use granular permissions for tdnf commands

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
isabella232 · Mar 11, 2022 · 35c5a28 · 35c5a28
1 parent 9257384
commit 35c5a28
Show file tree

Hide file tree

Showing 23 changed files with 387 additions and 197 deletions.
diff --git a/ci/Dockerfile.fedora b/ci/Dockerfile.fedora
@@ -5,7 +5,8 @@ RUN dnf -y install gcc make cmake libcurl-devel rpm-devel rpm-build \
         libsolv-devel popt-devel sed createrepo_c glib2-devel libxml2 \
         findutils python3-pytest python3-requests python3-urllib3 \
         python3-pyOpenSSL python3 python3-devel valgrind gpgme-devel \
-        libxml2-devel openssl-devel rpm-sign which python3-pip
+        libxml2-devel openssl-devel rpm-sign which python3-pip \
+        shadow-utils sudo
 
 RUN pip3 install flake8
 

diff --git a/ci/Dockerfile.photon b/ci/Dockerfile.photon
@@ -8,9 +8,10 @@ RUN tdnf install -y --enablerepo=photon-debuginfo \
                findutils python3 python3-pip python3-setuptools \
                python3-devel valgrind gpgme-devel glibc-debuginfo \
                libxml2-devel openssl-devel zlib-devel which \
-               python3-requests python3-urllib3 python3-pyOpenSSL
+               python3-requests python3-urllib3 python3-pyOpenSSL \
+               sudo shadow
 
 # this can to be removed once latest pytest gets published in photon
-RUN pip3 install -q pytest flake8
+RUN pip3 install pytest flake8
 
 CMD ["/bin/bash"]
diff --git a/ci/Dockerfile.photon-3.0 b/ci/Dockerfile.photon-3.0
@@ -1,7 +1,5 @@
 FROM photon:3.0
 
-MAINTAINER okurth@vmware.com
-
 RUN tdnf update  -y
 RUN tdnf remove  -y toybox
 RUN tdnf install -y --enablerepo=photon-debuginfo \
@@ -10,9 +8,10 @@ RUN tdnf install -y --enablerepo=photon-debuginfo \
                findutils python3 python3-setuptools python3-devel \
                valgrind gpgme-devel glibc-debuginfo libxml2-devel \
                openssl-devel zlib-devel which python3-requests \
-               python3-urllib3 python3-pyOpenSSL python3-pip
+               python3-urllib3 python3-pyOpenSSL python3-pip \
+               sudo shadow
 
 # TODO: we need to fix pytest in Ph3, after that this can be removed
-RUN pip3 install -q pytest flake8
+RUN pip3 install pytest flake8
 
 CMD ["/bin/bash"]
diff --git a/client/api.c b/client/api.c
@@ -20,6 +20,8 @@
 
 #include "includes.h"
 
+uid_t gEuid;
+
 static TDNF_ENV gEnv = {0};
 
 static tdnflock instance_lock;
@@ -34,6 +36,11 @@ static void TdnfExitHandler(void)
 
 static void IsTdnfAlreadyRunning(void)
 {
+    if (gEuid)
+    {
+        return;
+    }
+
     instance_lock = tdnflockNewAcquire(TDNF_INSTANCE_LOCK_FILE,
                                        "tdnf_instance");
     if (!instance_lock)
@@ -653,6 +660,8 @@ TDNFOpenHandle(
         BAIL_ON_TDNF_ERROR(dwError);
     }
 
+    gEuid = geteuid();
+
     IsTdnfAlreadyRunning();
 
     GlobalSetQuiet(pArgs->nQuiet);

diff --git a/client/defines.h b/client/defines.h
@@ -28,9 +28,6 @@
  */
 #define TDNF_INSTANCE_LOCK_FILE     "/var/run/.tdnf-instance-lockfile"
 
-/* wait for lock retries, interval is 1s */
-#define TDNF_LOCK_MAX_RETRIES 300
-
 typedef enum
 {
     /* this should be a bitmask */

diff --git a/client/init.c b/client/init.c
@@ -237,10 +237,10 @@ TDNFRefreshSack(
     int nMetadataExpired = 0;
     PTDNF_REPO_DATA_INTERNAL pRepo = NULL;
     PTDNF_REPO_DATA_INTERNAL *ppRepoArray = NULL;
-    int i = 0;
-    int nCount = 0;
+    uint32_t nCount = 0;
+    uint32_t i = 0;
 
-    if(!pTdnf)
+    if (!pTdnf)
     {
         dwError = ERROR_TDNF_INVALID_PARAMETER;
         BAIL_ON_TDNF_ERROR(dwError);
@@ -251,12 +251,13 @@ TDNFRefreshSack(
         pTdnf->pArgs->nRefresh = 1;
     }
 
