fail GMT-6.4.0-alt1_10.x86_64 The test found scripts with errors that a user could exploit to damage important system files. For example, if a script works with a temp file that it creates in the /tmp directory, any user can create symlinks with the same name (pattern) in that directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to point to it. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/gmt_shell_functions.sh: $ grep -A5 -B5 /tmp/ /usr/bin/gmt_shell_functions.sh cat <<- EOF > doc.kml EOF ls kml/*.kml > /tmp/$$.lis while read file; do name=$(basename $file .kml) cat << EOF >> doc.kml $name $file EOF done < /tmp/$$.lis cat << EOF >> doc.kml EOF zip -rq9 $name.kmz doc.kml kml if [ $remove -eq 0 ]; then mv -f kml/* .. fi rm -rf kml doc.kml /tmp/$$.lis } # For animations: Build animated gif from stills gmt_build_gif() { if [ $# -eq 0 ]; then -- usage: gmt_launch_jobs [-c ] [-l ] [-n] [-v] [-w] is a file with a list of all the commands -c Specify how many separate cores to use [$n_cpu] -l Specify how many lines constitute one job cluster [1] -n Dry-run. Do not launch jobs but leave core scripts as /tmp/gmt_launch_jobs.##.sh -r Remove core scripts when the jobs complete -v Verbose. 
Give progress messages -w Wait for completion of all core jobs before exiting EOF return -- *) echo "gmt_launch_jobs: No such option ($1)" >&2 ;; esac shift done egrep -v '^#|^$' $1 > /tmp/$$.sh nL=$(wc -l /tmp/$$.sh | awk '{printf "%d\n", $1}') n_chunks=$(gmt math -Q $nL $n_lines DIV =) bad=$(gmt math -Q $n_chunks DUP RINT SUB ABS 1e-10 GT =) if [ $bad -eq 1 ]; then echo "gmt_launch_jobs: Your number of commands is not a multiple of $n_lines" >&2 exit 1 -- tag="."$$ fi # Create n_cpu empty files for execution let cpu=0 while [ $cpu -lt $n_cpu ]; do printf "#!/usr/bin/env bash\n# gmt_launch_jobs command file chunk # ${cpu}\n#---------------------------------\n" > /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 done # Distribute $n_lines from the commands across these core scripts let chunk=0; let cpu=0; let sub=n_lines-1; let last=0 while [ $chunk -lt $n_chunks ]; do let last=last+n_lines let first=last-sub sed -n ${first},${last}p /tmp/$$.sh >> /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 if [ $cpu -eq $n_cpu ]; then let cpu=0 fi let chunk=chunk+1 done # Launch the $n_cpu scripts let cpu=0 while [ $cpu -lt $n_cpu ]; do if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: Starting /tmp/gmt_launch_jobs${tag}.$cpu.sh" >&2 fi if [ $do_remove -eq 1 ]; then echo "rm -f /tmp/gmt_launch_jobs${tag}.$cpu.sh" >> /tmp/gmt_launch_jobs${tag}.$cpu.sh fi if [ $dryrun -eq 0 ]; then bash /tmp/gmt_launch_jobs${tag}.$cpu.sh & fi let cpu=cpu+1 done rm -f /tmp/$$.sh if [ $do_wait -eq 1 ] && [ $dryrun -eq 0 ]; then wait # Wait until all jobs launched by this script have completed if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: All $n_cpu jobs completed" >&2 fi;
fail GMT-common-6.4.0-alt1_10.noarch Found error in /usr/share/gmt/tools/gmt_prepmex.sh: $ grep -A5 -B5 /tmp/ /usr/share/gmt/tools/gmt_prepmex.sh # First get a reliable absolute path to the bundle's top directory pushd $(dirname $0) > /dev/null BUNDLEDIR=$(pwd | sed -e sB/Contents/Resources/share/toolsBBg) popd > /dev/null # Set path to the new gmt installation MEXGMT5DIR=/tmp/$$/gmt # Set path to additional subdirectories MEXLIBDIR=$MEXGMT5DIR/lib MEXINCDIR=$MEXGMT5DIR/include MEXSHADIR=$MEXGMT5DIR/share MEXBINDIR=$MEXGMT5DIR/bin -- cp -r etc usr $MEXBINDIR # Now copy the lib files printf "gmt_prepmex.sh: Copy and rename libraries\n" >&2 cd $BUNDLEDIR/Contents/Resources/lib # Find a list of all libs shipped with the OSX bundle, except our own: ls *.dylib | egrep -v 'libgmt.dylib|libpostscriptlight.dylib' > /tmp/l.lis # For each, duplicate into /opt/gmt but add a leading X to each name while read lib; do new=$(echo $lib | awk '{printf "libX%s\n", substr($1,4)}') cp $lib $MEXLIBDIR/$new done < /tmp/l.lis # Copy the supplement shared plugin cp gmt/plugins/supplements.so $MEXLIBDIR/gmt/plugins cd $MEXLIBDIR ls *.dylib > /tmp/l.lis printf "gmt_prepmex.sh: Rebaptize libraries\n" >&2 # For all libs in $MEXLIBDIR, change internal references to contain the leading "X" 
while read lib; do otool -L $lib | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') if [ $k -eq 1 ]; then # Do the id change was=$(echo $lib | awk -F/ '{print substr($1,4)}') install_name_tool -id /opt/gmt/lib/$new $lib else install_name_tool -change $old /opt/gmt/lib/$new $lib fi let k=k+1 done < /tmp/t.lis done < /tmp/l.lis # Set links to the new libs ln -s libXgmt.dylib libgmt.dylib ln -s libXpostscriptlight.dylib libpostscriptlight.dylib ln -s libXgmt.6.dylib libXgmt.dylib ln -s libXpostscriptlight.6.dylib libXpostscriptlight.dylib -- fi fi # Do plugin supplement separately since not called lib* cd gmt/plugins otool -L supplements.so | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') install_name_tool -change $old /opt/gmt/lib/$new supplements.so let k=k+1 done < /tmp/t.lis # Do bin dir cd $MEXBINDIR otool -L gmt | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') install_name_tool -change $old /opt/gmt/lib/$new gmt let k=k+1 done < /tmp/t.lis chmod -R ugo+r $MEXGMT5DIR printf "gmt_prepmex.sh: Install /opt/gmt\n" >&2 sudo cp -fpR $MEXGMT5DIR /opt rm -rf /tmp/$$ cd $here version=$(/opt/gmt/bin/gmt-config --version) # Report cat << EOF >&2 gmt_prepmex.sh: Made updated GMT $version installation in /opt/gmt;
fail NsCDE-2.3-alt2.x86_64 Found error in /usr/lib/NsCDE/migrate_nscde_1x_2x: $ grep -A5 -B5 /tmp/ /usr/lib/NsCDE/migrate_nscde_1x_2x exit 6 else stamp=$(date +%d-%m-%Y-%H-%M-%S) case $OS in Linux|NetBSD|DragonFly|FreeBSD) tar cpf dot_NsCDE_${stamp}.tar --exclude '.NsCDE/tmp/fvwm_mfl.sock' .NsCDE RETVAL1=$? ;; OpenBSD) tar -s '/.NsCDE\/tmp\/fvwm_mfl\.sock//' -cf dot_NsCDE_stamp.tar .NsCDE RETVAL1=$? 
-- { # Start with bin cat "$1" | $ISED -c 's/\$NSCDE_ROOT\/bin\/confget\.py/\$NSCDE_TOOLSDIR\/confget/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/confget\.py/\${NSCDE_TOOLSDIR}\/confget/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/confget\.py/\$NSCDE_TOOLSDIR\/confget/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/confget\.py/\$\[NSCDE_TOOLSDIR\]\/confget/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/confset\.py/\$NSCDE_TOOLSDIR\/confset/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/confset\.py/\${NSCDE_TOOLSDIR}\/confset/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/confset\.py/\$NSCDE_TOOLSDIR\/confset/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/confset\.py/\$\[NSCDE_TOOLSDIR\]\/confset/g' -o -f - > /tmp/_migrate_tmp1.$$ OSMACH=$(uname -sm | tr ' ' '_') cat /tmp/_migrate_tmp1.$$ | $ISED -c "s/\$NSCDE_ROOT\/bin\/fpclock-$OSMACH/\$NSCDE_TOOLSDIR\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\${NSCDE_ROOT}\/bin\/fpclock-$OSMACH/\${NSCDE_TOOLSDIR}\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\/opt\/NsCDE\/bin\/fpclock-$OSMACH/\$NSCDE_TOOLSDIR\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\$\[NSCDE_ROOT\]\/bin\/fpclock-$OSMACH/\$\[NSCDE_TOOLSDIR\]\/$OSMACH\/fpclock/g" -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c "s/\$NSCDE_ROOT\/bin\/fpclock-\$(uname -s)_\$(uname -m)/\$NSCDE_TOOLSDIR\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\${NSCDE_ROOT}\/bin\/fpclock-\$(uname -s)_\$(uname -m)/\${NSCDE_TOOLSDIR}\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\/opt\/NsCDE\/bin\/fpclock-\$(uname -s)_\$(uname -m)/\$NSCDE_TOOLSDIR\/$OSMACH\/fpclock/g" -o -f - | \ $ISED -c "s/\$\[NSCDE_ROOT\]\/bin\/fpclock-\$(uname -s)_\$(uname -m)/\$\[NSCDE_TOOLSDIR\]\/$OSMACH\/fpclock/g" -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/fpclock/\$NSCDE_TOOLSDIR\/fpclock/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/fpclock/\${NSCDE_TOOLSDIR}\/fpclock/g' -o -f - | \ $ISED -c 
's/\/opt\/NsCDE\/bin\/fpclock/\$NSCDE_TOOLSDIR\/fpclock/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/fpclock/\$\[NSCDE_TOOLSDIR\]\/fpclock/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/getdpi/\$NSCDE_TOOLSDIR\/getdpi/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/getdpi/\${NSCDE_TOOLSDIR}\/getdpi/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/getdpi/\$NSCDE_TOOLSDIR\/getdpi/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/getdpi/\$\[NSCDE_TOOLSDIR\]\/getdpi/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/getfont/\$NSCDE_TOOLSDIR\/getfont/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/getfont/\${NSCDE_TOOLSDIR}\/getfont/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/getfont/\$NSCDE_TOOLSDIR\/getfont/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/getfont/\$\[NSCDE_TOOLSDIR\]\/getfont/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/ised/\$NSCDE_TOOLSDIR\/ised/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/ised/\${NSCDE_TOOLSDIR}\/ised/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/ised/\$NSCDE_TOOLSDIR\/ised/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/ised/\$\[NSCDE_TOOLSDIR\]\/ised/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/mkpagemenu/\$NSCDE_TOOLSDIR\/mkpagemenu/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/mkpagemenu/\${NSCDE_TOOLSDIR}\/mkpagemenu/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/mkpagemenu/\$NSCDE_TOOLSDIR\/mkpagemenu/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/mkpagemenu/\$\[NSCDE_TOOLSDIR\]\/mkpagemenu/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/nscde_colorpicker/\$NSCDE_TOOLSDIR\/colorpicker/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/nscde_colorpicker/\${NSCDE_TOOLSDIR}\/colorpicker/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/nscde_colorpicker/\$NSCDE_TOOLSDIR\/colorpicker/g' -o -f 
- | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/nscde_colorpicker/\$\[NSCDE_TOOLSDIR\]\/colorpicker/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/nscde_usleep/\$NSCDE_TOOLSDIR\/usleep/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/nscde_usleep/\${NSCDE_TOOLSDIR}\/usleep/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/nscde_usleep/\$NSCDE_TOOLSDIR\/usleep/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/nscde_usleep/\$\[NSCDE_TOOLSDIR\]\/usleep/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/nscde_var_append/\$NSCDE_TOOLSDIR\/var_append/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/nscde_var_append/\${NSCDE_TOOLSDIR}\/var_append/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/nscde_var_append/\$NSCDE_TOOLSDIR\/var_append/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/nscde_var_append/\$\[NSCDE_TOOLSDIR\]\/var_append/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/sysinfo\.py/\$NSCDE_TOOLSDIR\/sysinfo/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/sysinfo\.py/\${NSCDE_TOOLSDIR}\/sysinfo/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/sysinfo\.py/\$NSCDE_TOOLSDIR\/sysinfo/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/sysinfo\.py/\$\[NSCDE_TOOLSDIR\]\/sysinfo/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/bin\/xdowrapper/\$NSCDE_TOOLSDIR\/xdowrapper/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/bin\/xdowrapper/\${NSCDE_TOOLSDIR}\/xdowrapper/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/bin\/xdowrapper/\$NSCDE_TOOLSDIR\/xdowrapper/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/bin\/xdowrapper/\$\[NSCDE_TOOLSDIR\]\/xdowrapper/g' -o -f - > /tmp/_migrate_tmp1.$$ # Libexec cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/appfinder/\$NSCDE_TOOLSDIR\/appfinder/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/appfinder/\${NSCDE_TOOLSDIR}\/appfinder/g' -o -f - | \ $ISED -c 
's/\/opt\/NsCDE\/libexec\/appfinder/\$NSCDE_TOOLSDIR\/appfinder/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/appfinder/\$\[NSCDE_TOOLSDIR\]\/appfinder/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/backdropmgr/\$NSCDE_TOOLSDIR\/backdropmgr/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/backdropmgr/\${NSCDE_TOOLSDIR}\/backdropmgr/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/backdropmgr/\$NSCDE_TOOLSDIR\/backdropmgr/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/backdropmgr/\$\[NSCDE_TOOLSDIR\]\/backdropmgr/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/colormgr/\$NSCDE_TOOLSDIR\/colormgr/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/colormgr/\${NSCDE_TOOLSDIR}\/colormgr/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/colormgr/\$NSCDE_TOOLSDIR\/colormgr/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/colormgr/\$\[NSCDE_TOOLSDIR\]\/colormgr/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/fontmgr/\$NSCDE_TOOLSDIR\/fontmgr/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/fontmgr/\${NSCDE_TOOLSDIR}\/fontmgr/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/fontmgr/\$NSCDE_TOOLSDIR\/fontmgr/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/fontmgr/\$\[NSCDE_TOOLSDIR\]\/fontmgr/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/fpexec/\$NSCDE_TOOLSDIR\/fpexec/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/fpexec/\${NSCDE_TOOLSDIR}\/fpexec/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/fpexec/\$NSCDE_TOOLSDIR\/fpexec/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/fpexec/\$\[NSCDE_TOOLSDIR\]\/fpexec/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/fp_manage_subpanel/\$NSCDE_TOOLSDIR\/fp_manage_subpanel/g' -o -f - | \ $ISED -c 
's/\${NSCDE_ROOT}\/libexec\/fp_manage_subpanel/\${NSCDE_TOOLSDIR}\/fp_manage_subpanel/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/fp_manage_subpanel/\$NSCDE_TOOLSDIR\/fp_manage_subpanel/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/fp_manage_subpanel/\$\[NSCDE_TOOLSDIR\]\/fp_manage_subpanel/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/fpseticon/\$NSCDE_TOOLSDIR\/fpseticon/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/fpseticon/\${NSCDE_TOOLSDIR}\/fpseticon/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/fpseticon/\$NSCDE_TOOLSDIR\/fpseticon/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/fpseticon/\$\[NSCDE_TOOLSDIR\]\/fpseticon/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/generate_app_menus/\$NSCDE_TOOLSDIR\/generate_app_menus/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/generate_app_menus/\${NSCDE_TOOLSDIR}\/generate_app_menus/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/generate_app_menus/\$NSCDE_TOOLSDIR\/generate_app_menus/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/generate_app_menus/\$\[NSCDE_TOOLSDIR\]\/generate_app_menus/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/generate_subpanels/\$NSCDE_TOOLSDIR\/generate_subpanels/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/generate_subpanels/\${NSCDE_TOOLSDIR}\/generate_subpanels/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/generate_subpanels/\$NSCDE_TOOLSDIR\/generate_subpanels/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/generate_subpanels/\$\[NSCDE_TOOLSDIR\]\/generate_subpanels/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/keymenu/\$NSCDE_TOOLSDIR\/keymenu/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/keymenu/\${NSCDE_TOOLSDIR}\/keymenu/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/keymenu/\$NSCDE_TOOLSDIR\/keymenu/g' -o -f 
- | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/keymenu/\$\[NSCDE_TOOLSDIR\]\/keymenu/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/colorconv\.py/\$NSCDE_TOOLSDIR\/colorconv/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/colorconv\.py/\${NSCDE_TOOLSDIR}\/colorconv/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/colorconv\.py/\$NSCDE_TOOLSDIR\/colorconv/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/colorconv\.py/\$\[NSCDE_TOOLSDIR\]\/colorconv/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/geticon\.py/\$NSCDE_TOOLSDIR\/geticon/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/geticon\.py/\${NSCDE_TOOLSDIR}\/geticon/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/geticon\.py/\$NSCDE_TOOLSDIR\/geticon/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/geticon\.py/\$\[NSCDE_TOOLSDIR\]\/geticon/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/getla1\.py/\$NSCDE_TOOLSDIR\/getla1/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/getla1\.py/\${NSCDE_TOOLSDIR}\/getla1/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/getla1\.py/\$NSCDE_TOOLSDIR\/getla1/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/getla1\.py/\$\[NSCDE_TOOLSDIR\]\/getla1/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/nscde-acpi/\$NSCDE_TOOLSDIR\/acpimgr/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/nscde-acpi/\${NSCDE_TOOLSDIR}\/acpimgr/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/nscde-acpi/\$NSCDE_TOOLSDIR\/acpimgr/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/nscde-acpi/\$\[NSCDE_TOOLSDIR\]\/acpimgr/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/nscde_get_logical_screens/\$NSCDE_TOOLSDIR\/get_logical_screens/g' -o -f - | \ $ISED -c 
's/\${NSCDE_ROOT}\/libexec\/nscde_get_logical_screens/\${NSCDE_TOOLSDIR}\/get_logical_screens/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/nscde_get_logical_screens/\$NSCDE_TOOLSDIR\/get_logical_screens/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/nscde_get_logical_screens/\$\[NSCDE_TOOLSDIR\]\/get_logical_screens/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/nscde_palette_colorgen\.py/\$NSCDE_TOOLSDIR\/palette_colorgen/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/nscde_palette_colorgen\.py/\${NSCDE_TOOLSDIR}\/palette_colorgen/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/nscde_palette_colorgen\.py/\$NSCDE_TOOLSDIR\/palette_colorgen/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/nscde_palette_colorgen\.py/\$\[NSCDE_TOOLSDIR\]\/palette_colorgen/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/nscde_setup/\$NSCDE_TOOLSDIR\/bootstrap/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/nscde_setup/\${NSCDE_TOOLSDIR}\/bootstrap/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/nscde_setup/\$NSCDE_TOOLSDIR\/bootstrap/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/nscde_setup/\$\[NSCDE_TOOLSDIR\]\/bootstrap/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/strip_icon_path/\$NSCDE_TOOLSDIR\/strip_icon_path/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/strip_icon_path/\${NSCDE_TOOLSDIR}\/strip_icon_path/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/strip_icon_path/\$NSCDE_TOOLSDIR\/strip_icon_path/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/strip_icon_path/\$\[NSCDE_TOOLSDIR\]\/strip_icon_path/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/style_managers\.shlib/\$NSCDE_TOOLSDIR\/style_managers\.shlib/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/style_managers\.shlib/\${NSCDE_TOOLSDIR}\/style_managers\.shlib/g' -o 
-f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/style_managers\.shlib/\$NSCDE_TOOLSDIR\/style_managers\.shlib/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/style_managers\.shlib/\$\[NSCDE_TOOLSDIR\]\/style_managers\.shlib/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/subpanel_menuitem_props/\$NSCDE_TOOLSDIR\/subpanel_menuitem_props/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/subpanel_menuitem_props/\${NSCDE_TOOLSDIR}\/subpanel_menuitem_props/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/subpanel_menuitem_props/\$NSCDE_TOOLSDIR\/subpanel_menuitem_props/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/subpanel_menuitem_props/\$\[NSCDE_TOOLSDIR\]\/subpanel_menuitem_props/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/themegen.py/\$NSCDE_TOOLSDIR\/themegen/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/themegen.py/\${NSCDE_TOOLSDIR}\/themegen/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/themegen.py/\$NSCDE_TOOLSDIR\/themegen/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/themegen.py/\$\[NSCDE_TOOLSDIR\]\/themegen/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/libexec\/xrandr_backer/\$NSCDE_TOOLSDIR\/xrandr_backer/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/libexec\/xrandr_backer/\${NSCDE_TOOLSDIR}\/xrandr_backer/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/libexec\/xrandr_backer/\$NSCDE_TOOLSDIR\/xrandr_backer/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/libexec\/xrandr_backer/\$\[NSCDE_TOOLSDIR\]\/xrandr_backer/g' -o -f - > /tmp/_migrate_tmp1.$$ # Share paths cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/config_templates\/integration/\$NSCDE_DATADIR\/integration/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/config_templates\/integration/\${NSCDE_DATADIR}\/integration/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/config_templates\/integration/\$NSCDE_DATADIR\/integration/g' 
