Xen project Mailing List

[PATCH v2 5/7] tools: Use -s for python shebangs

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 16 Mar 2023 19:37:44 +0000

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "Anthony PERARD" <anthony.perard@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>

Delivery-date: Thu, 16 Mar 2023 19:38:15 +0000

Ironport-data: A9a23:0xki3aj4kE6ef2wZiLHY8unzX161fxAKZh0ujC45NGQN5FlHY01je htvW2+DM/vbN2LyeYx/OYzgpx9VvMPXxt41TFRspX8xEiob9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmYpHlUMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsy+qWi0N8klgZmP6sT5waAzyZ94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQXBwI/f0iawNmp66n4TbRT1+0PAu/SadZ3VnFIlVk1DN4jSJHHBa7L+cVZzHE7gcUm8fT2P pRDL2A1NVKZPkMJYw1MYH49tL7Aan3XWjtUsl+K44Ew5HDe1ldZ27nxKtvFPNeNQK25m27B/ jqboz2kU0xy2Nq3lT2340jwnMb2o3npBN0ZDb26371YjwjGroAUIEJPDgbqyRWjsWauVtQaJ 0EK9y4Gqakp6FftXtT7Rwe/onOPolgbQdU4O/I+wBGAzOzT+QnxLm0NVDtIctElnM4wWz0x1 1WNks/pBDpgq7mcQzSW8bL8kN+pEXFLdylYP3ZCFFZbpYC5++nfky4jUP5sP5yHn4XsXgrv6 CvJq3UB1pw/o+gygvDTEU/8vxqgoZ3ATwgQ7wrRX3644g4RWLNJd7BE+nCAs68ecd/xok2p+ SFdxpPAtLxm4YSlznTlfQkbIF2+Cx9p2hX4iEUnIZQu/i/FF5WLLdEJu2EWyKuE3685ld7Vj K374185CHx7ZiHCgUpLj2WZWqwXIVDIT4iNaxwtRoMmjmJNXAGG5jpyQkWbwnrglkMh+YlmZ 8jLIJf1XC9AVfo4pNZTewv6+e5D+8zD7TmLGcCTI+qPiNJym0J5uZ9aaQDTP4jVHYuPoRnP8 sY3CvZmPy53CbWkCgGOqN57ELz/BSRjbXwAg5ANJ7Hrz8sPMD1JNsI9Npt+JdY9w/wIyrmgE 7PUchYw9WcTTEbvcW2iAk2Popu2NXqjhRrX5RARAGs=

Ironport-hdrordr: A9a23:F+Qf9K5yglcXnd791gPXwbOBI+orL9Y04lQ7vn2ZhyYlFvBw9v re6MjzsCWe5gr5N0tBpTn+Atj+fZqxz/9ICOoqTMWftXfdyQmVxehZhOOJ/9SKIVycygcy79 YET0B0YOeAc2ST5azBjDVReLwbr+VuP8qT6Nv2/jNVaUVPVokl1gF+D2+gYzhLrMstP+tJKH JZjPA31AZJvB4sH7SG7wI+Lo/+juyOrovifRkFQzY/8WC1/EuVwY+/KQGcwhAdFxhSwbIumF K17zDR1+GYqvSmzR2Z8GfW4/1t6b3c4+oGPtWIls8WbhPzjQqyDb4RIoGqjXQOueSy71Rvqv ngyi1QRPhb2jfqZ2Sophmo4QX6zzo0zHfnxTaj8AHeiP28fis+F81Cwb1UaQHY7U1IhqAA7J 52

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This is mandated by the Fedora packaging guidelines because it is a security vulnerability otherwise in suid scripts. While Xen doesn't have suid scripts, it's a very good idea generally, because it prevents the users local python environment interfering from system packaged scripts. pygrub is the odd-script-out, being installed by distutils rather than manually with INSTALL_PYTHON_PROG. distutils has no nice way of editing the shebang, so arrange to use INSTALL_PYTHON_PROG on pygrub too. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Wei Liu <wl@xxxxxxx> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> CC: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx> v2: * Remove accidental setuputils dependency. --- tools/Rules.mk | 2 +- tools/pygrub/Makefile | 4 +++- tools/pygrub/setup.py | 1 - 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/Rules.mk b/tools/Rules.mk index 6e135387bd7e..18cf83f5be83 100644 --- a/tools/Rules.mk +++ b/tools/Rules.mk @@ -179,7 +179,7 @@ CFLAGS += $(CFLAGS-y) CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS) INSTALL_PYTHON_PROG = \ - $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG) + $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH) -s" $(INSTALL_PROG) %.opic: %.c $(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< $(APPEND_CFLAGS) diff --git a/tools/pygrub/Makefile b/tools/pygrub/Makefile index 29ad0513212f..4963bc89c6ed 100644 --- a/tools/pygrub/Makefile +++ b/tools/pygrub/Makefile @@ -18,8 +18,10 @@ build: .PHONY: install install: all $(INSTALL_DIR) $(DESTDIR)/$(bindir) + $(INSTALL_DIR) $(DESTDIR)/$(LIBEXEC_BIN) $(setup.py) install --record $(INSTALL_LOG) $(PYTHON_PREFIX_ARG) \ - --root="$(DESTDIR)" --install-scripts=$(LIBEXEC_BIN) --force + --root="$(DESTDIR)" --force + $(INSTALL_PYTHON_PROG) src/pygrub $(DESTDIR)/$(LIBEXEC_BIN)/pygrub set -e; if [ $(bindir) != $(LIBEXEC_BIN) -a \ "`readlink -f $(DESTDIR)/$(bindir)`" != \ "`readlink -f $(LIBEXEC_BIN)`" ]; then \ diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py index 0e4e3d02d372..502aa4df2dae 100644 --- a/tools/pygrub/setup.py +++ b/tools/pygrub/setup.py @@ -23,7 +23,6 @@ setup(name='pygrub', author_email='katzj@xxxxxxxxxx', license='GPL', package_dir={'grub': 'src', 'fsimage': 'src'}, - scripts = ["src/pygrub"], packages=pkgs, ext_modules = [ xenfsimage ] ) -- 2.30.2

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.