-    for(pRepo = pTdnf->pRepos; pRepo; pRepo = pRepo->pNext)
+    for (pRepo = pTdnf->pRepos; pRepo; pRepo = pRepo->pNext)
     {
-        /* skip the @cmdline repo - options do not apply, and it is
-           initialized. */
-        if ((strcmp(pRepo->pszName, CMDLINE_REPO_NAME) == 0) ||
-            (!pRepo->nEnabled))
+        /*
+         * skip the @cmdline repo - options do not apply, and it is
+         * initialized.
+         */
+        if (!strcmp(pRepo->pszName, CMDLINE_REPO_NAME) || !pRepo->nEnabled)
         {
             continue;
         }
@@ -272,8 +273,7 @@ TDNFRefreshSack(
 
         for(pRepo = pTdnf->pRepos; pRepo; pRepo = pRepo->pNext)
         {
-            if ((strcmp(pRepo->pszName, CMDLINE_REPO_NAME) == 0) ||
-                (!pRepo->nEnabled))
+            if (!strcmp(pRepo->pszName, CMDLINE_REPO_NAME) || !pRepo->nEnabled)
             {
                 continue;
             }
@@ -309,32 +309,44 @@ TDNFRefreshSack(
             pszRepoCacheDir = NULL;
         }
 
-        if(nMetadataExpired)
+        if (nMetadataExpired)
         {
+            if (gEuid)
+            {
+                if (!pTdnf->pArgs->nCacheOnly)
+                {
+                    pr_err("\ntdnf repo cache needs to be refreshed\n"
+                           "You can use one of the below methods to workaround this\n"
+                           "1. Login as root & refresh cache\n"
+                           "2. Use -c (--config) option & create repo cache where you have access\n"
+                           "3. Use -C (--cacheonly) & use existing cache in the system\n\n");
+                }
+                goto cleanup;
+            }
+
             dwError = TDNFRepoRemoveCache(pTdnf, pRepo->pszId);
-            if(dwError == ERROR_TDNF_FILE_NOT_FOUND)
+            if (dwError == ERROR_TDNF_FILE_NOT_FOUND)
             {
                 dwError = 0;//Ignore non existent folders
             }
             BAIL_ON_TDNF_ERROR(dwError);
 
             dwError = TDNFRemoveSolvCache(pTdnf, pRepo->pszId);
-            if(dwError == ERROR_TDNF_FILE_NOT_FOUND)
+            if (dwError == ERROR_TDNF_FILE_NOT_FOUND)
             {
                 dwError = 0;//Ignore non existent folders
             }
             BAIL_ON_TDNF_ERROR(dwError);
         }
 
-        if(pSack)
+        if (pSack)
         {
             dwError = TDNFInitRepo(pTdnf, pRepo, pSack);
         }
-        if(dwError && pRepo->nSkipIfUnavailable)
+        if (dwError && pRepo->nSkipIfUnavailable)
         {
             pRepo->nEnabled = 0;
-            pr_info("Disabling Repo: '%s'\n",
-                    pRepo->pszName);
+            pr_info("Disabling Repo: '%s'\n", pRepo->pszName);
             dwError = 0;
         }
         BAIL_ON_TDNF_ERROR(dwError);
@@ -357,5 +369,6 @@ TDNFRefresh(
     {
         return ERROR_TDNF_INVALID_PARAMETER;
     }
+
     return TDNFRefreshSack(pTdnf, pTdnf->pSack, pTdnf->pArgs->nRefresh);
 }
diff --git a/client/list.c b/client/list.c
@@ -26,6 +26,7 @@ TDNFMergeList(
     TDNF_ML_LIST* listB
     )
 {
+    uint32_t dwError = 0;
     TDNF_ML_LIST* mergedList = NULL;
     TDNF_ML_URL_INFO *urlA = NULL;
     TDNF_ML_URL_INFO *urlB = NULL;
@@ -68,6 +69,9 @@ TDNFMergeList(
     }
 
     return mergedList;
+
+error:
+    return NULL;
 }
 
 /* This function is used to split the nodes of the given

diff --git a/client/metalink.c b/client/metalink.c
@@ -61,10 +61,8 @@ TDNFMetalinkFree(
         return;
 
     TDNF_SAFE_FREE_MEMORY(ml_ctx->filename);
-    TDNFDeleteList(&ml_ctx->hashes,
-                      (TDNF_ML_FREE_FUNC)TDNFMetalinkHashFree);
-    TDNFDeleteList(&ml_ctx->urls,
-                      (TDNF_ML_FREE_FUNC)TDNFMetalinkUrlFree);
+    TDNFDeleteList(&ml_ctx->hashes, (TDNF_ML_FREE_FUNC)TDNFMetalinkHashFree);
+    TDNFDeleteList(&ml_ctx->urls, (TDNF_ML_FREE_FUNC)TDNFMetalinkUrlFree);
     TDNF_SAFE_FREE_MEMORY(ml_ctx);
 }
 

diff --git a/client/prototypes.h b/client/prototypes.h
@@ -21,10 +21,13 @@
 #ifndef __CLIENT_PROTOTYPES_H__
 #define __CLIENT_PROTOTYPES_H__
 