-o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/config_templates\/integration/\$\[NSCDE_DATADIR\]\/integration/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/config_templates/\$NSCDE_DATADIR\/config_templates/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/config_templates/\${NSCDE_DATADIR}\/config_templates/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/config_templates/\$NSCDE_DATADIR\/config_templates/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/config_templates/\$\[NSCDE_DATADIR\]\/config_templates/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/palettes/\$NSCDE_DATADIR\/palettes/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/palettes/\${NSCDE_DATADIR}\/palettes/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/palettes/\$NSCDE_DATADIR\/palettes/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/palettes/\$\[NSCDE_DATADIR\]\/palettes/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/backdrops/\$NSCDE_DATADIR\/backdrops/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/backdrops/\${NSCDE_DATADIR}\/backdrops/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/backdrops/\$NSCDE_DATADIR\/backdrops/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/backdrops/\$\[NSCDE_DATADIR\]\/backdrops/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/photos/\$NSCDE_DATADIR\/photos/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/photos/\${NSCDE_DATADIR}\/photos/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/photos/\$NSCDE_DATADIR\/photos/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/photos/\$\[NSCDE_DATADIR\]\/photos/g' -o -f - > /tmp/_migrate_tmp0.$$ # Scripts cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/lib\/scripts/\$NSCDE_LIBDIR\/scripts/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/lib\/scripts/\${NSCDE_LIBDIR}\/scripts/g' -o -f - | \ $ISED -c 
's/\/opt\/NsCDE\/lib\/scripts/\$NSCDE_LIBDIR\/scripts/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/lib\/scripts/\$\[NSCDE_LIBDIR\]\/scripts/g' -o -f - > /tmp/_migrate_tmp1.$$ # Config cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/config\/AppMenus\.conf/\$NSCDE_DATADIR\/defaults\/AppMenus\.conf/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config\/AppMenus\.conf/\${NSCDE_DATADIR}\/defaults\/AppMenus\.conf/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/config\/AppMenus\.conf/\$NSCDE_DATADIR\/defaults\/AppMenus\.conf/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config\/AppMenus\.conf/\$\[NSCDE_DATADIR\]\/defaults\/AppMenus\.conf/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/config\/FrontPanel\.actions/\$NSCDE_DATADIR\/defaults\/FrontPanel\.actions/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config\/FrontPanel\.actions/\${NSCDE_DATADIR}\/defaults\/FrontPanel\.actions/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/config\/FrontPanel\.actions/\$NSCDE_DATADIR\/defaults\/FrontPanel\.actions/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config\/FrontPanel\.actions/\$\[NSCDE_DATADIR\]\/defaults\/FrontPanel\.actions/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/config\/Keymenu\.actions/\$NSCDE_DATADIR\/defaults\/Keymenu\.actions/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config\/Keymenu\.actions/\${NSCDE_DATADIR}\/defaults\/Keymenu\.actions/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/config\/Keymenu\.actions/\$NSCDE_DATADIR\/defaults\/Keymenu\.actions/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config\/Keymenu\.actions/\$\[NSCDE_DATADIR\]\/defaults\/Keymenu\.actions/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/config\/Subpanels\.actions/\$NSCDE_DATADIR\/defaults\/Subpanels\.actions/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config\/Subpanels\.actions/\${NSCDE_DATADIR}\/defaults\/Subpanels\.actions/g' -o -f - | \ $ISED -c 
's/\/opt\/NsCDE\/config\/Subpanels\.actions/\$NSCDE_DATADIR\/defaults\/Subpanels\.actions/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config\/Subpanels\.actions/\$\[NSCDE_DATADIR\]\/defaults\/Subpanels\.actions/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/config\/WSM\.conf/\$NSCDE_DATADIR\/defaults\/WSM\.conf/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config\/WSM\.conf/\${NSCDE_DATADIR}\/defaults\/WSM\.conf/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/config\/WSM\.conf/\$NSCDE_DATADIR\/defaults\/WSM\.conf/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config\/WSM\.conf/\$\[NSCDE_DATADIR\]\/defaults\/WSM\.conf/g' -o -f - > /tmp/_migrate_tmp0.$$ cat /tmp/_migrate_tmp0.$$ | $ISED -c 's/\$NSCDE_ROOT\/config/\$NSCDE_DATADIR\/fvwm/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/config/\${NSCDE_DATADIR}\/fvwm/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/config/\$NSCDE_DATADIR\/fvwm/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/config/\$\[NSCDE_DATADIR\]\/fvwm/g' -o -f - > /tmp/_migrate_tmp1.$$ cat /tmp/_migrate_tmp1.$$ | $ISED -c 's/\$NSCDE_ROOT\/share\/icons\/NsCDE/\$NSCDE_DATADIR\/icons\/NsCDE/g' -o -f - | \ $ISED -c 's/\${NSCDE_ROOT}\/share\/icons\/NsCDE/\${NSCDE_DATADIR}\/icons\/NsCDE/g' -o -f - | \ $ISED -c 's/\/opt\/NsCDE\/share\/icons\/NsCDE/\$NSCDE_DATADIR\/icons\/NsCDE/g' -o -f - | \ $ISED -c 's/\$\[NSCDE_ROOT\]\/share\/icons\/NsCDE/\$\[NSCDE_DATADIR\]\/icons\/NsCDE/g' -o -f - > /tmp/_migrate_tmp0.$$ # Use cat(1) instead of mv(1) to preserve permissions and other file attributes. 
cat /tmp/_migrate_tmp0.$$ > $1 rm -f /tmp/_migrate_tmp1.$$ } function replace_confnames_in_files { old_confs_escaped="NsCDE-Backer\.conf NsCDE-Event\.conf NsCDE-FinishInit\.conf NsCDE-Form\.conf NsCDE-FrontPanel\.conf NsCDE-Functions\.conf NsCDE-IconMan\.conf NsCDE-Ident\.conf NsCDE-Init\.conf NsCDE-Keybindings\.conf NsCDE-Main\.conf NsCDE-Menus\.conf NsCDE-Monitors\.conf NsCDE-Mousebindings\.conf NsCDE-Pager-LocalPager\.conf NsCDE-Pager-WspLocPager\.conf NsCDE-Sandbox\.conf NsCDE-Script\.conf NsCDE-Style\.conf";
fail alterator-deploy-0.1.0-alt1.x86_64 Found error in /usr/lib/alterator/backend3/deploy: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/deploy ;; esac ;; write) case "${in__objects##*/}" in set) echo "Role: ${in_role:?}" >> /tmp/out echo "Parameter: ${in_parameter:?}" >> /tmp/out echo "Value: ${in_value:?}" >> /tmp/out set_parameter "${in_role:?}" "${in_parameter:?}" "${in_value?}" ;; reset) reset_parameter "${in_role:?}" "${in_parameter:?}" ;;;
fail alterator-mass-management-0.1.7-alt1.noarch Found error in /usr/lib/alterator/backend3/mass-management: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/mass-management mkdir -p "$TASKS_DIR/task-$number" cat >"$TASKS_DIR/task-$number.yml" <> /tmp/mode.log echo "$(set|grep -a "in_")" >> /tmp/mode.log case "$in_action" in type) write_type_item hostlist hostname-list #write_type_item add_host hostname ;;;
fail alterator-net-domain-0.7.3-alt4.x86_64 Found error in /usr/lib/alterator/backend3/net-domain: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/net-domain ## https://www.altlinux.org/ActiveDirectory/DC ad_provision_domain() { local domain_name="$1" shift local log="/tmp/samba-dc-provision-$(date +%d.%m.%Y-%H:%M:%S)-$domain_name.log" # Begin log date > "$log" echo "Domain: $domain_name" >> "$log" echo >> "$log" -- if [ "$in_domain_type" = 'ad' ]; then if ipa_install_running; then ipa_install_stop fi env > /tmp/net-domain.txt ad_current_domain="$($samba_tool domain info '127.0.0.1' | sed 's/ *: /:/' | sed -n 's/^Domain://p')" # Check creation of existing domain if [ "$ad_current_domain" != "$in_domain" ]; then write_domain "$in_domain" "1";
fail alterator-preinstall-0.9.2-alt1.noarch Found error in /usr/lib/alterator/backend3/preinstall: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/preinstall # run scripts for f in "$preinstall_dir"/*; do [ -f "$f" -a -x "$f" ] || continue echo "Running $f" >>/tmp/preinstall.log if "$f" >>/tmp/preinstall.log 2>&1; then notify "package \"${f##*/}\" step $counter" counter=$(($counter + 1)) printf '%s %s - OK\n' "$(date +%T)" "$f" >&2 else notify "error \"${f##*/}\"" -- notify "package \" \" step $max" # replace itself with alteratord from chroot [ -d "$ALTERATOR_DESTDIR" ] || return 0 rm -f /tmp/alterator/.socket chroot "$ALTERATOR_DESTDIR" /etc/init.d/alteratord start mount -o bind $destdir$alteratord_socket_dir $alteratord_socket_dir # wait until new alteratord is ready to use alterator-wait;
fail asterisk-20.9.3-alt1.x86_64 Found error in /usr/share/asterisk/scripts/ast_loggrabber: $ grep -A5 -B5 /tmp/ /usr/share/asterisk/scripts/ast_loggrabber # Timestamp to use for output files df=${tarball_uniqueid:-$(${DATEFORMAT})} # Extract the Python timestamp conver script from the end of this # script and save it to /tmp/.ast_tsconvert.py ss=`egrep -n "^#@@@SCRIPTSTART@@@" $0 |cut -f1 -d:` tail -n +${ss} $0 >/tmp/.ast_tsconvert.py tmpdir=$(mktemp -d) if [ -z "$tmpdir" ] ; then echo "${prog}: Unable to create temporary directory." exit 1 -- destdir="$tmpdir/$tardir/$(dirname $lf)" destfile="$tmpdir/$tardir/$lf" mkdir -p "$destdir" 2>/dev/null || : if [ -n "$LOG_DATEFORMAT" ] ; then echo "Converting $lf" cat "$lf" | python /tmp/.ast_tsconvert.py --format="$LOG_DATEFORMAT" --timezone="$LOG_TIMEZONE" > "${destfile}" else echo "Copying $lf" cp "$lf" "${destfile}" fi done echo "Creating /tmp/$tardir.tar.gz" tar -czvf /tmp/$tardir.tar.gz -C $tmpdir $tardir 2>/dev/null exit # Be careful editing the inline scripts. # They're space-indented.
