[reprotest] 01/01: chown -h for security

Ximin Luo infinity0 at debian.org
Thu Aug 31 13:54:43 UTC 2017


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch master
in repository reprotest.

commit 4f560f58aae449e926a1e17062e03a136bacb143
Author: Ximin Luo <infinity0 at debian.org>
Date:   Thu Aug 31 15:54:29 2017 +0200

    chown -h for security
---
 README.rst            | 8 ++++----
 reprotest/__init__.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/README.rst b/README.rst
index f6e6d3e..eef69a4 100644
--- a/README.rst
+++ b/README.rst
@@ -205,10 +205,10 @@ your use-case::
     $ a="[a-zA-Z0-9]"
     $ cat <<EOF | sudo tee -a /etc/sudoers.d/local-reprotest
     $USER ALL = ($OTHERUSER) NOPASSWD: ALL
-    $USER ALL = NOPASSWD: /bin/chown -R --from=$OTHERUSER $USER /tmp/autopkgtest.$a$a$a$a$a$a/const_build_path/
-    $USER ALL = NOPASSWD: /bin/chown -R --from=$OTHERUSER $USER /tmp/autopkgtest.$a$a$a$a$a$a/experiment/
-    $USER ALL = NOPASSWD: /bin/chown -R --from=$USER $OTHERUSER /tmp/autopkgtest.$a$a$a$a$a$a/const_build_path/
-    $USER ALL = NOPASSWD: /bin/chown -R --from=$USER $OTHERUSER /tmp/autopkgtest.$a$a$a$a$a$a/experiment/
+    $USER ALL = NOPASSWD: /bin/chown -h -R --from=$OTHERUSER $USER /tmp/autopkgtest.$a$a$a$a$a$a/const_build_path/
+    $USER ALL = NOPASSWD: /bin/chown -h -R --from=$OTHERUSER $USER /tmp/autopkgtest.$a$a$a$a$a$a/experiment/
+    $USER ALL = NOPASSWD: /bin/chown -h -R --from=$USER $OTHERUSER /tmp/autopkgtest.$a$a$a$a$a$a/const_build_path/
+    $USER ALL = NOPASSWD: /bin/chown -h -R --from=$USER $OTHERUSER /tmp/autopkgtest.$a$a$a$a$a$a/experiment/
     EOF
 
 Repeat this for each user you'd like to use. Obviously, don't pick a privileged
diff --git a/reprotest/__init__.py b/reprotest/__init__.py
index aac5b79..492d0c4 100644
--- a/reprotest/__init__.py
+++ b/reprotest/__init__.py
@@ -380,9 +380,9 @@ printf '#!/bin/sh\nsudo -u "{1}" -g "{2}" /bin/fusermount "$@"\n' > "{0}"/fuserm
 chmod +x "{0}"/fusermount
 '''.format(binpath, user, group))
     _ = _.append_setup_exec_raw('export', 'PATH="%s:$PATH"' % binpath)
-    _ = _.append_setup_exec('sudo', 'chown', '-R', '--from=%s' % olduser, user, tree.experiment)
+    _ = _.append_setup_exec('sudo', 'chown', '-h', '-R', '--from=%s' % olduser, user, tree.experiment)
     # TODO: artifacts probably shouldn't be chown'd back
-    _ = _.prepend_cleanup_exec('sudo', 'chown', '-R', '--from=%s' % user, olduser, tree.experiment)
+    _ = _.prepend_cleanup_exec('sudo', 'chown', '-h', '-R', '--from=%s' % user, olduser, tree.experiment)
     new_experiment = _
     return Pair(script.control, new_experiment), env, tree
 
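Review bot: Both `sudo chown` calls still pass a bare `'chown'`, which is presumably resolved through PATH just after the line above prepends `binpath` to it, while the sudoers rules in README.rst permit only `/bin/chown` and the fusermount wrapper in this same function already uses the absolute `/bin/fusermount`. Naming the binary explicitly would keep the invoked command identical to the documented rule regardless of PATH, e.g. `_.append_setup_exec('sudo', '/bin/chown', '-h', '-R', '--from=%s' % olduser, user, tree.experiment)`, with the same change in the `prepend_cleanup_exec` call. How sudo resolves the name depends on its `secure_path` setting, which is not visible here, so treat this as hardening rather than a confirmed defect. A short comment such as `# -h: change ownership of symlinks themselves, never of their targets` would also record why the flag must stay in step with the sudoers entries. The enclosing function starts above the hunk.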

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reprotest.git


