Changeset f53dc4c

Timestamp:

04/09/2012 10:17:30 AM (12 years ago)

Author:

Pierre Labastie <pierre@…>

Branches:

ablfs

Children:

d721466

Parents:

d6f2ebf

Message:

Change again the root commands, so that all control characters are escaped
Update the corresponding part in README.BLFS

Files:

• BLFS/xsl/scripts.xsl (modified) (4 diffs)
• README.BLFS (modified) (1 diff)

BLFS/xsl/scripts.xsl

@@ -437 +437 @@
         <xsl:when test="@role = 'root'">
           <xsl:if test="$sudo = 'y'">
-            <xsl:text>sudo sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
+            <xsl:text>sudo -E sh &lt;&lt; ROOT_EOF&#xA;</xsl:text>
           </xsl:if>
-          <xsl:apply-templates select="userinput" mode="root"/>
+          <xsl:apply-templates mode="root"/>
           <xsl:if test="$sudo = 'y'">
             <xsl:text>&#xA;ROOT_EOF</xsl:text>
@@ -505 +505 @@
   </xsl:template>
 
-  <xsl:template match="userinput" mode="root">
-    <xsl:for-each select="child::node()">
-      <xsl:choose>
-        <xsl:when test="self::text()">
-          <xsl:call-template name="output-root">
-            <xsl:with-param name="out-string" select="string()"/>
-          </xsl:call-template>
-        </xsl:when>
-        <xsl:otherwise>
-          <xsl:apply-templates select="self::node()"/>
-        </xsl:otherwise>
-      </xsl:choose>
-    </xsl:for-each>
+  <xsl:template match="text()" mode="root">
+    <xsl:call-template name="output-root">
+      <xsl:with-param name="out-string" select="string()"/>
+    </xsl:call-template>
   </xsl:template>
 
@@ -532 +523 @@
           <xsl:with-param name="out-string"
                           select="substring-after($out-string,'make')"/>
+        </xsl:call-template>
+      </xsl:when>
+      <xsl:when test="contains($out-string,'$') and $sudo = 'y'">
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-before($out-string,'$')"/>
+        </xsl:call-template>
+        <xsl:text>\$</xsl:text>
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-after($out-string,'$')"/>
         </xsl:call-template>
       </xsl:when>
@@ -568 +570 @@
   </xsl:template>
 
+  <xsl:template match="replaceable" mode="root">
+        <xsl:text>**EDITME</xsl:text>
+        <xsl:apply-templates/>
+        <xsl:text>EDITME**</xsl:text>
+  </xsl:template>
+
 </xsl:stylesheet>

README.BLFS

@@ -274 +274 @@
      commands that require root privileges are run using sudo. Also make sure
      necessary root privilege commands are visible in your PATH. Or use
-     the `Defaults secure_path=' in /etc/sudoers. Also, the scripts use a
-     fragile construct:
-       sudo bash -c '<commands to be executed as root>'
-     which fail if the commands to be executed contain themselves a ' or access
-     a bash variable $XXX. So carefully review them. When you want to use
-     environment variables, it is sometimes better to replace simple quotes
-     with double quotes, but beware the construct is even more fragile.
-     Carefully check it...
+     the `Defaults secure_path=' in /etc/sudoers.
+        For commands necessitating root privileges, the generated scripts wrap
+     them with the construct:
+       sudo -E sh << ROOT_EOF
+         <commands to be executed as root with `$', ``', and `\' escaped>
+       ROOT_EOF
+     The -E switch ensures the whole environment is passed to the
+     commands to be run with root privileges. It is effective only if the
+     /etc/sudoers file contains `Defaults setenv', or SETENV in the user
+     attributes. If you think it is a security issue, you may forbid this
+     flag in /etc/sudoers, but then, you have to un-escape `$' for variables
+     coming from the environment in the instructions.
+        Although this construct is rather strong, it can fail in some corner
+     cases, so carefully review those instructions.
 
         Due to book layout issues, some sudo commands may be missing.