Found error in /usr/sbin/astversion: $ grep -A5 -B5 /tmp/ /usr/sbin/astversion # source directories to search SRC_DIRS=() main() { TMPFILE="/tmp/astversion.$$" sanity_check locate_files "$@" locate_libraries locate_modules -- scan_package_redhat() { PKGNAME="$1" if ! rpm -q $PKGNAME > /tmp/astversion-$PKGNAME-version then rm -f /tmp/astversion-$PKGNAME-version return 2 fi rpm -ql $PKGNAME > /tmp/astversion-$PKGNAME-files rpm -V $PKGNAME > /tmp/astversion-$PKGNAME-verify return 0 } scan_package_debian() { PKGNAME="$1" if ! dpkg -s $PKGNAME > $TMPFILE then rm -f /tmp/astversion-$PKGNAME-version return 2 fi # prefix the version with the package name to mimic rpm echo -n "$PKGNAME " > /tmp/astversion-$PKGNAME-version cat $TMPFILE | fgrep Version |cut -d ' ' -f2 >> /tmp/astversion-$PKGNAME-version dpkg -L $PKGNAME > /tmp/astversion-$PKGNAME-files dpkg -V $PKGNAME > /tmp/astversion-$PKGNAME-verify } package_has_file() { PKGNAME="$1" PKGFILE="$2" if [ ! -f /tmp/astversion-$PKGNAME-version ] then return 1 fi if [ ! -f /tmp/astversion-$PKGNAME-files ] then return 2 fi if ! fgrep "$PKGFILE" /tmp/astversion-$PKGNAME-files >/dev/null then # package doesn't have that file return 3 fi if fgrep "$PKGFILE" /tmp/astversion-$PKGNAME-verify >/dev/null then # file does not match package return 4 fi -- { # search each package and report files that match for PACKAGE in ${PACKAGES[@]} do scan_package_$DISTRO "$PACKAGE" PKGVERSION=$(cat /tmp/astversion-$PKGNAME-version) FOUND=() for FILE in ${FILES[@]} do if package_has_file "$PACKAGE" "$FILE" -- else echo "Matched ${#FOUND[@]} files to package $PKGVERSION" fi fi rm -f /tmp/astversion-$PKGNAME-version rm -f /tmp/astversion-$PKGNAME-files rm -f /tmp/astversion-$PKGNAME-verify done } search_source() {;
fail bacula15-director-common-15.0.3-alt1.x86_64 Found error in /usr/share/doc/bacula15-director-common-15.0.3/updatedb/update_mysql_tables_11_to_12: $ grep -A5 -B5 /tmp/ /usr/share/doc/bacula15-director-common-15.0.3/updatedb/update_mysql_tables_11_to_12 echo " " bindir=/usr/bin PATH="$bindir:$PATH" db_name=${db_name:-bacula} mysql $* -D ${db_name} -e "select VersionId from Version\G" >/tmp/$$ DBVERSION=`sed -n -e 's/^VersionId: \(.*\)$/\1/p' /tmp/$$` if [ $DBVERSION != 11 ] ; then echo " " echo "The existing database is version $DBVERSION !!" echo "This script can only update an existing version 11 database to version 12." echo "Error. Cannot upgrade this database.";
fail bacula15-director-mysql-15.0.3-alt1.x86_64 Found error in /usr/share/bacula/scripts/update_mysql_tables: $ grep -A5 -B5 /tmp/ /usr/share/bacula/scripts/update_mysql_tables ARGS=$* getVersion() { mysql $ARGS -D ${db_name} -e "select VersionId from Version LIMIT 1\G" >/tmp/$$ DBVERSION=`sed -n -e 's/^VersionId: \(.*\)$/\1/p' /tmp/$$` } getVersion if [ "x$DBVERSION" = x ]; then;
fail displaylink-driver-6.1.0-alt1.17.x86_64 Found error in /usr/lib/systemd/system-sleep/displaylink.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/system-sleep/displaylink.sh # Copyright (c) 2015 - 2019 DisplayLink (UK) Ltd. suspend_displaylink-driver() { #flush any bytes in pipe while read -n 1 -t 1 SUSPEND_RESULT < /tmp/PmMessagesPort_out; do : ; done; #suspend DisplayLinkManager echo "S" > /tmp/PmMessagesPort_in if [ -p /tmp/PmMessagesPort_out ]; then #wait until suspend of DisplayLinkManager finish read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out fi } resume_displaylink-driver() { #resume DisplayLinkManager echo "R" > /tmp/PmMessagesPort_in } main_systemd() { case "\$1/\$2" in;
fail dogtag-pki-server-11.4.3-alt4.x86_64 Found error in /usr/share/pki/server/bin/pki-server-run: $ grep -A5 -B5 /tmp/ /usr/share/pki/server/bin/pki-server-run [ -f /var/lib/tomcats/pki/conf/certs/ca_signing.key ] then echo "INFO: Importing CA Signing Certificate and Key" # generate random password openssl rand -hex 8 > /tmp/password # import PEM cert and key into PKCS #12 file openssl pkcs12 -export \ -in /var/lib/tomcats/pki/conf/certs/ca_signing.crt \ -inkey /var/lib/tomcats/pki/conf/certs/ca_signing.key \ -out /tmp/certs.p12 \ -name ca_signing \ -passout file:/tmp/password # import PKCS #12 file into NSS database pki -d /var/lib/tomcats/pki/conf/alias pkcs12-import \ --pkcs12 /tmp/certs.p12 \ --password-file /tmp/password # trust imported CA signing cert certutil -M -d /var/lib/tomcats/pki/conf/alias -n ca_signing -t CT,C,C rm /tmp/certs.p12 rm /tmp/password fi # import certs.p12 if available if [ -f /var/lib/tomcats/pki/conf/certs/certs.p12 ] then -- # generate CA signing CSR pki -d /var/lib/tomcats/pki/conf/alias nss-cert-request \ --subject "CN=CA Signing Certificate" \ --ext /usr/share/pki/server/certs/ca_signing.conf \ --csr /tmp/ca_signing.csr # issue self-signed CA signing cert pki -d /var/lib/tomcats/pki/conf/alias nss-cert-issue \ --csr
/tmp/ca_signing.csr \ --ext /usr/share/pki/server/certs/ca_signing.conf \ --months-valid 12 \ --cert /tmp/ca_signing.crt # import and trust CA signing cert into NSS database pki -d /var/lib/tomcats/pki/conf/alias nss-cert-import \ --cert /tmp/ca_signing.crt \ --trust CT,C,C \ ca_signing rm /tmp/ca_signing.crt rm /tmp/ca_signing.csr fi echo "INFO: CA Signing Certificate:" certutil -L -d /var/lib/tomcats/pki/conf/alias -n ca_signing -- # generate SSL server CSR pki -d /var/lib/tomcats/pki/conf/alias nss-cert-request \ --subject "CN=$HOSTNAME" \ --ext /usr/share/pki/server/certs/sslserver.conf \ --csr /tmp/sslserver.csr # issue SSL server cert pki -d /var/lib/tomcats/pki/conf/alias nss-cert-issue \ --issuer ca_signing \ --csr /tmp/sslserver.csr \ --ext /usr/share/pki/server/certs/sslserver.conf \ --cert /tmp/sslserver.crt # import SSL server cert into NSS database pki -d /var/lib/tomcats/pki/conf/alias nss-cert-import \ --cert /tmp/sslserver.crt \ sslserver rm /tmp/sslserver.crt rm /tmp/sslserver.csr fi echo "INFO: SSL Server Certificate:" certutil -L -d /var/lib/tomcats/pki/conf/alias -n sslserver;
fail dracut-105-alt1.x86_64 Found error in /usr/lib/dracut/modules.d/99base/init.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/99base/init.sh # # Copyright 2008-2010, Red Hat, Inc. # Harald Hoyer # Jeremy Katz export -p > /tmp/export.orig NEWROOT="/sysroot" [ -d $NEWROOT ] || mkdir -p -m 0755 $NEWROOT OLDPATH=$PATH -- echo "$line" >> /etc/cmdline.d/99-cmdline-ask.conf done fi if ! getargbool 1 'rd.hostonly'; then [ -f /etc/cmdline.d/99-cmdline-ask.conf ] && mv /etc/cmdline.d/99-cmdline-ask.conf /tmp/99-cmdline-ask.conf remove_hostonly_files [ -f /tmp/99-cmdline-ask.conf ] && mv /tmp/99-cmdline-ask.conf /etc/cmdline.d/99-cmdline-ask.conf fi # run scriptlets to parse the command line make_trace_mem "hook cmdline" '1+:mem' '1+:iomem' '3+:slab' getargs 'rd.break=cmdline' && emergency_shell -n cmdline "Break before cmdline" -- *) unset "$i" ;; esac done .
/tmp/export.orig 2> /dev/null || : rm -f -- /tmp/export.orig initargs="" read -r CLINE < /proc/cmdline if getarg init= > /dev/null; then ignoreargs="console BOOT_IMAGE" Found error in /usr/lib/dracut/modules.d/98syslog/rsyslogd-start.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/98syslog/rsyslogd-start.sh set -f for filter in $filters; do echo "${filter} @${server}" done ) #echo "*.* /tmp/syslog" } [ -f /tmp/syslog.type ] && read -r type < /tmp/syslog.type [ -f /tmp/syslog.server ] && read -r server < /tmp/syslog.server [ -f /tmp/syslog.filters ] && read -r filters < /tmp/syslog.filters [ -z "$filters" ] && filters="kern.*" [ -f /tmp/syslog.conf ] && read -r conf < /tmp/syslog.conf [ -z "$conf" ] && conf="/etc/rsyslog.conf" && echo "$conf" > /tmp/syslog.conf if [ "$type" = "rsyslogd" ]; then template=/etc/templates/rsyslog.conf if [ -n "$server" ]; then rsyslog_config "$server" "$template" "$filters" > "$conf" Found error in /usr/lib/dracut/modules.d/98syslog/parse-syslog-opts.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/98syslog/parse-syslog-opts.sh syslogserver=$(getarg syslog.server -d syslog) syslogfilters=$(getargs syslog.filter -d filter) syslogtype=$(getarg syslog.type -d syslogtype) [ -n "$syslogserver" ] && echo "$syslogserver" > /tmp/syslog.server [ -n "$syslogfilters" ] && echo "$syslogfilters" > /tmp/syslog.filters if [ -n "$syslogtype" ]; then echo "$syslogtype" > /tmp/syslog.type else syslogtype=$(detect_syslog) echo "$syslogtype" > /tmp/syslog.type fi Found error in /usr/lib/dracut/modules.d/95nvmf/parse-nvmf-boot-connections.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/95nvmf/parse-nvmf-boot-connections.sh vlan=$(nbft_run_jq .vlan "$hfi_json") || vlan=0 # treat VLAN zero as "no vlan" [ "$vlan" -ne 0 ] || vlan= [ ! -e /tmp/net."${iface}${vlan:+.$vlan}".has_ibft_config ] || return 0 dhcp=$(nbft_run_jq -r .dhcp_server_ipaddr "$hfi_json") # We need to check $? here as the above is an assignment # shellcheck disable=2181 if [ $? 
-eq 0 ] && [ "$dhcp" ] && [ "$dhcp" != null ]; then -- echo "ip=$ipaddr::$gateway:$prefix:$hostname:$iface${vlan:+.$vlan}:none${dns1:+:$dns1}${dns2:+:$dns2}" fi if [ "$vlan" ]; then echo "vlan=$iface.$vlan:$iface" echo "$mac" > "/tmp/net.$iface.$vlan.has_ibft_config" else echo "$mac" > "/tmp/net.$iface.has_ibft_config" fi : > /tmp/valid_nbft_entry_found } nbft_parse() { local nbft_json n_nbft all_hfi_json n_hfi local j=0 i -- if [ "$traddr" = "none" ]; then warn "traddr is mandatory for $trtype" return 0 fi if [ "$trtype" = "tcp" ]; then : > /tmp/nvmf_needs_network elif [ "$trtype" = "fc" ]; then if [ "$traddr" = "auto" ]; then rm -f /etc/nvme/discovery.conf /etc/nvme/config.json return 1 fi -- nvmf_hostid=$(getarg rd.nvmf.hostid -d nvmf.hostid=) if [ -n "$nvmf_hostid" ]; then echo "$nvmf_hostid" > /etc/nvme/hostid fi rm -f /tmp/nvmf-fc-auto for d in $(getargs rd.nvmf.discover -d nvmf.discover=); do parse_nvmf_discover "$d" || { : > /tmp/nvmf-fc-auto break } done if [ -e /tmp/nvmf_needs_network ] || [ -e /tmp/valid_nbft_entry_found ]; then echo "rd.neednet=1" > /etc/cmdline.d/nvmf-neednet.conf # netroot is a global variable that is present in all "sourced" scripts # shellcheck disable=SC2034 netroot=nbft rm -f /tmp/nvmf_needs_network fi /sbin/initqueue --settled --onetime --name nvmf-connect-settled /sbin/nvmf-autoconnect.sh settled /sbin/initqueue --timeout --onetime --name nvmf-connect-timeout /sbin/nvmf-autoconnect.sh timeout Found error in /usr/lib/dracut/modules.d/90dmraid/dmraid.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmraid/dmraid.sh type getarg > /dev/null 2>&1 || . 
