
Re: [PATCH v2 5/7] tools: Use -s for python shebangs



On Thu, Mar 16, 2023 at 07:37:44PM +0000, Andrew Cooper wrote:
> This is mandated by the Fedora packaging guidelines because it is a security
> vulnerability otherwise in suid scripts.  While Xen doesn't have suid scripts,
> it's a very good idea generally, because it prevents the user's local python
> environment from interfering with system packaged scripts.
> 
> pygrub is the odd-script-out, being installed by distutils rather than
> manually with INSTALL_PYTHON_PROG.  distutils has no nice way of editing the
> shebang, so arrange to use INSTALL_PYTHON_PROG on pygrub too.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Wei Liu <wl@xxxxxxx>
> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> CC: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
> 
> v2:
>  * Remove accidental setuputils dependency.

... and tools/python/setup.py doesn't install any scripts, so it isn't
relevant there.

Acked-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

> ---
>  tools/Rules.mk        | 2 +-
>  tools/pygrub/Makefile | 4 +++-
>  tools/pygrub/setup.py | 1 -
>  3 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/Rules.mk b/tools/Rules.mk
> index 6e135387bd7e..18cf83f5be83 100644
> --- a/tools/Rules.mk
> +++ b/tools/Rules.mk
> @@ -179,7 +179,7 @@ CFLAGS += $(CFLAGS-y)
>  CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS)
>  
>  INSTALL_PYTHON_PROG = \
> -     $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG)
> +     $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH) -s" 
> $(INSTALL_PROG)
>  
>  %.opic: %.c
>       $(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< 
> $(APPEND_CFLAGS)
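
Review bot: In INSTALL_PYTHON_PROG, "$(PYTHON_PATH) -s" reaches install-wrap as one string, so the shebang it produces is only valid when PYTHON_PATH is a bare interpreter path. On Linux everything after the interpreter on a #! line is handed over as a single argument, so a value such as "/usr/bin/env python3" would give "#!/usr/bin/env python3 -s" and env would search for a program named "python3 -s". Suggest a comment beside the variable stating that PYTHON_PATH must be an absolute interpreter path, or a build-time check that rejects anything else.
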
> diff --git a/tools/pygrub/Makefile b/tools/pygrub/Makefile
> index 29ad0513212f..4963bc89c6ed 100644
> --- a/tools/pygrub/Makefile
> +++ b/tools/pygrub/Makefile
> @@ -18,8 +18,10 @@ build:
>  .PHONY: install
>  install: all
>       $(INSTALL_DIR) $(DESTDIR)/$(bindir)
> +     $(INSTALL_DIR) $(DESTDIR)/$(LIBEXEC_BIN)
>       $(setup.py) install --record $(INSTALL_LOG) $(PYTHON_PREFIX_ARG) \
> -             --root="$(DESTDIR)" --install-scripts=$(LIBEXEC_BIN) --force
> +             --root="$(DESTDIR)" --force
> +     $(INSTALL_PYTHON_PROG) src/pygrub $(DESTDIR)/$(LIBEXEC_BIN)/pygrub
>       set -e; if [ $(bindir) != $(LIBEXEC_BIN) -a \
>                    "`readlink -f $(DESTDIR)/$(bindir)`" != \
>                    "`readlink -f $(LIBEXEC_BIN)`" ]; then \
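
Review bot: The install rule still passes --record $(INSTALL_LOG) to setup.py, but pygrub is now copied by the separate $(INSTALL_PYTHON_PROG) line, so the recorded file list no longer covers $(DESTDIR)/$(LIBEXEC_BIN)/pygrub. If anything consumes that log (an uninstall rule, for example), it needs to remove the script explicitly; worth checking, or at least a comment on the new line.
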
> diff --git a/tools/pygrub/setup.py b/tools/pygrub/setup.py
> index 0e4e3d02d372..502aa4df2dae 100644
> --- a/tools/pygrub/setup.py
> +++ b/tools/pygrub/setup.py
> @@ -23,7 +23,6 @@ setup(name='pygrub',
>        author_email='katzj@xxxxxxxxxx',
>        license='GPL',
>        package_dir={'grub': 'src', 'fsimage': 'src'},
> -      scripts = ["src/pygrub"],
>        packages=pkgs,
>        ext_modules = [ xenfsimage ]
>        )
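
Review bot: With scripts = ["src/pygrub"] dropped from setup(), running this setup.py on its own no longer installs the pygrub executable, and nothing in the file says why. Suggest a short comment in setup.py noting that the script is installed from tools/pygrub/Makefile via INSTALL_PYTHON_PROG so that the -s shebang is applied.
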
> -- 
> 2.30.2
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
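
A check for the property this patch establishes, as an added example (not part of the patch or the Xen tree): it classifies a script's shebang line by whether Python will start with -s. The function names, status strings and sample lines are constructed for illustration; it assumes Linux shebang argument handling and an env that supports -S.

```python
import os

# Python short options that consume the rest of the token as their value.
_TAKES_VALUE = set("cmWX")

def shebang_status(first_line):
    """Return "not-python", "ok", "user-site-enabled" or "broken-env"."""
    if not first_line.startswith("#!"):
        return "not-python"
    # Linux hands the interpreter at most ONE argument: everything after
    # the first run of whitespace, unsplit.
    parts = first_line[2:].strip().split(None, 1)
    if not parts:
        return "not-python"
    interp = os.path.basename(parts[0])
    arg = parts[1] if len(parts) > 1 else ""
    if interp == "env":
        if arg.startswith("-S"):          # env -S re-splits its argument
            words = arg[2:].split()
        elif len(arg.split()) > 1:
            # env would search for a program literally named "python3 -s"
            return "broken-env" if arg.startswith("python") else "not-python"
        else:
            words = [arg]
        if not words or not os.path.basename(words[0]).startswith("python"):
            return "not-python"
        flags = words[1:]
    elif interp.startswith("python"):
        flags = [arg] if arg else []
    else:
        return "not-python"
    for tok in flags:
        if not tok.startswith("-") or tok.startswith("--"):
            break                         # script name or long option
        for ch in tok[1:]:
            if ch in _TAKES_VALUE:
                break                     # remainder is that option's value
            if ch in "sI":                # -I implies -s
                return "ok"
    return "user-site-enabled"

def audit(paths):
    """Map each file to its status, skipping files marked 'ok' or non-Python."""
    report = {}
    for p in paths:
        with open(p, "r", errors="replace") as fh:
            status = shebang_status(fh.readline())
        if status not in ("ok", "not-python"):
            report[p] = status
    return report
```

Running audit() over the files under the installed LIBEXEC_BIN and bindir directories lists any Python script that would still load the invoking user's site-packages.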
