bonsai/kiss
3
0
Fork 0
forked from kiss-community/kiss
Code Issues 2 Pull Requests Projects Releases Activity

as_root(): Strict environment.

Browse Source 
Running a portion of the script as root will now use a stricter
environment. The root user will only inherit a small and fixed
white-list of environment variables.

- HOME/XDG_CACHE_HOME
  - To make use of the non-root user's package
    cache for the purposes of installation.

- KISS_PATH
  - To make use of the non-root user's set repositories
    during installation.

- KISS_FORCE
  - To carry over KISS_FORCE if passed as non-root.

The 'sudo' and 'su' commands were also changed to run as
"login shells". This allows environment variables to be set
solely for the root account (KISS_HOOK, etc) via '.profile' or
etc. As for 'doas', this has to happen via doas.conf.
This commit is contained in:
Dylan Araps 2020-05-18 10:29:25 +03:00
parent e711f76296
commit c55374a52b
No known key found for this signature in database
GPG Key ID: 46D62DD9F1DE636E
1 changed files with 11 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
kiss
View File

@ -49,15 +49,18 @@ prompt() {
as_root() { as_root() {
# Simple function to run a command as root using either 'sudo', # Simple function to run a command as root using either 'sudo',
# 'doas' or 'su'. Hurrah for choice. # 'doas' or 'su'. Hurrah for choice.
[ "$uid" = 0 ] || { [ "$uid" = 0 ] || log "Using '${su:-su}' (to become ${user:=root})"
log "Using '${su:-su}' (to become ${user:=root})"
export KISS_AS_ROOT=1 # Add the following environment variables to the root environment
} # so that the non-root user's cache can be used. This is the
# portable method of doing so and works across all tools.
set -- env HOME="$HOME" XDG_CACHE_HOME="$XDG_CACHE_HOME" \
KISS_PATH="$KISS_PATH" KISS_FORCE="$KISS_FORCE" "$@"
case $su in case $su in
*sudo) sudo -E -u "$user" -- "$@" ;; *sudo) sudo -iu "$user" -- "$@" ;;
*doas) doas -u "$user" -- "$@" ;; *doas) doas -u "$user" -- "$@" ;;
*) su -pc "$* <&3" "$user" 3<&0 </dev/tty ;; *) su -lc "$* <&3" "$user" 3<&0 </dev/tty ;;
esac esac
} }
@ -72,15 +75,11 @@ _tar() {
} }
run_hook() { run_hook() {
# If we have elevated permissions from non-root to
# root, don't run the non-root user's KISS_HOOK.
[ "$KISS_AS_ROOT" != 1 ] || KISS_HOOK=/etc/kiss-hook
# Provide a default post-build hook to remove files # Provide a default post-build hook to remove files
# and directories for things we don't support out of # and directories for things we don't support out of
# the box. One can simply define their own hook to # the box. One can simply define their own hook to
# override this behavior. # override this behavior.
[ -f "${KISS_HOOK:-}" ] || { [ "${KISS_HOOK:-}" ] || {
case $1 in post-build) case $1 in post-build)
rm -rf "$3/usr/share/gettext" rm -rf "$3/usr/share/gettext"
rm -rf "$3/usr/share/polkit-1" rm -rf "$3/usr/share/polkit-1"