/lib/dracut-lib.sh devenc=$(str_replace "$1" '/' '\2f') [ -e /tmp/dmraid."$devenc" ] && exit 0 : > /tmp/dmraid."$devenc" DM_RAIDS=$(getargs rd.dm.uuid) if [ -n "$DM_RAIDS" ] || getargbool 0 rd.auto; then # run dmraid if udev has settled Found error in /usr/lib/dracut/modules.d/90crypt/probe-keydev.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90crypt/probe-keydev.sh info "Probing $real_keydev for $keypath..." test_dev -f "$real_keydev" "$keypath" || exit 1 info "Found $keypath on $real_keydev" echo "$luksdev:$real_keydev:$keypath" >> /tmp/luks.keys Found error in /usr/lib/dracut/modules.d/90crypt/parse-keydev.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90crypt/parse-keydev.sh fi # A keydev of '/' is treated as the initrd itself if [ "/" = "$keydev" ]; then [ -z "$luksdev" ] && luksdev='*' echo "$luksdev:$keydev:$keypath" >> /tmp/luks.keys continue elif [ -n "$keydev" ]; then udevmatch "$keydev" >&7 || { warn 'keydev incorrect!' continue Found error in /usr/lib/dracut/modules.d/04watchdog/watchdog.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/04watchdog/watchdog.sh #!/bin/sh if [ -e /dev/watchdog ]; then if [ ! -e /tmp/watchdog_timeout ]; then wdctl -s 60 /dev/watchdog > /dev/null 2>&1 : > /tmp/watchdog_timeout fi info "Triggering watchdog" : > /dev/watchdog else modprobe i6300esb;
fail dracut-live-105-alt1.noarch Found error in /usr/lib/dracut/modules.d/90livenet/parse-livenet.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90livenet/parse-livenet.sh # live updates updates=$(getarg live.updates=) if [ -n "$updates" ]; then # make sure network comes up even if we're doing a local live device if [ -z "$netroot" ]; then echo > /tmp/net.ifaces fi echo "$updates" > /tmp/liveupdates.info echo '[ -e /tmp/liveupdates.done ]' > "$hookdir"/initqueue/finished/liveupdates.sh fi str_starts "$root" "live:" && liveurl="$root" str_starts "$liveurl" "live:" || return liveurl="${liveurl#live:}" Found error in /usr/lib/dracut/modules.d/90livenet/livenetroot.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90livenet/livenetroot.sh PATH=/usr/sbin:/usr/bin:/sbin:/bin RETRIES=${RETRIES:-100} SLEEP=${SLEEP:-5} [ -e /tmp/livenet.downloaded ] && exit 0 # args get passed from 40network/netroot netroot="$2" liveurl="${netroot#livenet:}" info "fetching $liveurl" -- sleep "$SLEEP" fi i=$((i + 1)) done > /tmp/livenet.downloaded # TODO: couldn't dmsquash-live-root handle this?
if [ "${imgfile##*.}" = "iso" ]; then root=$(losetup -f) losetup "$root" "$imgfile" Found error in /usr/lib/dracut/modules.d/90dmsquash-live-autooverlay/create-overlay.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live-autooverlay/create-overlay.sh #!/bin/sh type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh if getargbool 0 rd.live.debug; then exec > /tmp/create-overlay.$$.out exec 2>> /tmp/create-overlay.$$.out set -x fi gatherData() { overlay=$(getarg rd.live.overlay) Found error in /usr/lib/dracut/modules.d/90dmsquash-live/iso-scan.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live/iso-scan.sh do_iso_scan() { local _name local dev for dev in /dev/disk/by-uuid/*; do _name=$(dev_unit_name "$dev") [ -e /tmp/isoscan-"${_name}" ] && continue : > /tmp/isoscan-"${_name}" mount -t auto -o ro "$dev" "/run/initramfs/isoscan" || continue if [ -f "/run/initramfs/isoscan/$isofile" ]; then losetup -f "/run/initramfs/isoscan/$isofile" udevadm trigger --action=add > /dev/null 2>&1 ln -s "$dev" /run/initramfs/isoscandev Found error in /usr/lib/dracut/modules.d/90dmsquash-live/dmsquash-live-root.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/90dmsquash-live/dmsquash-live-root.sh command -v unpack_archive > /dev/null || . /lib/img-lib.sh PATH=/usr/sbin:/usr/bin:/sbin:/bin if getargbool 0 rd.live.debug; then exec > /tmp/liveroot.$$.out exec 2>> /tmp/liveroot.$$.out set -x fi [ -z "$1" ] && exit 1 livedev="$1";
fail dracut-network-105-alt1.noarch Found error in /usr/lib/dracut/modules.d/95iscsi/parse-iscsiroot.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/95iscsi/parse-iscsiroot.sh [ -z "$netroot" ] && netroot=iscsi: fi modprobe -b -q iscsi_boot_sysfs 2> /dev/null modprobe -b -q iscsi_ibft # if no ip= is given, but firmware echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > "$hookdir"/initqueue/finished/iscsi_started.sh initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT" initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT" initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'" fi -- sleep 1 fi fi # If not given on the cmdline and initiator-name available via iBFT if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && !
[ -f /tmp/iscsi_set_initiator ]; then iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name) if [ -n "$iscsi_initiator" ]; then echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi rm -f /etc/iscsi/initiatorname.iscsi mkdir -p /etc/iscsi ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi : > /tmp/iscsi_set_initiator if [ -n "$DRACUT_SYSTEMD" ]; then systemctl try-restart iscsid # FIXME: iscsid is not yet ready, when the service is :-/ sleep 1 fi -- for nroot in $(getargs netroot); do [ "${nroot%%:*}" = "iscsi" ] || continue type parse_iscsi_root > /dev/null 2>&1 || . /lib/net-lib.sh parse_iscsi_root "$nroot" || return 1 netroot_enc=$(str_replace "$nroot" '/' '\2f') echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-$netroot_enc' ]" > "$hookdir"/initqueue/finished/iscsi_started.sh done # Done, all good! # shellcheck disable=SC2034 rootok=1 Found error in /usr/lib/dracut/modules.d/95iscsi/iscsiroot.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/95iscsi/iscsiroot.sh modprobe crc32c 2> /dev/null # start iscsiuio if needed if [ -z "${DRACUT_SYSTEMD}" ] \ && { [ -e /sys/module/bnx2i ] || [ -e /sys/module/qedi ]; } \ && ! [ -e /tmp/iscsiuio-started ]; then iscsiuio : > /tmp/iscsiuio-started fi handle_firmware() { local ifaces retry _res -- else ifaces=$( set -- /sys/firmware/ibft/ethernet* echo $# ) read -r retry < /tmp/session-retry if [ "$retry" -lt "$ifaces" ]; then retry=$((retry + 1)) echo $retry > /tmp/session-retry return 1 else rm /tmp/session-retry fi # check to see if we have the new iscsiadm command, # that supports the "no-wait" (-W) flag. If so, use it. iscsiadm -m fw -l -W 2> /dev/null -- else need_shutdown fi fi [ -d /sys/class/iscsi_session ] || return 1 echo 'started' > "/tmp/iscsistarted-iscsi:" echo 'started' > "/tmp/iscsistarted-firmware" return 0 } handle_netroot() { -- # XXX is this needed? 
getarg ro && iscsirw=ro getarg rw && iscsirw=rw fsopts=${fsopts:+$fsopts,}${iscsirw} if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name) echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi rm -f /etc/iscsi/initiatorname.iscsi mkdir -p /etc/iscsi ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi : > /tmp/iscsi_set_initiator if [ -n "$DRACUT_SYSTEMD" ]; then systemctl try-restart iscsid # FIXME: iscsid is not yet ready, when the service is :-/ sleep 1 fi -- iscsi_initiator=$(iscsi-iname) echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi rm -f /etc/iscsi/initiatorname.iscsi mkdir -p /etc/iscsi ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi : > /tmp/iscsi_set_initiator if [ -n "$DRACUT_SYSTEMD" ]; then systemctl try-restart iscsid # FIXME: iscsid is not yet ready, when the service is :-/ sleep 1 fi -- return 1 fi : > "$hookdir"/initqueue/work netroot_enc=$(str_replace "$1" '/' '\2f') echo 'started' > "/tmp/iscsistarted-iscsi:${netroot_enc}" return 0 } ret=0 -- sleep 2 fi if getargbool 0 rd.iscsi.firmware -d -y iscsi_firmware; then if [ "$netif" = "timeout" ] || [ "$netif" = "online" ] || [ "$netif" = "dummy" ]; then [ -f /tmp/session-retry ] || echo 1 > /tmp/session-retry handle_firmware ret=$? fi fi Found error in /usr/lib/dracut/modules.d/45net-lib/net-lib.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/45net-lib/net-lib.sh #!/bin/sh # shellcheck disable=SC2034 IFNETFILE="/tmp/bootnetif" is_ip() { echo "$1" | { IFS=. 
read -r a b c d test "$a" -ge 0 -a "$a" -le 255 \ -- } # list the configured interfaces configured_ifaces() { local IFACES="" iface_id="" rv=1 [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces if { pidof udevd || pidof systemd-udevd; } > /dev/null; then for iface_id in $IFACES; do printf "%s\n" "$(iface_name "$iface_id")" rv=0 done -- return $rv } all_ifaces_up() { local iface="" IFACES="" [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces for iface in $IFACES; do [ -e /tmp/net."$iface".up ] || return 1 done } all_ifaces_setup() { local iface="" IFACES="" [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces for iface in $IFACES; do [ -e /tmp/net."$iface".did-setup ] || return 1 done } get_netroot_ip() { local prefix="" server="" rest="" -- local netif="$1" # ip down/flush ensures that routing info goes away as well ip link set "$netif" down ip addr flush dev "$netif" echo "#empty" > /etc/resolv.conf rm -f -- /tmp/net."$netif".did-setup [ -z "$DO_VLAN" ] \ && [ -e /sys/class/net/"$netif"/address ] \ && rm -f -- "/tmp/net.$(cat /sys/class/net/"$netif"/address).did-setup" # TODO: send "offline" uevent? } setup_net() { local netif="$1" f="" gw_ip="" netroot_ip="" iface="" IFACES="" local _p [ -e /tmp/net."$netif".did-setup ] && return [ -z "$DO_VLAN" ] \ && [ -e /sys/class/net/"$netif"/address ] \ && [ -e "/tmp/net.$(cat /sys/class/net/"$netif"/address).did-setup" ] && return [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces [ -z "$IFACES" ] && IFACES="$netif" # run the scripts written by ifup # shellcheck disable=SC1090 [ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname # shellcheck disable=SC1090 [ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override # shellcheck disable=SC1090 [ -e /tmp/dhclient."$netif".dhcpopts ] && . 
/tmp/dhclient."$netif".dhcpopts # set up resolv.conf [ -e /tmp/net."$netif".resolv.conf ] \ && awk '!array[$0]++' /tmp/net."$netif".resolv.conf > /etc/resolv.conf # shellcheck disable=SC1090 [ -e /tmp/net."$netif".gw ] && . /tmp/net."$netif".gw # add static route for _p in $(getargs rd.route); do route_to_var "$_p" || continue [ -n "$route_dev" ] && [ "$route_dev" != "$netif" ] && continue ip route add "$route_mask" ${route_gw:+via $route_gw} ${route_dev:+dev $route_dev} if strstr "$route_mask" ":"; then printf -- "%s\n" "$route_mask ${route_gw:+via $route_gw} ${route_dev:+dev $route_dev}" \ > /tmp/net.route6."$netif" else printf -- "%s\n" "$route_mask ${route_gw:+via $route_gw} ${route_dev:+dev $route_dev}" \ > /tmp/net.route."$netif" fi done # If a static route was necessary to reach the gateway, the # first gateway setup call will have failed with # RTNETLINK answers: Network is unreachable # Replace the default route again after static routes to cover # this scenario. # shellcheck disable=SC1090 [ -e /tmp/net."$netif".gw ] && . /tmp/net."$netif".gw # Handle STP Timeout: arping the default gateway. # (or the root server, if a) it's local or b) there's no gateway.) # Note: This assumes that if no router is present the # root server is on the same subnet. -- arping -q -f -w 60 -I "$netif" "$dest" || info "Resolving $dest via ARP on $netif failed" fi fi unset layer2 : > /tmp/net."$netif".did-setup [ -z "$DO_VLAN" ] \ && [ -e /sys/class/net/"$netif"/address ] \ && : > "/tmp/net.$(cat /sys/class/net/"$netif"/address).did-setup" } save_netinfo() { local netif="$1" IFACES="" f="" i="" [ -e /tmp/net.ifaces ] && read -r IFACES < /tmp/net.ifaces # Add $netif to the front of IFACES (if it's not there already). 
