[zypp-devel] zypp-refresh-wrapper (new)
Hi,

so far, zypp-checkpatches-wrapper has been used in the updater applets to refresh repos (needs root access) and check for patches. This solution was not too flexible though and as there came a need to check also for package updates, Thomas added the xml-updates command to zypper directly. But that solution lacked the ability to do the suid refresh.

So with Thomas we agreed that we'll try a different approach: drop zypp-checkpatches-wrapper, use a new refresh-only suid wrapper and once called, use zypper query commands directly as normal non-root to do whatever queries you like (zypper --xmlout list-updates in the case of the updater applets).

The zypp-refresh and zypp-refresh-wrapper is fairly general thing then, so my question is whether we should package it in zypper package or directly in the libzypp package.

I'd also appreciate opinions on this solution.

@Security: zypp-refresh-wrapper will be much simpler than the previous zypp-checkpatches-wrapper, so this should be an increase in security, too.

Cheers,
jano

On Tuesday 22 April 2008 13:36:16, Jan Kupec wrote:
> Hi,
>
> so far, zypp-checkpatches-wrapper has been used in the updater applets to refresh repos (needs root access) and check for patches. This solution was not too flexible though and as there came a need to check also for package updates, Thomas added the xml-updates command to zypper directly. But that solution lacked the ability to do the suid refresh.
>
> So with Thomas we agreed that we'll try a different approach: drop zypp-checkpatches-wrapper, use a new refresh-only suid wrapper and once called, use zypper query commands directly as normal non-root to do whatever queries you like (zypper --xmlout list-updates in the case of the updater applets).
>
> The zypp-refresh and zypp-refresh-wrapper is fairly general thing then, so my question is whether we should package it in zypper package or directly in the libzypp package.
>
> I'd also appreciate opinions on this solution.
>
> @Security: zypp-refresh-wrapper will be much simpler than the previous zypp-checkpatches-wrapper, so this should be an increase in security, too.

Just keep in mind that there are other scripts using the wrapper, e.g. the updates notification script from Christian.

Stano

Stanislav Visnovsky wrote:
> On Tuesday 22 April 2008 13:36:16, Jan Kupec wrote:
> > Hi,
> >
> > so far, zypp-checkpatches-wrapper has been used in the updater applets to refresh repos (needs root access) and check for patches. This solution was not too flexible though and as there came a need to check also for package updates, Thomas added the xml-updates command to zypper directly. But that solution lacked the ability to do the suid refresh.
> >
> > So with Thomas we agreed that we'll try a different approach: drop zypp-checkpatches-wrapper, use a new refresh-only suid wrapper and once called, use zypper query commands directly as normal non-root to do whatever queries you like (zypper --xmlout list-updates in the case of the updater applets).
> >
> > The zypp-refresh and zypp-refresh-wrapper is fairly general thing then, so my question is whether we should package it in zypper package or directly in the libzypp package.
> >
> > I'd also appreciate opinions on this solution.
> >
> > @Security: zypp-refresh-wrapper will be much simpler than the previous zypp-checkpatches-wrapper, so this should be an increase in security, too.
>
> Just keep in mind that there are other scripts using the wrapper, e.g. the updates notification script from Christian.

The migration would be quite easy. We could keep the old wrapper, but if we would be dropping it, we're to announce it (with a brief howto-migrate?).

j.

The wrapper is ready in svn [1,2]. It will return:

- 0 on success,
- 1 in case of general failure,
- 2 in case some of the repos were said to be refreshed but some failed,
- 101 in case of the wrapper failure (no suid bit, exec failed, etc.).

I added a "Deprecated" warning to the old zypp-checkpatches-wrapper saying that it will be dropped before 11.1 release.

One minor one big (security) issue to solve:

Minor)
The former wrapper and the check-patches utility produced XML output as it needed to feed complex data for machine consumption. But the refresh utility only prints error messages on error and apart from that only some progress messages.

Do we still want it in XML? Or should I make the XML output optional?

Security)
libzypp now uses repo2solv.sh shell script from satsolver-tools to build the .solv files when refreshing the repository. It has been suggested that this could be a security issue. And if it is, why not use the rpmdb2solv, rpmmd2solv, susetags2solv, etc binaries directly depending on the type of repo (which we probably already know in libzypp)?

[1] http://svn.opensuse.org/svn/zypp/trunk/zypper/src/zypp-refresh.cc
[2] http://svn.opensuse.org/svn/zypp/trunk/zypper/src/zypp-refresh-wrapper.c

Hi,

On Wed, 23 Apr 2008, Jan Kupec wrote:
> Security)
> libzypp now uses repo2solv.sh shell script from satsolver-tools to build the .solv files when refreshing the repository. It has been suggested that this could be a security issue. And if it is, why not use the rpmdb2solv, rpmmd2solv, susetags2solv, etc binaries directly depending on the type of repo (which we probably already know in libzypp)?

If anything, then not the shell script, but the converters themselves are a security concern. It would probably be best if the converters (and shellscript) are run as "nobody", generating temporary files in some subdir (writable to "nobody"), and doing only the file moving part as root.

Ciao,
Michael.

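The privilege split suggested in the message above, sketched as an added example that is not part of the thread or of libzypp: the converter runs in a child that has dropped to an unprivileged uid/gid and writes a temporary file, and the parent only validates and renames the result. The function names and paths are hypothetical, and a converter that writes its .solv output to stdout is an assumption.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: groups, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Root dropping to another user must first clear supplementary groups. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Regaining root must now fail, otherwise the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Hypothetical helper: run the converter (argv) as uid/gid with stdout going
 * to tmp_path, which lives in a directory writable by that user. The caller
 * keeps its privileges only for the final move to final_path. */
int convert_unprivileged(char *const argv[], uid_t uid, gid_t gid,
                         const char *tmp_path, const char *final_path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: becomes unprivileged */
        if (drop_privileges(uid, gid) != 0) _exit(126);
        /* O_EXCL refuses an existing file or symlink planted at tmp_path. */
        int fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(126);
        close(fd);
        execv(argv[0], argv);
        _exit(127);                        /* exec failed */
    }
    int status;
    struct stat st;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 ||
        lstat(tmp_path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        unlink(tmp_path);                  /* discard partial or swapped output */
        return -1;
    }
    /* Privileged step: atomic move, tmp and final on the same filesystem. */
    return rename(tmp_path, final_path);
}
```

A caller would look up the unprivileged account with `getpwnam("nobody")` and pass its uid and gid; the converter also inherits the caller's environment here, which a setuid wrapper would want to reset before the `execv`.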
On Wed, 2008-04-23 at 15:36 +0200, Jan Kupec wrote:
> One minor one big (security) issue to solve:
>
> Minor)
> The former wrapper and the check-patches utility produced XML output as it needed to feed complex data for machine consumption. But the refresh utility only prints error messages on error and apart from that only some progress messages.
>
> Do we still want it in XML? Or should I make the XML output optional?

From the opensuseupdater's point of view xml output is not needed. Maybe there are other programs that want to use zypp-refresh-wrapper with xml output. Optional xml output might be a nice solution but I don't know whether someone would use it.

participants (4)
- Jan Kupec
- Michael Matz
- Stanislav Visnovsky
- Thomas Goettlicher