Change again the root commands, so that all control characters are escaped

Update the corresponding part in README.BLFS
This commit is contained in:
Pierre Labastie 2012-04-09 10:17:30 +00:00
parent d6f2ebfaae
commit f53dc4cf43
2 changed files with 37 additions and 23 deletions

@ -436,9 +436,9 @@ fi
<xsl:choose>
<xsl:when test="@role = 'root'">
<xsl:if test="$sudo = 'y'">
<xsl:text>sudo sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
<xsl:text>sudo -E sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
</xsl:if>
<xsl:apply-templates select="userinput" mode="root"/>
<xsl:apply-templates mode="root"/>
<xsl:if test="$sudo = 'y'">
<xsl:text>&#xA;ROOT_EOF</xsl:text>
</xsl:if>
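Review bot: the here-document delimiter on the `sudo -E sh &lt;&lt; ROOT_EOF` line is unquoted, so the unprivileged user's shell expands `$`, backticks and backslashes in the body before sudo ever sees it; that is the reason the escaping in `output-root` is needed, and a comment next to this line should say so, since it is not obvious from the stylesheet alone. Two consequences are worth checking here: a line in the book's instructions consisting exactly of `ROOT_EOF` would end the here-document early and run the rest as the unprivileged user, and `-E` makes the generated script depend on sudoers granting setenv, while nothing after the delimiter checks that the `sudo` call succeeded. Unless the generated scripts already run under `set -e`, consider `sudo -E sh -e &lt;&lt; ROOT_EOF` or an `|| exit 1` after the closing `ROOT_EOF`, so that a refused `-E` or a failing root command stops the build instead of letting it continue silently.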
@ -504,19 +504,10 @@ popd</xsl:text>
<xsl:apply-templates/>
</xsl:template>
<xsl:template match="userinput" mode="root">
<xsl:for-each select="child::node()">
<xsl:choose>
<xsl:when test="self::text()">
<xsl:call-template name="output-root">
<xsl:with-param name="out-string" select="string()"/>
</xsl:call-template>
</xsl:when>
<xsl:otherwise>
<xsl:apply-templates select="self::node()"/>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
<xsl:template match="text()" mode="root">
<xsl:call-template name="output-root">
<xsl:with-param name="out-string" select="string()"/>
</xsl:call-template>
</xsl:template>
<xsl:template name="output-root">
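Review bot: with the `userinput` root-mode template removed, a `userinput` element reached by `<xsl:apply-templates mode="root"/>` is handled by XSLT's built-in element template, which applies templates to its children in the same mode, so its text nodes reach the new `text()` mode="root" template and are escaped. That is correct but entirely implicit; please add a one-line comment above the `text()` template stating that escaping relies on the built-in template carrying `mode="root"` down to text nodes, because anyone who later adds an explicit root-mode template for an inline element (as this commit does for `replaceable` at the end of the file) must keep `mode="root"` on its inner `apply-templates` or the escaping is silently lost for that element.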
@ -533,6 +524,17 @@ popd</xsl:text>
select="substring-after($out-string,'make')"/>
</xsl:call-template>
</xsl:when>
<xsl:when test="contains($out-string,'$') and $sudo = 'y'">
<xsl:call-template name="output-root">
<xsl:with-param name="out-string"
select="substring-before($out-string,'$')"/>
</xsl:call-template>
<xsl:text>\$</xsl:text>
<xsl:call-template name="output-root">
<xsl:with-param name="out-string"
select="substring-after($out-string,'$')"/>
</xsl:call-template>
</xsl:when>
<xsl:when test="contains($out-string,'`') and $sudo = 'y'">
<xsl:call-template name="output-root">
<xsl:with-param name="out-string"
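Review bot: the order of the `contains($out-string,'$')`, backtick and backslash branches does not affect correctness, because each branch emits the escaped character literally (`\$` here) and only recurses `output-root` on the unescaped parts before and after it; an input `\$` therefore becomes `\\\$`, which the here-document turns back into `\$` as intended. That invariant is easy to break, so please state it in a comment above these clauses: the three `when` branches escape exactly the characters an unquoted here-document expands (`$`, backtick, `\`), and escaped text is never fed back into `output-root`, otherwise it would be double-escaped. The `$sudo = 'y'` guard on every branch is consistent with the here-document only being emitted when `$sudo = 'y'`, which is worth saying in the same comment.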
@ -567,4 +569,10 @@ popd</xsl:text>
<xsl:text>EDITME**</xsl:text>
</xsl:template>
<xsl:template match="replaceable" mode="root">
<xsl:text>**EDITME</xsl:text>
<xsl:apply-templates/>
<xsl:text>EDITME**</xsl:text>
</xsl:template>
</xsl:stylesheet>
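Review bot: the new `replaceable` mode="root" template calls `<xsl:apply-templates/>` without `mode="root"`, so the content of a `<replaceable>` inside a root command goes through the default mode and is not escaped: a `$`, backtick or backslash inside the placeholder text is expanded by the user's shell when the here-document is read, which is exactly what this commit sets out to prevent. Unless the text between `**EDITME` and `EDITME**` is guaranteed to be plain and always replaced by hand before the script runs, this should be `<xsl:apply-templates mode="root"/>`.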

@ -273,14 +273,20 @@ $Id$
If building as a normal user (the default setting), be sure that all
commands that require root privileges are run using sudo. Also make sure
necessary root privilege commands are visible in your PATH. Or use
the `Defaults secure_path=' in /etc/sudoers. Also, the scripts use a
fragile construct:
sudo bash -c '<commands to be executed as root>'
which fail if the commands to be executed contain themselves a ' or access
a bash variable $XXX. So carefully review them. When you want to use
environment variables, it is sometimes better to replace simple quotes
with double quotes, but beware the construct is even more fragile.
Carefully check it...
the `Defaults secure_path=' in /etc/sudoers.
For commands necessitating root privileges, the generated scripts wrap
them with the construct:
sudo -E sh << ROOT_EOF
<commands to be executed as root with `$', ``', and `\' escaped>
ROOT_EOF
The -E switch ensures the whole environment is passed to the
commands to be run with root privileges. It is effective only if the
/etc/sudoers file contains `Defaults setenv', or SETENV in the user
attributes. If you think it is a security issue, you may forbid this
flag in /etc/sudoers, but then, you have to un-escape `$' for variables
coming from the environment in the instructions.
Although this construct is rather strong, it can fail in some corner
cases, so carefully review those instructions.
Due to book layout issues, some sudo commands may be missing.
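Review bot: the sentence "It is effective only if the /etc/sudoers file contains `Defaults setenv', or SETENV in the user attributes" understates what happens: when sudoers does not grant setenv, `sudo -E` is refused with an error rather than run without the environment, so every root section of the generated script fails; the README should say so explicitly. It would also help to list which environment variables the instructions actually depend on, so that an administrator who does not want to grant SETENV can pass just those with `env_keep` in /etc/sudoers instead of forbidding `-E` and hand-editing the `\$` escapes in the generated scripts, as the paragraph currently suggests. Finally, "Due to book layout issues, some sudo commands may be missing" should name the symptom a user would see (a permission-denied failure on a command that was not wrapped in the `sudo -E sh` construct) so it can be recognised and reported.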