set -- "$netif" for i in $IFACES; do [ "$i" != "$netif" ] && set -- "$@" "$i"; done IFACES="$*" for i in $IFACES; do for f in "/tmp/dhclient.$i."*; do [ -f "$f" ] && cp -f "$f" /tmp/net."${f#/tmp/dhclient.}" done done echo "$IFACES" > /tmp/.net.ifaces.new mv /tmp/.net.ifaces.new /tmp/net.ifaces } set_ifname() { local name="$1" mac="$2" num=-1 n="" # if it's already set, return the existing name for n in $(getargs ifname=); do strstr "$n" "$mac" && echo "${n%%:*}" && return done [ ! -f "/tmp/set_ifname_$name" ] || read -r num < "/tmp/set_ifname_$name" # otherwise, pick a new name and use that while :; do num=$((num + 1)) [ -e /sys/class/net/"$name"$num ] && continue for n in $(getargs ifname=); do [ "$name$num" = "${n%%:*}" ] && continue 2 done break done echo "ifname=$name$num:$mac" >> /etc/cmdline.d/45-ifname.conf echo "$num" > "/tmp/set_ifname_$name" echo "$name$num" } # pxelinux provides macaddr '-' separated, but we need ':' fix_bootif() { -- [ -e "${iface}"/mac ] || continue read -r mac < "${iface}"/mac [ -z "$mac" ] && continue dev=$(set_ifname ibft "$mac") [ -e /tmp/net."${dev}".has_ibft_config ] && continue [ -e "${iface}"/flags ] && read -r flags < "${iface}"/flags # Skip invalid interfaces awk -- 'BEGIN { exit (!and('"$flags"',1)) }' || continue # Skip interfaces not used for booting unless using multipath -- read -r vlan < "${iface}"/vlan if [ "$vlan" -ne "0" ]; then case "$vlan" in [0-9]*) echo "vlan=$dev.$vlan:$dev" echo "$mac" > /tmp/net."${dev}"."${vlan}".has_ibft_config ;; *) echo "vlan=$vlan:$dev" echo "$mac" > /tmp/net."${vlan}".has_ibft_config ;; esac else echo "$mac" > /tmp/net."${dev}".has_ibft_config fi else echo "$mac" > /tmp/net."${dev}".has_ibft_config fi done ) >> /etc/cmdline.d/40-ibft.conf } Found error in /usr/lib/dracut/modules.d/45net-lib/ifname-genrules.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/45net-lib/ifname-genrules.sh { for p in $(getargs ifname=); do parse_ifname_opts "$p" if [ -f /tmp/ifname-"$ifname_mac" ]; then read 
-r oldif < /tmp/ifname-"$ifname_mac" fi if [ -f /tmp/ifname-"$ifname_if" ]; then read -r oldmac < /tmp/ifname-"$ifname_if" fi if [ -n "$oldif" ] && [ -n "$oldmac" ] && [ "$oldif" = "$ifname_if" ] && [ "$oldmac" = "$ifname_mac" ]; then # skip same ifname= declaration continue fi [ -n "$oldif" ] && warn "Multiple interface names specified for MAC $ifname_mac: $oldif" [ -n "$oldmac" ] && warn "Multiple MAC specified for $ifname_if: $oldmac" printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", ATTR{type}=="1", NAME="%s"\n' "$ifname_mac" "$ifname_if" echo "$ifname_if" > /tmp/ifname-"$ifname_mac" echo "$ifname_mac" > /tmp/ifname-"$ifname_if" done } >> /etc/udev/rules.d/80-ifname.rules Found error in /usr/lib/dracut/modules.d/35network-legacy/parse-vlan.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-legacy/parse-vlan.sh unset phydevice if [ ! "$vlan" = "vlan" ]; then parsevlan "$vlan" fi echo "phydevice=\"$phydevice\"" > /tmp/vlan."${phydevice}".phy { echo "vlanname=\"$vlanname\"" echo "phydevice=\"$phydevice\"" } > /tmp/vlan."${vlanname}"."${phydevice}" done Found error in /usr/lib/dracut/modules.d/35network-legacy/parse-team.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-legacy/parse-team.sh { echo "teammaster=$teammaster" echo "teamslaves=\"$teamslaves\"" echo "teamrunner=\"$teamrunner\"" } > /tmp/team."${teammaster}".info if ! [ -e /etc/teamd/"${teammaster}".conf ]; then warn "Team master $teammaster specified, but no /etc/teamd/$teammaster.conf present. Using $teamrunner." 
mkdir -p /etc/teamd printf -- "%s" "{\"runner\": {\"name\": \"$teamrunner\"}, \"link_watch\": {\"name\": \"ethtool\"}}" > "/tmp/${teammaster}.conf" fi done Found error in /usr/lib/dracut/modules.d/35network-legacy/parse-ip-opts.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-legacy/parse-ip-opts.sh IFACES="${IFACES%"$BOOTDEV"*} ${IFACES#*"$BOOTDEV"}" IFACES="$BOOTDEV $IFACES" fi # Store BOOTDEV and IFACES for later use [ -n "$BOOTDEV" ] && echo "$BOOTDEV" > /tmp/net.bootdev [ -n "$IFACES" ] && echo "$IFACES" > /tmp/net.ifaces Found error in /usr/lib/dracut/modules.d/35network-legacy/dhcp-multi.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-legacy/dhcp-multi.sh dhclient "$arg" \ ${_timeout:+--timeout "$_timeout"} \ -q \ -1 \ -cf /etc/dhclient.conf \ -pf /tmp/dhclient."$netif".pid \ -lf /tmp/dhclient."$netif".lease \ "$netif" & wait $! 2> /dev/null # wait will return the return value of dhclient retv=$? -- fi # If dhclient exited before wait was called, or it was killed by # another thread for interface whose DHCP succeeded, then it will not # find the process with that pid and return error code 127. In that # case we need to check if /tmp/dhclient.$netif.lease exists. If it # does, it means dhclient finished executing before wait was called, # and it was successful (return 0). If /tmp/dhclient.$netif.lease # does not exist, then it means dhclient was killed by another thread # or it finished execution but failed dhcp on that interface. if [ $retv -eq 127 ]; then read -r pid < /tmp/dhclient."$netif".pid info "PID $pid was not found by wait for $netif" if [ -e /tmp/dhclient."$netif".lease ]; then info "PID $pid not found but DHCP successful on $netif" return 0 fi fi -- [ $_COUNT -lt "$_DHCPRETRY" ] && sleep 1 done warn "dhcp for interface $netif failed" # nuke those files since we failed; we might retry dhcp again if it's e.g. 
# `ip=dhcp,dhcp6` and we check for the PID file earlier rm -f /tmp/dhclient."$netif".pid /tmp/dhclient."$netif".lease return 1 } do_dhclient ret=$? # setup nameserver for s in "$dns1" "$dns2" $(getargs nameserver); do [ -n "$s" ] || continue echo nameserver "$s" >> /tmp/net."$netif".resolv.conf done if [ $ret -eq 0 ]; then : > /tmp/net."${netif}".up if [ -z "$do_vlan" ] && [ -e /sys/class/net/"${netif}"/address ]; then : > "/tmp/net.$(cat /sys/class/net/"${netif}"/address).up" fi # Check if DHCP also succeeded on another interface before this one. # We will always use the first one on which DHCP succeeded, by using # a common file $IFNETFILE, to synchronize between threads. -- # Also, the link points to the interface name, which will tell us which # interface succeeded. if ln -s "$netif" "$IFNETFILE" 2> /dev/null; then intf=$(readlink "$IFNETFILE") if [ -e /tmp/dhclient."$intf".lease ]; then info "DHCP successful on interface $intf" # Kill all existing dhclient calls for other interfaces, since we # already got one successful interface read -r npid < /tmp/dhclient."$netif".pid pidlist=$(pgrep dhclient) for pid in $pidlist; do [ "$pid" -eq "$npid" ] && continue kill -9 "$pid" > /dev/null 2>&1 done else echo "ERROR! $IFNETFILE exists but /tmp/dhclient.$intf.lease does not exist!!!" fi else info "DHCP success on $netif, and also on $intf" exit 0 fi Found error in /usr/lib/dracut/modules.d/35network-legacy/dhclient-script.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-legacy/dhclient-script.sh [ -n "$new_max_life" ] && lease_time=$new_max_life preferred_lft=$lease_time [ -n "$new_preferred_life" ] && preferred_lft=$new_preferred_life # shellcheck disable=SC1090 [ -f /tmp/net."$netif".override ] && . /tmp/net."$netif".override # Taken from debian dhclient-script: # The 576 MTU is only used for X.25 and dialup connections # where the admin wants low latency. Such a low MTU can cause # problems with UDP traffic, among other things. 
As such, -- ${preferred_lft:+preferred_lft ${preferred_lft}} if [ -n "$gw" ]; then if [ "$mask" = "255.255.255.255" ]; then # point-to-point connection => set explicit route to gateway echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw fi echo "$gw" | { IFS=' ' read -r main_gw other_gw echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw if [ -n "$other_gw" ]; then for g in $other_gw; do echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw done fi } fi if getargbool 1 rd.peerdns; then [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net."$netif".resolv.conf if [ -n "$namesrv" ]; then for s in $namesrv; do echo nameserver "$s" done fi >> /tmp/net."$netif".resolv.conf fi # Note: hostname can be fqdn OR short hostname, so chop off any # trailing domain name and explicitly add any domain if set. [ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname } setup_interface6() { domain=$new_domain_name # get rid of control chars -- [ -n "$new_max_life" ] && lease_time=$new_max_life preferred_lft=$lease_time [ -n "$new_preferred_life" ] && preferred_lft=$new_preferred_life # shellcheck disable=SC1090 [ -f /tmp/net."$netif".override ] && . /tmp/net."$netif".override ip -6 addr add "${new_ip6_address}"/"${new_ip6_prefixlen}" \ dev "${netif}" scope global \ ${lease_time:+valid_lft $lease_time} \ ${preferred_lft:+preferred_lft ${preferred_lft}} if getargbool 1 rd.peerdns; then [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net."$netif".resolv.conf if [ -n "$namesrv" ]; then for s in $namesrv; do echo nameserver "$s" done fi >> /tmp/net."$netif".resolv.conf fi # Note: hostname can be fqdn OR short hostname, so chop off any # trailing domain name and explicitly add any domain if set. 
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname } parse_option_121() { while [ $# -ne 0 ]; do mask="$1" -- unset layer2 setup_interface set | while read -r line || [ -n "$line" ]; do [ "${line#new_}" = "$line" ] && continue echo "$line" done > /tmp/dhclient."$netif".dhcpopts { echo '. /lib/net-lib.sh' echo "setup_net $netif" if [ -n "$new_classless_static_routes" ]; then -- IFS=".$IFS" parse_option_121 "$new_classless_static_routes" IFS="$OLDIFS" fi echo "source_hook initqueue/online $netif" [ -e /tmp/net."$netif".manualup ] || echo "/sbin/netroot $netif" echo "rm -f -- $hookdir/initqueue/setup_net_$netif.sh" } > "$hookdir"/initqueue/setup_net_"$netif".sh echo "[ -f /tmp/net.$netif.did-setup ]" > "$hookdir"/initqueue/finished/dhclient-"$netif".sh : > /tmp/net."$netif".up if [ -e /sys/class/net/"${netif}"/address ]; then : > "/tmp/net.$(cat /sys/class/net/"${netif}"/address).up" fi ;; RENEW | REBIND) -- setup_interface6 set | while read -r line || [ -n "$line" ]; do [ "${line#new_}" = "$line" ] && continue echo "$line" done > /tmp/dhclient."$netif".dhcpopts { echo '. /lib/net-lib.sh' echo "setup_net $netif" echo "source_hook initqueue/online $netif" [ -e /tmp/net."$netif".manualup ] || echo "/sbin/netroot $netif" echo "rm -f -- $hookdir/initqueue/setup_net_$netif.sh" } > "$hookdir"/initqueue/setup_net_"$netif".sh echo "[ -f /tmp/net.$netif.did-setup ]" > "$hookdir"/initqueue/finished/dhclient-"$netif".sh : > /tmp/net."$netif".up if [ -e /sys/class/net/"${netif}"/address ]; then : > "/tmp/net.$(cat /sys/class/net/"${netif}"/address).up" fi ;; RENEW6 | REBIND6) unset lease_time Found error in /usr/lib/dracut/modules.d/35connman/cm-run.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35connman/cm-run.sh #!/bin/bash type source_hook > /dev/null 2>&1 || . 
