[Yum-devel] [PATCH 2/2] Preload packages from user cachedirs

tim.lauridsen at gmail.com tim.lauridsen at gmail.com
Mon Sep 10 16:57:48 UTC 2012


On Mon, Sep 10, 2012 at 3:51 PM, Zdeněk Pavlas <zpavlas at redhat.com> wrote:

> ---
>  yum/__init__.py |   19 +++++++++++++++++++
>  1 files changed, 19 insertions(+), 0 deletions(-)
>
> diff --git a/yum/__init__.py b/yum/__init__.py
> index d53db6d..dd56399 100644
> --- a/yum/__init__.py
> +++ b/yum/__init__.py
> @@ -44,6 +44,7 @@ import logging
>  import logging.config
>  import operator
>  import tempfile
> +import shutil
>
>  import yum.i18n
>  # This is required to make gaftonmode work...
> @@ -2220,6 +2221,24 @@ much more problems).
>          # nothing *sigh*.
>          self.history.close()
>
> +        # Preload RPMs from user cache.
> +        for po in pkglist:
> +            if hasattr(po, 'pkgtype') and po.pkgtype == 'local':
> +                continue
> +            local = po.localPkg()
> +            if not os.path.exists(local):
> +                suffix = '/%s/packages/%s' % (po.repo.id,
> os.path.basename(po.remote_path))
> +                for user in getattr(self, '_preload_from_user', ()):
> +                    user += suffix
> +                    st = misc.stat_f(user)
> +                    if st and st.st_size == po.size:
> +                        try:
> +                            shutil.copy2(user, local) # user-writable,
> must copy
> +                            if po.verifyLocalPkg():
> +                                break
> +                        except IOError: pass
> +                        misc.unlink_f(local)
> +
>          self.plugins.run('predownload', pkglist=pkglist)
>          repo_cached = False
>          remote_pkgs = []
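Review bot: In the preload loop, `st.st_size == po.size` is checked on the path before `shutil.copy2(user, local)` opens it, and the inline comment says the source is user-writable, so the file behind `user` can change between the stat and the copy. The size test therefore only saves work, and the sole gate on what ends up at `local` is `po.verifyLocalPkg()`. Since the hunk relies on that call entirely, please add a comment stating what it verifies for a file that did not come from the repo. Separately, `except IOError: pass` covers only IOError: any other exception raised by copy2 or verifyLocalPkg() skips `misc.unlink_f(local)` and leaves the unverified copy in place. A try/finally that unlinks unless verification succeeded would close that.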
> --
> 1.7.4.4
>


No problem with the code, but is it safe to just copy packages from an
unpriv user tmp directory from a security point of view?
Can it be used for injection of infected packages from an unpriv user?

Tim
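
One way to take a file from a user-writable cache directory without trusting the path, as an added example that is not part of the patch or of yum: the file is opened once, checked through the descriptor, and hashed while it is copied, so the bytes that land in the system cache are the bytes that were verified. The function name `preload_untrusted` and the SHA-256 parameter are assumptions; the expected size and digest are assumed to come from repository metadata the caller already trusts.

```python
import hashlib
import os
import stat
import tempfile


def preload_untrusted(src, dst, expected_size, expected_sha256):
    """Copy src to dst only if it matches the trusted size and digest.

    Returns True when dst was created, False otherwise.
    """
    try:
        # O_NOFOLLOW refuses a symlink planted as the final path component;
        # O_NONBLOCK keeps a FIFO at that path from blocking the open.
        fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False
    tmp = None
    try:
        with os.fdopen(fd, "rb") as fin:
            st = os.fstat(fin.fileno())  # stat the opened file, not the path
            if not stat.S_ISREG(st.st_mode) or st.st_size != expected_size:
                return False
            digest = hashlib.sha256()
            # Temp file in the destination directory so the rename is atomic.
            out_fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".")
            remaining = expected_size + 1  # one spare byte detects growth
            with os.fdopen(out_fd, "wb") as fout:
                while remaining > 0:
                    chunk = fin.read(min(65536, remaining))
                    if not chunk:
                        break
                    digest.update(chunk)  # hash exactly what is written
                    fout.write(chunk)
                    remaining -= len(chunk)
            if remaining != 1 or digest.hexdigest() != expected_sha256:
                return False
            os.replace(tmp, dst)  # publish only after verification
            tmp = None
            return True
    finally:
        if tmp is not None:
            os.unlink(tmp)  # never leave an unverified copy behind
```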