1e6693a66065f971 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Wed, 24 Sep 2014 21:49:19 +0200 Subject: methods: Fail if we cannot drop privileges --- apt-pkg/acquire-method.cc | 12 ++++++++++++ apt-pkg/acquire-method.h | 2 +- methods/copy.cc | 4 ++-- methods/ftp.cc | 6 +++--- methods/gpgv.cc | 4 ++-- methods/gzip.cc | 5 +++-- methods/http_main.cc | 4 ++-- methods/https.cc | 4 ++-- 8 files changed, 27 insertions(+), 14 deletions(-) (limited to 'methods/https.cc') diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc index e4a937d1d..82f2fb3ce 100644 --- a/apt-pkg/acquire-method.cc +++ b/apt-pkg/acquire-method.cc @@ -118,6 +118,18 @@ void pkgAcqMethod::Fail(string Err,bool Transient) std::cout << "\n" << std::flush; } + /*}}}*/ +// AcqMethod::DropPrivsOrDie - Drop privileges or die /*{{{*/ +// --------------------------------------------------------------------- +/* */ +void pkgAcqMethod::DropPrivsOrDie() +{ + if (!DropPrivs()) { + Fail(false); + exit(112); /* call the european emergency number */ + } +} + /*}}}*/ // AcqMethod::URIStart - Indicate a download is starting /*{{{*/ // --------------------------------------------------------------------- diff --git a/apt-pkg/acquire-method.h b/apt-pkg/acquire-method.h index cbf79f860..cdeecc9a7 100644 --- a/apt-pkg/acquire-method.h +++ b/apt-pkg/acquire-method.h @@ -105,7 +105,7 @@ class pkgAcqMethod pkgAcqMethod(const char *Ver,unsigned long Flags = 0); virtual ~pkgAcqMethod() {}; - + void DropPrivsOrDie(); private: APT_HIDDEN void Dequeue(); }; diff --git a/methods/copy.cc b/methods/copy.cc index 18d70e153..3883c822b 100644 --- a/methods/copy.cc +++ b/methods/copy.cc @@ -118,8 +118,8 @@ int main() { setlocale(LC_ALL, ""); - DropPrivs(); - CopyMethod Mth; + + Mth.DropPrivsOrDie(); return Mth.Run(); } diff --git a/methods/ftp.cc b/methods/ftp.cc index 9d58aa3b9..a658b5657 100644 --- a/methods/ftp.cc +++ b/methods/ftp.cc @@ -1107,9 +1107,6 @@ int main(int, const char *argv[]) { setlocale(LC_ALL, ""); - // no more active ftp, sorry - DropPrivs(); - /* See if we should be come the http client - we do this for http proxy urls */ if (getenv("ftp_proxy") != 0) @@ -1134,6 +1131,9 @@ int main(int, const char *argv[]) } FtpMethod Mth; + + // no more active ftp, sorry + Mth.DropPrivsOrDie(); return Mth.Run(); } diff --git a/methods/gpgv.cc b/methods/gpgv.cc index 159417883..4071cbac6 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -262,10 +262,10 @@ bool GPGVMethod::Fetch(FetchItem *Itm) int main() { setlocale(LC_ALL, ""); - - DropPrivs(); GPGVMethod Mth; + Mth.DropPrivsOrDie(); + return Mth.Run(); } diff --git a/methods/gzip.cc b/methods/gzip.cc index 518e58f82..7ffcda60f 100644 --- a/methods/gzip.cc +++ b/methods/gzip.cc @@ -135,11 +135,12 @@ int main(int, char *argv[]) { setlocale(LC_ALL, ""); - DropPrivs(); - Prog = strrchr(argv[0],'/'); ++Prog; GzipMethod Mth; + + Mth.DropPrivsOrDie(); + return Mth.Run(); } diff --git a/methods/http_main.cc b/methods/http_main.cc index 788582632..d7724701a 100644 --- a/methods/http_main.cc +++ b/methods/http_main.cc @@ -12,8 +12,8 @@ int main() // closes the connection (this is dealt with via ServerDie()) signal(SIGPIPE, SIG_IGN); - DropPrivs(); - HttpMethod Mth; + + Mth.DropPrivsOrDie(); return Mth.Loop(); } diff --git a/methods/https.cc b/methods/https.cc index a40f37710..a74d2a38b 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -443,11 +443,11 @@ int main() { setlocale(LC_ALL, ""); - DropPrivs(); - HttpsMethod Mth; curl_global_init(CURL_GLOBAL_SSL) ; + Mth.DropPrivsOrDie(); + return Mth.Run(); } -- cgit v1.2.3