/lib/dracut-lib.sh if [ -e /tmp/cm.done ]; then return fi while read -r _serv; do ifname=$(connmanctl services "$_serv" | grep Interface= | sed 's/^.*Interface=\([^,]*\).*$/\1/') source_hook initqueue/online "$ifname" /sbin/netroot "$ifname" done < <(connmanctl services | grep -oE '[^ ]+$') : > /tmp/cm.done Found error in /usr/lib/dracut/modules.d/01systemd-networkd/networkd-run.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/01systemd-networkd/networkd-run.sh for ifpath in /sys/class/net/*; do ifname="${ifpath##*/}" # shellcheck disable=SC2015 [ "$ifname" != "lo" ] && [ -e "$ifpath" ] && [ ! -e /tmp/networkd."$ifname".done ] || continue if /usr/lib/systemd/systemd-networkd-wait-online --timeout=0.000001 --interface="$ifname" 2> /dev/null; then leases_file="/run/systemd/netif/leases/$(cat "$ifpath"/ifindex)" dhcpopts_file="/tmp/dhclient.${ifname}.dhcpopts" if [ -r "$leases_file" ]; then grep -E "^(NEXT_SERVER|ROOT_PATH)=" "$leases_file" \ | sed -e "s/NEXT_SERVER=/new_next_server='/" \ -e "s/ROOT_PATH=/new_root_path='/" \ -e "s/$/'/" > "$dhcpopts_file" || true fi source_hook initqueue/online "$ifname" /sbin/netroot "$ifname" : > /tmp/networkd."$ifname".done fi done;
fail dracut-network-manager-105-alt1.noarch Found error in /usr/lib/dracut/modules.d/35network-manager/nm-run.sh: $ grep -A5 -B5 /tmp/ /usr/lib/dracut/modules.d/35network-manager/nm-run.sh for _i in /sys/class/net/*; do [ -d "$_i" ] || continue state="/run/NetworkManager/devices/$(cat "$_i"/ifindex)" grep -q '^connection-uuid=' "$state" 2> /dev/null || continue ifname="${_i##*/}" dhcpopts_create "$state" > /tmp/dhclient."$ifname".dhcpopts source_hook initqueue/online "$ifname" /sbin/netroot "$ifname" done : > /tmp/nm.done;
fail emacspeak-58.0-alt1.x86_64 Found error in /usr/share/emacs/site-lisp/emacspeak/servers/log-espeak: $ grep -A5 -B5 /tmp/ /usr/share/emacs/site-lisp/emacspeak/servers/log-espeak #!/bin/sh LOG=/tmp/espeak-$$.log tee -a $LOG | `dirname $0`/espeak 2>&1 | tee /tmp/espeak-out-$$.log;
fail environment-modules-5.3.1-alt1_2.x86_64 Found error in /usr/share/Modules/bin/add.modules: $ grep -A5 -B5 /tmp/ /usr/share/Modules/bin/add.modules "$3" > "$2" } # find if certain of the dot files have load lines already findload() { grep "^[ ]*module[ ]*load" "$1" > /tmp/load.$$ } # put common stuff derivatives here $1=.dot_file $2=action $3=shell(csh,sh) $4=skel alternative shdot() { if [ -f "$1" ] then /bin/cat <> "$1" else /bin/cat >> "$1" < "$1" <> "$1" else /bin/cat >> "$1" <> "$1" <> "$1" && /bin/rm "/tmp/$1.$$" elif [ "$2" = 'alias' ] then /bin/cat <> "$1" && /bin/rm "/tmp/$1.$$" fi else /bin/echo "Had problems with your $1" fi else /bin/cat < /dev/null } # process files in $HOME cd "$HOME" || exit 1 if [ -r .bash_profile ]; then;
fail foo2zjs-20200207-alt1.x86_64 Found error in /usr/bin/foo2hbpl2-wrapper: $ grep -A5 -B5 /tmp/ /usr/bin/foo2hbpl2-wrapper #%%BeginFeature: *CustomPageSize True #792.000000 612.000000 1 0.000000 0.000000 #pop pop pop pop pop if [ $DEBUG = 0 ]; then TMPFILE=/tmp/cus$$ else TMPFILE=/tmp/custom.ps fi cat >$TMPFILE exec <$TMPFILE tmp=`head -n 10000 $TMPFILE \ -- case $NUP in [234689]|1[024568]) PREFILTER="nup";; *) PREFILTER=cat;; esac if [ "$DEBUG" -ge 9 ]; then PREFILTER="tee /tmp/$BASENAME.ps" fi # # Overload -G. If the file name ends with ".icm" or ".ICM" # then convert the ICC color profile to a Postscript CRD, -- GAMMAFILE= fi } if [ $DEBUG -gt 0 ]; then ICCTMP=/tmp/icc else ICCTMP=/tmp/icc$$ fi if [ "" = "$COLOR" ]; then COLORMODE= GAMMAFILE= -- # CRD GAMMAFILE="" GAMMAFILE="$GAMMAFILE $CRDBASE/${model}cms" GAMMAFILE="$GAMMAFILE $CRDBASE/$SCREEN" # Black text...
TMPFILE2=/tmp/black$$ cat $CRDBASE/black-text.ps - >$TMPFILE2 exec <$TMPFILE2 ;; *.crd) GAMMAFILE="$CRDBASE/prolog.ps" Found error in /usr/bin/foo2ddst-wrapper: $ grep -A5 -B5 /tmp/ /usr/bin/foo2ddst-wrapper #%%BeginFeature: *CustomPageSize True #792.000000 612.000000 1 0.000000 0.000000 #pop pop pop pop pop if [ $DEBUG = 0 ]; then TMPFILE=/tmp/cus$$ else TMPFILE=/tmp/custom.ps fi cat >$TMPFILE exec <$TMPFILE tmp=`head -n 10000 $TMPFILE \ -- case $NUP in [234689]|1[024568]) PREFILTER="nup";; *) PREFILTER=cat;; esac if [ "$DEBUG" -ge 9 ]; then PREFILTER="tee /tmp/$BASENAME.ps" fi # # Overload -G. If the file name ends with ".icm" or ".ICM" # then convert the ICC color profile to a Postscript CRD, -- GAMMAFILE= fi } if [ $DEBUG -gt 0 ]; then ICCTMP=/tmp/icc else ICCTMP=/tmp/icc$$ fi if [ "" = "$COLOR" ]; then COLORMODE= GAMMAFILE=;
fail foreman-3.13.0-alt2.noarch Found error in /usr/lib/foreman/test/unit/foreman/renderer/snapshots/ProvisioningTemplate/user_data/Kickstart_default_user_data.host4dhcp.snap.txt: $ grep -A5 -B5 /tmp/ /usr/lib/foreman/test/unit/foreman/renderer/snapshots/ProvisioningTemplate/user_data/Kickstart_default_user_data.host4dhcp.snap.txt echo "Performing initial puppet run for --tags no_such_tag" /usr/bin/puppet agent --config /etc/puppet/puppet.conf --onetime --tags no_such_tag --no-daemonize cat << EOF-d592f4ed > /tmp/ansible_provisioning_call.sh #!/bin/sh echo "Calling Ansible AWX/Tower provisioning callback..." /usr/bin/curl -v -k -s --data "host_config_key=" https:///api/v2/job_templates//callback/ echo "DONE" EOF-d592f4ed /bin/sh /tmp/ansible_provisioning_call.sh # UserData still needs to mark the build as finished if [ -x /usr/bin/curl ]; then /usr/bin/curl -o /dev/null -H 'Content-Type: text/plain' --noproxy \* --silent 'http://foreman.example.com/unattended/built' elif [ -x /usr/bin/wget ]; then;
fail geeqie-2.5-alt1.x86_64 Found error in /usr/lib64/geeqie/geeqie-camera-import-hook-script: $ grep -A5 -B5 /tmp/ /usr/lib64/geeqie/geeqie-camera-import-hook-script ## # shellcheck disable=2154 if [ "$ACTION" = "download" ] then printf '%s\n' "$ARGUMENT" >> /tmp/geeqie-camera-import-files elif [ "$ACTION" = "stop" ] then zenity --info --title="Geeqie camera download" --text="Import ended" --width=200 --timeout=5 --window-icon=usr/local/share/pixmaps/geeqie.png 2>/dev/null if [ -f /tmp/geeqie-camera-import-files ] then rm /tmp/geeqie-camera-import-files fi fi exit 0 Found error in /usr/lib64/geeqie/geeqie-camera-import: $ grep -A5 -B5 /tmp/ /usr/lib64/geeqie/geeqie-camera-import ## ## Requires gphoto2 ## finish() { if [ -f /tmp/geeqie-camera-import-files ] then rm /tmp/geeqie-camera-import-files fi if [ -p "$zen_pipe" ] then rm "$zen_pipe" -- then zenity --title="Geeqie camera import" --info --width=200 --text="gphoto2 is not installed" 2> /dev/null exit 0 fi if [ -f /tmp/geeqie-camera-import.log ] then rm /tmp/geeqie-camera-import.log fi if [ "$(gphoto2 --auto-detect | wc -l)" -le 2 ] then zenity --error --title="Geeqie camera import" --text="No camera detected" --window-icon=/usr/local/share/pixmaps/geeqie.png --width=250 2> /dev/null --
src_files_sorted=$(mktemp "${TMPDIR:-/tmp}/geeqie.XXXXXXXXXX") dest_files_sorted=$(mktemp "${TMPDIR:-/tmp}/geeqie.XXXXXXXXXX") ( gphoto2 --port "$port" --list-files 2> /tmp/geeqie-camera-import.log | awk -W posix 'BEGIN {LINT = "fatal"} /#/ {print $2}' | sort > "$src_files_sorted" ) | zenity --progress --auto-close --auto-kill --title="Geeqie camera import" --text="Searching for files to download..." --pulsate --window-icon=/usr/local/share/pixmaps/geeqie.png --width=250 error=$(grep -i error /tmp/geeqie-camera-import.log) if [ -n "$error" ] then zenity --text-info --title="Geeqie camera import" - --window-icon=error --width=250 < /tmp/geeqie-camera-import.log 2> /dev/null exit 1 fi find . -maxdepth 1 -type f -exec basename {} \; | sort > "$dest_files_sorted" existing_file_count=$(comm -12 "$src_files_sorted" "$dest_files_sorted" | wc -l) -- then zenity --info --title="Geeqie camera download" --text="No photos to download" --width=250 --window-icon=usr/local/share/pixmaps/geeqie.png 2> /dev/null exit 0 fi if [ -f /tmp/geeqie-camera-import-files ] then rm /tmp/geeqie-camera-import-files fi touch /tmp/geeqie-camera-import-files zen_pipe=$(mktemp -u "${TMPDIR:-/tmp}/geeqie.XXXXXXXXXX") mkfifo "$zen_pipe" gphoto2 --port "$port" --hook-script "$script_dir/"geeqie-camera-import-hook-script --get-all-files --skip-existing 2> /tmp/geeqie-camera-import.log & gphoto2_pid=$! (tail -f "$zen_pipe" 2> /dev/null) | zenity --progress --title="Geeqie camera import" --width=370 --text="Downloading: total: $files_to_load existing: $existing_file_count\n" --auto-close --auto-kill --percentage=0 window-icon=/usr/local/share/pixmaps/geeqie.png 2> /dev/null & zen_pid=$! 
