r3622 - in jhalfs/branches/ablfs: . BLFS/xsl

pierre at linuxfromscratch.org pierre at linuxfromscratch.org
Mon Apr 9 03:17:34 PDT 2012


Author: pierre
Date: 2012-04-09 04:17:30 -0600 (Mon, 09 Apr 2012)
New Revision: 3622

Modified:
   jhalfs/branches/ablfs/BLFS/xsl/scripts.xsl
   jhalfs/branches/ablfs/README.BLFS
Log:
Change again the root commands, so that all control characters are escaped
Update the corresponding part in README.BLFS

Modified: jhalfs/branches/ablfs/BLFS/xsl/scripts.xsl
===================================================================
--- jhalfs/branches/ablfs/BLFS/xsl/scripts.xsl	2012-04-05 19:55:14 UTC (rev 3621)
+++ jhalfs/branches/ablfs/BLFS/xsl/scripts.xsl	2012-04-09 10:17:30 UTC (rev 3622)
@@ -436,9 +436,9 @@
       <xsl:choose>
         <xsl:when test="@role = 'root'">
           <xsl:if test="$sudo = 'y'">
-            <xsl:text>sudo sh << ROOT_EOF&#xA;</xsl:text>
+            <xsl:text>sudo -E sh << ROOT_EOF&#xA;</xsl:text>
           </xsl:if>
-          <xsl:apply-templates select="userinput" mode="root"/>
+          <xsl:apply-templates mode="root"/>
           <xsl:if test="$sudo = 'y'">
             <xsl:text>&#xA;ROOT_EOF</xsl:text>
           </xsl:if>
@@ -504,19 +504,10 @@
     <xsl:apply-templates/>
   </xsl:template>
 
-  <xsl:template match="userinput" mode="root">
-    <xsl:for-each select="child::node()">
-      <xsl:choose>
-        <xsl:when test="self::text()">
-          <xsl:call-template name="output-root">
-            <xsl:with-param name="out-string" select="string()"/>
-          </xsl:call-template>
-        </xsl:when>
-        <xsl:otherwise>
-          <xsl:apply-templates select="self::node()"/>
-        </xsl:otherwise>
-      </xsl:choose>
-    </xsl:for-each>
+  <xsl:template match="text()" mode="root">
+    <xsl:call-template name="output-root">
+      <xsl:with-param name="out-string" select="string()"/>
+    </xsl:call-template>
   </xsl:template>
 
   <xsl:template name="output-root">
@@ -533,6 +524,17 @@
                           select="substring-after($out-string,'make')"/>
         </xsl:call-template>
       </xsl:when>
+      <xsl:when test="contains($out-string,'$') and $sudo = 'y'">
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-before($out-string,'$')"/>
+        </xsl:call-template>
+        <xsl:text>\$</xsl:text>
+        <xsl:call-template name="output-root">
+          <xsl:with-param name="out-string"
+                          select="substring-after($out-string,'$')"/>
+        </xsl:call-template>
+      </xsl:when>
       <xsl:when test="contains($out-string,'`') and $sudo = 'y'">
         <xsl:call-template name="output-root">
           <xsl:with-param name="out-string"
@@ -567,4 +569,10 @@
         <xsl:text>EDITME**</xsl:text>
   </xsl:template>
 
+  <xsl:template match="replaceable" mode="root">
+        <xsl:text>**EDITME</xsl:text>
+        <xsl:apply-templates/>
+        <xsl:text>EDITME**</xsl:text>
+  </xsl:template>
+
 </xsl:stylesheet>

Modified: jhalfs/branches/ablfs/README.BLFS
===================================================================
--- jhalfs/branches/ablfs/README.BLFS	2012-04-05 19:55:14 UTC (rev 3621)
+++ jhalfs/branches/ablfs/README.BLFS	2012-04-09 10:17:30 UTC (rev 3622)
@@ -273,14 +273,20 @@
         If building as a normal user (the default setting), be sure that all
      commands that require root privileges are run using sudo. Also make sure
      necessary root privilege commands are visible in your PATH. Or use
-     the `Defaults secure_path=' in /etc/sudoers. Also, the scripts use a
-     fragile construct:
-       sudo bash -c '<commands to be executed as root>'
-     which fail if the commands to be executed contain themselves a ' or access
-     a bash variable $XXX. So carefully review them. When you want to use
-     environment variables, it is sometimes better to replace simple quotes
-     with double quotes, but beware the construct is even more fragile.
-     Carefully check it...
+     the `Defaults secure_path=' in /etc/sudoers.
+        For commands necessitating root privileges, the generated scripts wrap
+     them with the construct:
+       sudo -E sh << ROOT_EOF
+         <commands to be executed as root with `$', ``', and `\' escaped>
+       ROOT_EOF
+     The -E switch ensures the whole environment is passed to the
+     commands to be run with root privileges. It is effective only if the
+     /etc/sudoers file contains `Defaults setenv', or SETENV in the user
+     attributes. If you think it is a security issue, you may forbid this
+     flag in /etc/sudoers, but then, you have to un-escape `$' for variables
+     coming from the environment in the instructions.
+        Although this construct is rather strong, it can fail in some corner
+     cases, so carefully review those instructions.
 
         Due to book layout issues, some sudo commands may be missing.
 




More information about the alfs-log mailing list