
[xen master] tools: Use -s for python shebangs



commit 9c0061825143716c61622966e76983886ef59361
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Mar 14 10:53:51 2023 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Mar 17 10:44:16 2023 +0000

    tools: Use -s for python shebangs
    
    This is mandated by the Fedora packaging guidelines because it is a security
    vulnerability otherwise in suid scripts.  While Xen doesn't have suid scripts,
    it's a very good idea generally because it prevents the user's local python
    environment from interfering with system packaged scripts.
    
    pygrub is the odd-script-out, being installed by distutils rather than
    manually with INSTALL_PYTHON_PROG.  distutils has no nice way of editing the
    shebang, so arrange to use INSTALL_PYTHON_PROG for pygrub too.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
---
 tools/Rules.mk        | 2 +-
 tools/pygrub/Makefile | 4 +++-
 tools/pygrub/setup.py | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/tools/Rules.mk b/tools/Rules.mk
index 6e135387bd..18cf83f5be 100644
--- a/tools/Rules.mk
+++ b/tools/Rules.mk
@@ -179,7 +179,7 @@ CFLAGS += $(CFLAGS-y)
 CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS)
 
 INSTALL_PYTHON_PROG = \
-       $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG)
+       $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH) -s" 
$(INSTALL_PROG)
 
 %.opic: %.c
        $(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< 
$(APPEND_CFLAGS)
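Review bot: The `-s` added to INSTALL_PYTHON_PROG only stops Python from adding the per-user site-packages directory to sys.path; PYTHONPATH and the other PYTHON* environment variables are still honoured, so installed scripts are not fully insulated from the caller's environment. If that isolation is the goal, `"$(PYTHON_PATH) -Es"` would cover both, written as a single token because Linux passes everything after the interpreter in a shebang as one argument. For the same reason this presumably relies on PYTHON_PATH being an absolute interpreter path rather than an `env`-style launcher; neither its definition nor install-wrap is visible here, so that is worth confirming. A one-line comment above the assignment, such as `# -s: keep per-user site-packages out of installed scripts' sys.path`, would record why the flag is there.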
diff --git a/tools/pygrub/Makefile b/tools/pygrub/Makefile
index 29ad051321..4963bc89c6 100644
--- a/tools/pygrub/Makefile
+++ b/tools/pygrub/Makefile
@@ -18,8 +18,10 @@ build:
 .PHONY: install
 install: all
        $(INSTALL_DIR) $(DESTDIR)/$(bindir)
+       $(INSTALL_DIR) $(DESTDIR)/$(LIBEXEC_BIN)
        $(setup.py) install --record $(INSTALL_LOG) $(PYTHON_PREFIX_ARG) \
-               --root="$(DESTDIR)" --install-scripts=$(LIBEXEC_BIN) --force
+               --root="$(DESTDIR)" --force
+       $(INSTALL_PYTHON_PROG) src/pygrub $(DESTDIR)/$(LIBEXEC_BIN)/pygrub
        set -e; if [ $(bindir) != $(LIBEXEC_BIN) -a \
                     "`readlink -f $(DESTDIR)/$(bindir)`" != \
                     "`readlink -f $(LIBEXEC_BIN)`" ]; then \
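Review bot: The pygrub script is now installed by the `$(INSTALL_PYTHON_PROG) src/pygrub $(DESTDIR)/$(LIBEXEC_BIN)/pygrub` line rather than by setup.py, so it no longer appears in the file written by `--record $(INSTALL_LOG)`. If the uninstall rule (outside this hunk) removes files by reading that log, it would leave the script behind and should remove it explicitly, e.g. `rm -f $(DESTDIR)/$(LIBEXEC_BIN)/pygrub`. The install recipe continues past the end of the hunk.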
diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
index 0e4e3d02d3..502aa4df2d 100644
--- a/tools/pygrub/setup.py
+++ b/tools/pygrub/setup.py
@@ -23,7 +23,6 @@ setup(name='pygrub',
       author_email='katzj@xxxxxxxxxx',
       license='GPL',
       package_dir={'grub': 'src', 'fsimage': 'src'},
-      scripts = ["src/pygrub"],
       packages=pkgs,
       ext_modules = [ xenfsimage ]
       )
--
generated by git-patchbot for /home/xen/git/xen.git#master



 