+#include <unistd.h>
 #include <openssl/sha.h>
 #include <openssl/md5.h>
 #include <openssl/evp.h>
 
+extern uid_t gEuid;
+
 //clean.c
 uint32_t
 TDNFCopyEnabledRepos(

diff --git a/client/remoterepo.c b/client/remoterepo.c
@@ -221,7 +221,7 @@ TDNFGetDigestForFile(
     }
 
     fd = open(filename, O_RDONLY);
-    if (fd == -1)
+    if (fd < 0)
     {
         pr_err("Metalink: validating (%s) FAILED\n", filename);
         dwError = errno;
@@ -292,7 +292,7 @@ TDNFGetDigestForFile(
     dwError = 0;
 
 cleanup:
-    if (fd != -1)
+    if (fd >= 0)
     {
         close(fd);
     }
@@ -531,7 +531,7 @@ TDNFParseAndGetURLFromMetalink(
     }
 
     fd = open(pszFile, O_RDONLY);
-    if (fd == -1)
+    if (fd < 0)
     {
         dwError = errno;
         BAIL_ON_TDNF_SYSTEM_ERROR_UNCOND(dwError);
@@ -548,7 +548,7 @@ TDNFParseAndGetURLFromMetalink(
     TDNFSortListOnPreference(&ml_ctx->urls);
 
 cleanup:
-    if (fd != -1)
+    if (fd >= 0)
     {
         close(fd);
     }
@@ -692,7 +692,10 @@ TDNFDownloadFile(
     {
         dwError = rename(pszFileTmp, pszFile);
         BAIL_ON_TDNF_ERROR(dwError);
+        dwError = chmod(pszFile, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+        BAIL_ON_TDNF_ERROR(dwError);
     }
+
 cleanup:
     TDNF_SAFE_FREE_MEMORY(pszUserPass);
     TDNF_SAFE_FREE_MEMORY(pszFileTmp);

diff --git a/client/repo.c b/client/repo.c
@@ -38,7 +38,7 @@ TDNFInitRepo(
     int nUseMetaDataCache = 0;
     PSOLV_REPO_INFO_INTERNAL pSolvRepoInfo = NULL;
 
-    if(!pTdnf || !pTdnf->pConf || !pRepoData || !pSack || !pSack->pPool)
+    if (!pTdnf || !pTdnf->pConf || !pRepoData || !pSack || !pSack->pPool)
     {
         dwError = ERROR_TDNF_INVALID_PARAMETER;
         BAIL_ON_TDNF_ERROR(dwError);
@@ -779,7 +779,7 @@ TDNFGetRepoMD(
     }
 
     /* download repomd.xml to tmp */
-    if(nNeedDownload && !pTdnf->pArgs->nCacheOnly)
+    if (nNeedDownload && !pTdnf->pArgs->nCacheOnly)
     {
         pr_info("Refreshing metadata for: '%s'\n", pRepoData->pszName);
         /* always download to tmp */
@@ -823,7 +823,7 @@ TDNFGetRepoMD(
             dwError = TDNFAllocateMemory(1, sizeof(TDNF_ML_CTX),
                                          (void **)&ml_ctx);
             BAIL_ON_TDNF_ERROR(dwError);
-	    
+
             dwError = TDNFParseAndGetURLFromMetalink(pTdnf,
                         pRepoData->pszId, pszTmpRepoMetalinkFile, ml_ctx);
             BAIL_ON_TDNF_ERROR(dwError);
@@ -981,7 +981,8 @@ TDNFGetRepoMD(
         if((TDNFRemoveTmpRepodata(pszTmpRepoDataDir)) &&
            (dwError == ERROR_TDNF_CHECKSUM_VALIDATION_FAILED))
 	{
-	    pr_crit("Downloaded repomd shasum mismatch, failed to remove %s file.  please remove.", pszTmpRepoDataDir);
+	    pr_crit("Downloaded repomd shasum mismatch, failed to remove %s file. Please remove it manually\n.",
+                pszTmpRepoDataDir);
 	}
     }
     TDNFFreeRepoMetadata(pRepoMDRel);

diff --git a/client/repoutils.c b/client/repoutils.c
@@ -142,18 +142,15 @@ TDNFRepoGetUserPass(
         dwError = ERROR_TDNF_NO_REPOS;
         BAIL_ON_TDNF_ERROR(dwError);
     }
-    pRepos = pTdnf->pRepos;
 
-    while(pRepos)
+    for (pRepos = pTdnf->pRepos; pRepos; pRepos = pRepos->pNext)
     {
-        if(!strcmp(pszRepo, pRepos->pszId))
+        if (!strcmp(pszRepo, pRepos->pszId))
         {
             break;
         }
-        pRepos = pRepos->pNext;
     }
-
-    if(!pRepos)
+    if (!pRepos)
     {
         dwError = ERROR_TDNF_REPO_NOT_FOUND;
         BAIL_ON_TDNF_ERROR(dwError);