Download packages into more secure place than /tmp

This commit is contained in:
Disassembler 2019-03-01 14:59:30 +01:00
parent d5cec3491b
commit 8889900650
No known key found for this signature in database
GPG Key ID: 524BD33A0EE29499
3 changed files with 8 additions and 5 deletions


@ -9,7 +9,10 @@ ACME_CRON = '/etc/periodic/daily/acme-sh'
ACME_DIR = '/etc/acme.sh.d'
CERT_KEY_FILE = '/etc/ssl/services.key'
CERT_PUB_FILE = '/etc/ssl/services.pem'
# Package manager
PKG_SIG_FILE = '/etc/vmmgr/packages.pub'
PKG_TEMP_DIR = '/var/cache/vmmgr'
# LXC
HOSTS_FILE = '/etc/hosts'
@ -19,7 +22,6 @@ LXC_ROOT = '/var/lib/lxc'
# OS
ISSUE_FILE = '/etc/issue'
NGINX_DIR = '/etc/nginx/conf.d'
REPO_FILE = '/etc/apk/repositories'
# URLs
MYIP_URL = 'https://tools.dasm.cz/myip.php'


@ -10,7 +10,7 @@ from enum import Enum
from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
from . import crypto
from .paths import LXC_ROOT
from .paths import LXC_ROOT, PKG_TEMP_DIR
class Stage(Enum):
DOWNLOAD = 1
@ -85,7 +85,8 @@ class PkgMgr:
def download_package(self, name, item):
# Download tar.xz package and verify its hash. Can raise InvalidSignature
pkg_archive = '{}_{}-{}.tar.xz'.format(name, self.online_packages[name]['version'], self.online_packages[name]['release'])
tmp_archive = os.path.join('/tmp', pkg_archive)
tmp_archive = os.path.join(PKG_TEMP_DIR, pkg_archive)
os.makedirs(PKG_TEMP_DIR, 0o700, True)
# If the archive already exists in temp (presumably because the previous installation was interrupted), it was already verified and can be reused
if os.path.exists(tmp_archive):
item.bytes_downloaded += os.path.getsize(tmp_archive)
@ -105,7 +106,7 @@ class PkgMgr:
def unpack_package(self, name):
# Unpack archive
pkg_archive = '{}_{}-{}.tar.xz'.format(name, self.online_packages[name]['version'], self.online_packages[name]['release'])
tmp_archive = os.path.join('/tmp', pkg_archive)
tmp_archive = os.path.join(PKG_TEMP_DIR, pkg_archive)
subprocess.run(['tar', 'xJf', tmp_archive], cwd='/', check=True)
os.unlink(tmp_archive)
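Review bot: `os.makedirs(PKG_TEMP_DIR, 0o700, True)` in download_package does not by itself guarantee the 0700 mode this commit relies on: the mode argument is masked by the process umask, and with exist_ok=True a directory that already exists keeps whatever permissions it currently has. That matters because the comment two lines below says an archive already present in the directory is treated as verified and reused without re-checking, so the directory's permissions are the only thing backing that assumption. Consider following the call with `os.chmod(PKG_TEMP_DIR, 0o700)` (or checking the owner and mode via `os.stat` and refusing to reuse the archive otherwise), or alternatively re-verifying the existing archive's hash instead of trusting it; passing the arguments as keywords, `os.makedirs(PKG_TEMP_DIR, mode=0o700, exist_ok=True)`, would also make the intent clearer. download_package continues past the end of its hunk, and unpack_package in the following hunk uses the same path without any such check.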


@ -10,7 +10,7 @@ import urllib
from . import crypto
from . import templates
from . import net
from .paths import ACME_CRON, ACME_DIR, ISSUE_FILE, NGINX_DIR, RELOAD_URL, REPO_FILE
from .paths import ACME_CRON, ACME_DIR, ISSUE_FILE, NGINX_DIR, RELOAD_URL
class VMMgr:
def __init__(self, conf):