From 8889900650991ea75dbe5e194fe2a683fe398b4b Mon Sep 17 00:00:00 2001
From: Disassembler
Date: Fri, 1 Mar 2019 14:59:30 +0100
Subject: [PATCH] Download packages into more secure place than /tmp

---
 usr/lib/python3.6/vmmgr/paths.py | 4 +++-
 usr/lib/python3.6/vmmgr/pkgmgr.py | 7 ++++---
 usr/lib/python3.6/vmmgr/vmmgr.py | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/usr/lib/python3.6/vmmgr/paths.py b/usr/lib/python3.6/vmmgr/paths.py
index cb2aa56..3828266 100644
--- a/usr/lib/python3.6/vmmgr/paths.py
+++ b/usr/lib/python3.6/vmmgr/paths.py
@@ -9,7 +9,10 @@ ACME_CRON = '/etc/periodic/daily/acme-sh'
 ACME_DIR = '/etc/acme.sh.d'
 CERT_KEY_FILE = '/etc/ssl/services.key'
 CERT_PUB_FILE = '/etc/ssl/services.pem'
+
+# Package manager
 PKG_SIG_FILE = '/etc/vmmgr/packages.pub'
+PKG_TEMP_DIR = '/var/cache/vmmgr'
 
 # LXC
 HOSTS_FILE = '/etc/hosts'
@@ -19,7 +22,6 @@ LXC_ROOT = '/var/lib/lxc'
 # OS
 ISSUE_FILE = '/etc/issue'
 NGINX_DIR = '/etc/nginx/conf.d'
-REPO_FILE = '/etc/apk/repositories'
 
 # URLs
 MYIP_URL = 'https://tools.dasm.cz/myip.php'
diff --git a/usr/lib/python3.6/vmmgr/pkgmgr.py b/usr/lib/python3.6/vmmgr/pkgmgr.py
index b0fd1ad..67e4cde 100644
--- a/usr/lib/python3.6/vmmgr/pkgmgr.py
+++ b/usr/lib/python3.6/vmmgr/pkgmgr.py
@@ -10,7 +10,7 @@ from enum import Enum
 from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
 
 from . import crypto
-from .paths import LXC_ROOT
+from .paths import LXC_ROOT, PKG_TEMP_DIR
 
 class Stage(Enum):
 DOWNLOAD = 1
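Review bot: `PKG_TEMP_DIR` in paths.py carries a security invariant that nothing next to the constant records: the pkgmgr.py changes on this page reuse any archive found in that directory as already verified and unpack it with `cwd='/'`, so the directory has to stay writable only by the account vmmgr runs as. A comment above the constant would keep that visible, for example `# Must be mode 0700 and owned by the vmmgr user: archives found here are trusted as verified`. The name also says "temp" while the path is under /var/cache and its contents are meant to survive an interrupted run; `PKG_CACHE_DIR` would describe it better, at the cost of renaming the three uses.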
@@ -85,7 +85,8 @@ class PkgMgr:
 def download_package(self, name, item):
 # Download tar.xz package and verify its hash. Can raise InvalidSignature
 pkg_archive = '{}_{}-{}.tar.xz'.format(name, self.online_packages[name]['version'], self.online_packages[name]['release'])
- tmp_archive = os.path.join('/tmp', pkg_archive)
+ tmp_archive = os.path.join(PKG_TEMP_DIR, pkg_archive)
+ os.makedirs(PKG_TEMP_DIR, 0o700, True)
 # If the archive already exists in temp (presumably because the previous installation was interrupted), it was already verified and can be reused
 if os.path.exists(tmp_archive):
 item.bytes_downloaded += os.path.getsize(tmp_archive)
@@ -105,7 +106,7 @@ class PkgMgr:
 def unpack_package(self, name):
 # Unpack archive
 pkg_archive = '{}_{}-{}.tar.xz'.format(name, self.online_packages[name]['version'], self.online_packages[name]['release'])
- tmp_archive = os.path.join('/tmp', pkg_archive)
+ tmp_archive = os.path.join(PKG_TEMP_DIR, pkg_archive)
 subprocess.run(['tar', 'xJf', tmp_archive], cwd='/', check=True)
 os.unlink(tmp_archive)
 
diff --git a/usr/lib/python3.6/vmmgr/vmmgr.py b/usr/lib/python3.6/vmmgr/vmmgr.py
index 6de93d3..809ce14 100644
--- a/usr/lib/python3.6/vmmgr/vmmgr.py
+++ b/usr/lib/python3.6/vmmgr/vmmgr.py
@@ -10,7 +10,7 @@ import urllib
 from . import crypto
 from . import templates
 from . import net
-from .paths import ACME_CRON, ACME_DIR, ISSUE_FILE, NGINX_DIR, RELOAD_URL, REPO_FILE
+from .paths import ACME_CRON, ACME_DIR, ISSUE_FILE, NGINX_DIR, RELOAD_URL
 
 class VMMgr:
 def __init__(self, conf):
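Review bot: In download_package, `os.makedirs(PKG_TEMP_DIR, 0o700, True)` applies the mode only when it creates the directory; with exist_ok set, an already existing /var/cache/vmmgr keeps whatever owner and mode it has, so the reuse branch below it can still trust a file that another account placed there. Enforcing the mode on every call closes that gap, and the keyword form is easier to read: `os.makedirs(PKG_TEMP_DIR, mode=0o700, exist_ok=True)` followed by `os.chmod(PKG_TEMP_DIR, 0o700)`. The reuse branch still equates existence with verification; if the download code outside this hunk writes to the final name before the hash check, an interrupted download would be reused unverified, so re-checking the hash of a reused archive, or downloading to a temporary name and renaming after verification, would be safer. The function body continues past the end of the hunk.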
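Review bot: In unpack_package, `os.unlink(tmp_archive)` is skipped whenever `subprocess.run(..., check=True)` raises, so a corrupt or truncated archive stays in PKG_TEMP_DIR and the existence check in download_package hands the same file back on every retry. Removing the archive on failure as well breaks that loop: put the tar call under `try:` and move the unlink into `finally: os.unlink(tmp_archive)`. The `pkg_archive` / `tmp_archive` computation is also repeated verbatim in both methods; a small private helper returning the cache path would keep the two from drifting apart.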