git.saurik.com Git - apt.git/commit - apt-pkg/acquire-item.cc

author	David Kalnischkies <david@kalnischkies.de>
	Mon, 6 Oct 2014 12:29:53 +0000 (14:29 +0200)
committer	David Kalnischkies <david@kalnischkies.de>
	Mon, 6 Oct 2014 23:59:49 +0000 (01:59 +0200)
commit	5684f71fa0f6c1b765aa53e22ca3b024c578b9c9
tree	254ce22743ac9c457268bacba6a8e504bd5174cb	tree \| snapshot
parent	04a54261afd1c99686109f102afc83346c01c930	commit \| diff

use _apt:root only for partial directories

Using a different user for calling methods is intended to protect us
from methods running amok (via remotely exploited bugs) by limiting what
can be done by them. By using root:root for the final directories and
just have the files in partial writeable by the methods we enhance this
in sofar as a method can't modify already verified data in its parent
directory anymore.

As a side effect, this also clears most of the problems you could have
if the final directories are shared without user-sharing or if these
directories disappear as they are now again root owned and only the
partial directories contain _apt owned files (usually none if apt isn't
running) and the directory itself is autocreated with the right
permissions.

apt-pkg/acquire-item.cc		diff \| blob \| blame \| history
apt-pkg/acquire-item.h		diff \| blob \| blame \| history
apt-pkg/acquire-worker.cc		diff \| blob \| blame \| history
debian/apt.postinst		diff \| blob \| blame \| history
test/integration/framework		diff \| blob \| blame \| history
test/integration/test-apt-get-download		diff \| blob \| blame \| history
test/integration/test-apt-update-unauth		diff \| blob \| blame \| history