
Check that DESTDIR is on a noperm filesystem that's properly locked down and enforce reasonable permissions for RELEASEDIR.
prodded by and ok deraadt
ok tb
OPENBSD_6_1
natano 8 years ago
parent
commit
99f46803b9
1 changed files with 14 additions and 1 deletions
  1. +14
    -1
      src/etc/Makefile

+ 14
- 1
src/etc/Makefile View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.440 2016/10/06 20:20:41 reyk Exp $
# $OpenBSD: Makefile,v 1.441 2016/10/09 14:23:10 natano Exp $
TZDIR= /usr/share/zoneinfo TZDIR= /usr/share/zoneinfo
LOCALTIME= Canada/Mountain LOCALTIME= Canada/Mountain
@ -252,6 +252,19 @@ release:
echo $@ must be called by root >&2; \ echo $@ must be called by root >&2; \
false; \ false; \
fi fi
@destmp=`df -P ${DESTDIR} | awk 'END { print $$6 }'`; \
if ! mount | grep -q " $${destmp} .*noperm"; then \
echo ${DESTDIR} must be on a noperm filesystem >&2; \
false; \
fi; \
if [[ `stat -f '%Su %Lp' $${destmp}` != '${BUILDUSER} 700' ]]; then \
echo $${destmp} must have owner BUILDUSER and mode 700 >&2; \
false; \
fi
@if [[ `stat -f '%Su %Lp' ${RELEASEDIR}` != '${BUILDUSER} 700' ]]; then \
echo ${RELEASEDIR} must have owner BUILDUSER and mode 700 >&2; \
false; \
fi
${MAKE} release-sets ${MAKE} release-sets
${MAKE} distrib ${MAKE} distrib
su ${BUILDUSER} -c 'exec ${MAKE} sha' su ${BUILDUSER} -c 'exec ${MAKE} sha'
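Review bot: The noperm check in the first added recipe line reports failure with `false` in the middle of a `;`-joined command, so it stops the build only if make runs the recipe shell with errexit; without that, the exit status of the following owner/mode `if` decides, and a DESTDIR on a filesystem without noperm would pass as long as the mount point has the right owner and mode. Writing `exit 1` in place of `false` in both `then` bodies of that line makes the abort independent of shell flags. Separately, `${DESTDIR}` reaches `df -P` unquoted and `$${destmp}` is used as a grep regular expression, so an empty DESTDIR (df then lists every filesystem and awk reports the last one) or a mount point containing regex metacharacters could make the check look at something other than the intended filesystem. Whether DESTDIR is validated earlier is not visible here, because the `release:` recipe begins above the hunk and continues below it.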

