Change again the root commands, so that all control characters are escaped
Update the corresponding part in README.BLFS
parent
d6f2ebfaae
commit
f53dc4cf43
2 changed files with 37 additions and 23 deletions
|
@ -436,9 +436,9 @@ fi
|
||||||
<xsl:choose>
|
<xsl:choose>
|
||||||
<xsl:when test="@role = 'root'">
|
<xsl:when test="@role = 'root'">
|
||||||
<xsl:if test="$sudo = 'y'">
|
<xsl:if test="$sudo = 'y'">
|
||||||
<xsl:text>sudo sh << ROOT_EOF
</xsl:text>
|
<xsl:text>sudo -E sh << ROOT_EOF
</xsl:text>
|
||||||
</xsl:if>
|
</xsl:if>
|
||||||
<xsl:apply-templates select="userinput" mode="root"/>
|
<xsl:apply-templates mode="root"/>
|
||||||
<xsl:if test="$sudo = 'y'">
|
<xsl:if test="$sudo = 'y'">
|
||||||
<xsl:text>
ROOT_EOF</xsl:text>
|
<xsl:text>
ROOT_EOF</xsl:text>
|
||||||
</xsl:if>
|
</xsl:if>
|
||||||
|
@ -504,19 +504,10 @@ popd</xsl:text>
|
||||||
<xsl:apply-templates/>
|
<xsl:apply-templates/>
|
||||||
</xsl:template>
|
</xsl:template>
|
||||||
|
|
||||||
<xsl:template match="userinput" mode="root">
|
<xsl:template match="text()" mode="root">
|
||||||
<xsl:for-each select="child::node()">
|
<xsl:call-template name="output-root">
|
||||||
<xsl:choose>
|
<xsl:with-param name="out-string" select="string()"/>
|
||||||
<xsl:when test="self::text()">
|
</xsl:call-template>
|
||||||
<xsl:call-template name="output-root">
|
|
||||||
<xsl:with-param name="out-string" select="string()"/>
|
|
||||||
</xsl:call-template>
|
|
||||||
</xsl:when>
|
|
||||||
<xsl:otherwise>
|
|
||||||
<xsl:apply-templates select="self::node()"/>
|
|
||||||
</xsl:otherwise>
|
|
||||||
</xsl:choose>
|
|
||||||
</xsl:for-each>
|
|
||||||
</xsl:template>
|
</xsl:template>
|
||||||
|
|
||||||
<xsl:template name="output-root">
|
<xsl:template name="output-root">
|
||||||
|
@ -533,6 +524,17 @@ popd</xsl:text>
|
||||||
select="substring-after($out-string,'make')"/>
|
select="substring-after($out-string,'make')"/>
|
||||||
</xsl:call-template>
|
</xsl:call-template>
|
||||||
</xsl:when>
|
</xsl:when>
|
||||||
|
<xsl:when test="contains($out-string,'$') and $sudo = 'y'">
|
||||||
|
<xsl:call-template name="output-root">
|
||||||
|
<xsl:with-param name="out-string"
|
||||||
|
select="substring-before($out-string,'$')"/>
|
||||||
|
</xsl:call-template>
|
||||||
|
<xsl:text>\$</xsl:text>
|
||||||
|
<xsl:call-template name="output-root">
|
||||||
|
<xsl:with-param name="out-string"
|
||||||
|
select="substring-after($out-string,'$')"/>
|
||||||
|
</xsl:call-template>
|
||||||
|
</xsl:when>
|
||||||
<xsl:when test="contains($out-string,'`') and $sudo = 'y'">
|
<xsl:when test="contains($out-string,'`') and $sudo = 'y'">
|
||||||
<xsl:call-template name="output-root">
|
<xsl:call-template name="output-root">
|
||||||
<xsl:with-param name="out-string"
|
<xsl:with-param name="out-string"
|
||||||
|
@ -567,4 +569,10 @@ popd</xsl:text>
|
||||||
<xsl:text>EDITME**</xsl:text>
|
<xsl:text>EDITME**</xsl:text>
|
||||||
</xsl:template>
|
</xsl:template>
|
||||||
|
|
||||||
|
<xsl:template match="replaceable" mode="root">
|
||||||
|
<xsl:text>**EDITME</xsl:text>
|
||||||
|
<xsl:apply-templates/>
|
||||||
|
<xsl:text>EDITME**</xsl:text>
|
||||||
|
</xsl:template>
|
||||||
|
|
||||||
</xsl:stylesheet>
|
</xsl:stylesheet>
|
||||||
|
|
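Review bot: The `replaceable` template added in mode `root` (last hunk) calls `<xsl:apply-templates/>` with no mode, so text inside a `<replaceable>` drops back to the default mode and never passes through `output-root`. Under `$sudo = 'y'` a `$` or backtick in that text is then written unescaped into the unquoted `ROOT_EOF` here-document and is interpreted by the invoking user's shell before `sudo` runs, unlike the rest of the command. Changing that line to `<xsl:apply-templates mode="root"/>` would keep it consistent with the new `text()` template. In the first hunk, `<xsl:apply-templates mode="root"/>` now selects all children instead of only `userinput`, so any text outside `userinput` would presumably also land in the root script; the enclosing template starts outside the hunk, so this should be confirmed against it.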
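--- a/README.BLFS
+++ b/README.BLFS
@@ -273,14 +273,20 @@ $Id$
 If building as a normal user (the default setting), be sure that all
 commands that require root privileges are run using sudo. Also make sure
 necessary root privilege commands are visible in your PATH. Or use
-the `Defaults secure_path=' in /etc/sudoers. Also, the scripts use a
-fragile construct:
-sudo bash -c '<commands to be executed as root>'
-which fail if the commands to be executed contain themselves a ' or access
-a bash variable $XXX. So carefully review them. When you want to use
-environment variables, it is sometimes better to replace simple quotes
-with double quotes, but beware the construct is even more fragile.
-Carefully check it...
+the `Defaults secure_path=' in /etc/sudoers.
+For commands necessitating root privileges, the generated scripts wrap
+them with the construct:
+sudo -E sh << ROOT_EOF
+<commands to be executed as root with `$', ``', and `\' escaped>
+ROOT_EOF
+The -E switch ensures the whole environment is passed to the
+commands to be run with root privileges. It is effective only if the
+/etc/sudoers file contains `Defaults setenv', or SETENV in the user
+attributes. If you think it is a security issue, you may forbid this
+flag in /etc/sudoers, but then, you have to un-escape `$' for variables
+coming from the environment in the instructions.
+Although this construct is rather strong, it can fail in some corner
+cases, so carefully review those instructions.
 
 Due to book layout issues, some sudo commands may be missing.
 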