[Rpm-maint] Script hooks patch

Reshetova, Elena elena.reshetova at intel.com
Mon Nov 26 10:52:06 UTC 2012

Hi Panu,

I am working on the next version of script patch and will send it hopefully 
One thing that I noticed currently: I think header.c file missing errno.h 
inclusion. It doesn't compile for me without it.
Or am I doing smth wrong?

Best Regards,

-----Original Message-----
From: Panu Matilainen [mailto:pmatilai at laiskiainen.org]
Sent: Saturday, November 24, 2012 12:57 PM
To: Reshetova, Elena
Cc: rpm-maint at lists.rpm.org
Subject: Re: Script hooks patch

On 11/23/2012 02:29 PM, Reshetova, Elena wrote:
>> I see a couple of further problems with this:
>> - runLuaScript() will leak memory and a file descriptor if
>> rpmpluginsCallScriptPre() fails.
> Sorry, will fix.
>> - For external scripts the hooks run on different sides of the fork():
>> pre-hook runs in the forked child, post-hook in the parent, so parent
>> will
> be unaware of anything occurring in the pre-hook.
> Yes, but we can't run it in the parent, because how then we setup the
> security context on forked process?
>> I'd prefer the hooks called from rpmScriptRun() already so there
>> would be
> exactly one place where to deal with them, but whether that would
> actually work is a different question entirely...
> Would look nice from code point of view for sure, but I can't figure
> out a way to do it currently...

It's sooo annoying when practicalities clash with simple and beautiful code... 

>> External scripts have a lengthy setup sequence in the child between
>> the
>> fork() and exec(), including a call to rpmExpand() on
> %_install_script_path. Which should not, but technically could, have a
> shell-invocation in it, which would cause a fork() + exec() of its own
> which would cause (at least in case of SELinux) the exec context setup
> to go to wrong address. It should be possible >to move the rpmExpand()
> into parent and just pass the path as an argument to doScriptExec()
> though but just goes to show how the kind of minefield this is.
> Oh, shell invocation isn't good at all in this case: it will be
> invoked with all rpm privileges :( Is it an intended feature or smth
> that we can try to limit? I have been thinking of this just as a way
> to load configuration, but it seems to be a worse case.

Technically any rpmExpand() and rpmExpandNumeric() call can result in shell 
invocation (and any arbitrary command through that). For example the 
%_install_script_path is by default defined as:

%_install_script_path   /sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin

It'd be perfectly legal (if dumb) to write this as:

%_install_script_path   %(echo /sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin)

...and of course you can inject all sorts of "surprises" in there too, like
%_install_script_path   %(rm -rf /home; echo

Besides shell, any macro can also be written in Lua, which can also invoke 
arbitrary commands, define further macros etc. Oh and "regular"
macros can also define (and override) and undefine other macros.

So yes, its quite nasty, and somehow limiting the power that macros can have 
would be good. I've been thinking of some kind of no-exec, read-only mode to 
the macro engine for quite some time now, but there are many open questions in 
that area. Such as what to do about the "violators" - neither rpmExpand() or 
rpmExpandNumeric() can return errors, and even if they could, its a 
non-trivial job to figure out how to handle them in all the relevant places.

>> Internal scripts present different problems: as it is now, there's
>> not much
> difference between calling hooks from runLuaScript() and
> rpmScriptRun(), but if we assume they'll get forked in the future, any
> security context switch would have to happen after the fork. Which
> inevitably causes the same
>> asymmetry with pre- and post-hooks as there is now with external scripts.
> True, but how much does the parent needs to know about it?
>> One way to address it would be having an "unpaired" post-fork (or
>> pre-exec
> if you like) hook that explicitly runs in the child process, which
> basically is what we have now in the script setup hook. Which then begs the 
> question:
> what exactly are the new script pre- and post-hooks supposed to be used for?
>> Ok, I can imagine eg logging plugin wanting to do something in both
>> of
> those, but...
> Yes, I am starting to lean towards 3 set of hooks for scripts:
> symmetrical pre-post in parent (nicely combined in rpmScriptRun) and
> separate Setup hook in child. The purpose of child hook would be to
> setup security context, the

Security context or some other execution environment things, like environment 
variables present in the scripts (I can't think of practical use-cases for 
that atm but that doesn't mean they dont exist :)

> pre-hook can be used for initial screening (IMO important part too),
> like if we even want this particular  script from this particular
> package to run (I

Ah yup, that's a reasonable use-case in the security-department.

> can even think of passing script content to it, if we want to scan it
> for malware patterns, but this is probably too futuristic), and post
> hook can be used... hm... (trying to think of security reason)  maybe
> just simply for verifying how did it go and cleaning up (can't find
> really any specific reason now)

Well, not everything has to be related to security anyhow :) For example a 
logging plugin will certainly be interested in the post-script result.

> What do you think? Should I then change the patch to add two hooks in
> addition to current one and move them to rpmScriptRun() for clean view?

At least for now that seems like the way to go. The "setup" hook should 
perhaps be renamed to something that makes it clearer when and how its called, 
such as "scriptlet post fork", which gets called only when a scriptlet 
execution is forked (eg Lua scripts are not forked so the post-fork setup hook 
shouldn't be called for them I suppose)

Going to be interesting to see how many variations on the theme this all takes 
to get the details right :D

	- Panu -

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7220 bytes
Desc: not available
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20121126/74ca47c2/attachment.p7s>

More information about the Rpm-maint mailing list