n=0 while [ -f /tmp/geeqie-camera-import-files ] && [ "$n" -lt 100 ] do i=$(wc -l < "/tmp/geeqie-camera-import-files") n=$(($((i * 100)) / files_to_load)) printf '%s\n' "$n" > "$zen_pipe" latest_file=$(tail -n 1 /tmp/geeqie-camera-import-files) if [ -z "$latest_file" ] then latest_file="Skipping existing files, if any..." fi printf '#Downloading: total: %s existing: %s\n%s' "$files_to_load existing" "$existing_file_count" "$latest_file" > "$zen_pipe";
fail gem-aliyun-sdk-0.8.0-alt1.1.x86_64 Found error in /usr/lib/ruby/gemie/gems/aliyun-sdk-0.8.0/examples/aliyun/oss/resumable_download.rb: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/aliyun-sdk-0.8.0/examples/aliyun/oss/resumable_download.rb puts end demo "Resumable download" do # Download a 100M file cpt_file = '/tmp/y.cpt' File.delete(cpt_file) if File.exist?(cpt_file) start = Time.now puts "Start download: resumable => /tmp/y" bucket.resumable_download( 'resumable', '/tmp/y', :cpt_file => cpt_file) do |progress| puts "Progress: #{(progress * 100).round(2)} %" end puts "Download complete. Cost: #{Time.now - start} seconds."
# Test method: Found error in /usr/lib/ruby/gemie/gems/aliyun-sdk-0.8.0/examples/aliyun/oss/object.rb: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/aliyun-sdk-0.8.0/examples/aliyun/oss/object.rb end # Upload a file # For resumable upload, see: examples/resumable_upload.rb demo "Put object from local file" do File.open('/tmp/x', 'w'){ |f| f.write("hello world\n") } bucket.put_object('files/world', :file => '/tmp/x') puts "Put object: files/world" end # Create an appendable object demo "Create appendable object" do -- puts "Total size: #{total_size}" end # Download an object: download it to a file demo "Get object to local file" do bucket.get_object('files/hello', :file => '/tmp/hello') puts "Get object: files/hello => /tmp/hello" end # Delete an object demo "Delete object" do bucket.delete_object('files/world') -- :metas => {'year' => '2015', 'people' => 'mary'} ) do |content| content << 'hello world.' end o = bucket.get_object('files/hello', :file => '/tmp/x') puts "Object metas: #{o.metas}" end # Update object metas demo "Update object metas" do;
fail gem-foreman-chef-0.10.0.1-alt0.3.noarch Found error in /usr/lib/ruby/gemie/gems/foreman_chef-0.10.0.1/app/views/foreman/unattended/snippets/_chef_client_bootstrap.erb: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/foreman_chef-0.10.0.1/app/views/foreman/unattended/snippets/_chef_client_bootstrap.erb foreman_reports_upload true foreman_enc true EOF # You may set here the default run list for all your nodes cat << 'EOF' > /tmp/base.json <%= @host.run_list.to_chef_json %> EOF #first run of chef-client echo "First run of chef-client" <% chef_args = "-j /tmp/base.json -E #{@host.chef_environment.nil? ? '_default' : @host.chef_environment.name }" -%> /usr/local/bin/chef-client <%= chef_args %> || /usr/bin/chef-client <%= chef_args %> echo "Finished, cleaning" rm -f /tmp/base.json <% if validation_bootstrap_method? -%> # you can comment this line to keep validaton.pem (e.g. for debugging purposes) rm -f /etc/chef/validation.pem <% end -%>;
fail gem-foreman-hooks-0.3.17-alt1.noarch Found error in /usr/lib/ruby/gemie/gems/foreman_hooks-0.3.17/examples/bash/log.sh: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/foreman_hooks-0.3.17/examples/bash/log.sh # Example of using hook_data to query the JSON representation of the object # passed by foreman_hooks. `cat $HOOK_OBJECT_FILE` to see the contents. hostname=$(hook_data host.name) echo "$(date): received ${event} on ${object}" >> /tmp/hook.log # exit code is important on orchestration tasks exit 0;
fail gem-puppet-8.4.0-alt2.noarch Found error in /usr/lib/ruby/gemie/gems/puppet-8.4.0/lib/puppet/application/filebucket.rb: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/puppet-8.4.0/lib/puppet/application/filebucket.rb EXAMPLES -------- ## Backup a file to the filebucket, then restore it to a temporary directory $ puppet filebucket backup /etc/passwd /etc/passwd: 429b225650b912a2ee067b0a4cf1e949 $ puppet filebucket restore /tmp/passwd 429b225650b912a2ee067b0a4cf1e949 ## Diff between two files in the filebucket $ puppet filebucket -l diff d43a6ecaa892a1962398ac9170ea9bf2 7ae322f5791217e031dc60188f4521ef 1a2 > again ## Diff between the file in the filebucket and a local file $ puppet filebucket -l diff d43a6ecaa892a1962398ac9170ea9bf2 /tmp/testFile 1a2 > again ## Backup a file to the filebucket and observe that it keeps each backup separate $ puppet filebucket -l list d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile $ echo again >> /tmp/TestFile $ puppet filebucket -l backup /tmp/TestFile /tmp/TestFile: 7ae322f5791217e031dc60188f4521ef $ puppet filebucket -l list d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile 7ae322f5791217e031dc60188f4521ef 2015-05-11 09:52:15 /tmp/TestFile ## List files in a filebucket within date ranges $
puppet filebucket -l -f 2015-01-01 -t 2015-01-11 list $ puppet filebucket -l -f 2015-05-10 list d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile 7ae322f5791217e031dc60188f4521ef 2015-05-11 09:52:15 /tmp/TestFile $ puppet filebucket -l -f "2015-05-11 09:30:00" list 7ae322f5791217e031dc60188f4521ef 2015-05-11 09:52:15 /tmp/TestFile $ puppet filebucket -l -t "2015-05-11 09:30:00" list d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile ## Manage files in a specific local filebucket $ puppet filebucket -b /tmp/TestBucket backup /tmp/TestFile2 /tmp/TestFile2: d41d8cd98f00b204e9800998ecf8427e $ puppet filebucket -b /tmp/TestBucket list d41d8cd98f00b204e9800998ecf8427e 2015-05-11 09:33:22 /tmp/TestFile2 ## From a Puppet Server, list files in the server bucketdir $ puppet filebucket -b $(puppet config print bucketdir --section server) list d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile 7ae322f5791217e031dc60188f4521ef 2015-05-11 09:52:15 /tmp/TestFile AUTHOR ------ Luke Kanies Found error in /usr/lib/ruby/gemie/gems/puppet-8.4.0/lib/puppet/application/doc.rb: $ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/puppet-8.4.0/lib/puppet/application/doc.rb 'puppet doc --list'. EXAMPLE ------- $ puppet doc -r type > /tmp/type_reference.markdown AUTHOR ------ Luke Kanies;
fail gem-ruby-libvirt-0.8.0-alt1.1.x86_64
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/lib/ruby/gemie/gems/ruby-libvirt-0.8.0/tests/test_storage.rb:
$ grep -A5 -B5 /tmp/ /usr/lib/ruby/gemie/gems/ruby-libvirt-0.8.0/tests/test_storage.rb
    test.img01/tmp/rb-libvirt-test/test.img
    EOF
    new_storage_vol_xml_2 = <test2.img05/tmp/rb-libvirt-test/test2.img
    EOF
    # TESTGROUP: vol.pool
    --
    expect_too_many_args(newpool, "delete", 1, 2)
    expect_invalid_arg_type(newpool, "delete", 'foo')
    expect_success(newpool, "no args", "delete")
    `mkdir -p /tmp/rb-libvirt-test`
    newpool.undefine
    `mkdir -p #{$POOL_PATH}`
    # TESTGROUP: pool.refresh;
fail gnormalize-0.63-alt1.qa1.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/bin/gnormalize:
$ grep -A5 -B5 /tmp/ /usr/bin/gnormalize
    if ($show_cdplayer_skin and defined $window_cd_player){ # with skin_xTunes
        $widget->set_size_request (225, 90); # set a minimum size: (width,height) ; skin_xTunes
        #(pixmap, mask) = Gtk2::Gdk::Pixmap->create_from_xpm ($drawable, $transparent_color, $filename)
        #($pixmap, $pixmap_mask) = Gtk2::Gdk::Pixmap->create_from_xpm ($widget->window, undef, '/tmp/skin_xTunes.xpm');
        ($pixmap, $pixmap_mask) = Gtk2::Gdk::Pixmap->create_from_xpm_d($widget->window, undef, @skin_xTunes);
        #my $pixmap_widget = Gtk2::Image->new_from_pixmap ($gdkpixmap, $mask);
        $window_cd_player->shape_combine_mask( $pixmap_mask, 0, 0 ) if not $window_cd_player->get_decorated;
    --
    ###----------- add files to treeview --------------###
    sub sort_full_path_names{
        my @array = @_;
        # For example:
        # $array[0] = '/tmp/teste/teste4/mus.mp3'
        # $array[1] = '/tmp/teste/teste2/teste4/mus.mp3'
        # $array[2] = '/tmp/mus.mp3'
        # First, sort this array in ascending order by number of '/' character.
        # Then, sort in case-insensitively mode.
        # sort case-insensitively : @articles = sort {uc($a) cmp uc($b)} @files; (see man perlfunc)
        # multiple comparisons in the routine and separate them with ||.
        # See Perl Cookbook, 2nd Edition. Chap. 4.16; 10.18 for help;
        #my $teste = '/tmp/teste/teste2/teste4/mus.mp3'; $teste =~ s/[^\/]//g; print "teste = $teste\n"; # output: teste = /////
        # first compare the number of directory character '/'.
        sub compare_dir {
            (my $temp1 = $a) =~ s/[^\/]//g; # remove all character but '/'
            (my $temp2 = $b) =~ s/[^\/]//g;
    --
    #This file 100% done All files 99% done
    # WaveGain Processing completed normally
    # No Title Gain adjustment or DC Offset correction required for file:
    # Error renaming '/tmp/wavegain.tmp' to '04.wav' (uh-oh)
    # Error processing GAIN for file - 04.wav
    #print "--> $_\n";
    if ( $_ =~ /^\s+Applying Gain of ([-+]\d+[.,]\d+) dB to file:/ ){
        $adjust = $1;
    }
    --
    # leave room for WAV header (44 bytes)
    #seek WAV, 44, 0;
    #print "cdrom_rip = $cdrom_rip; value = $$addr[0]; addr = $addr; startframe = $startframe\n";
    open WAV, ">/tmp/track${track}.wav" or die $!;
    binmode WAV;
    #print WAV $cdrom_rip;
    for (my $i=0;$i<2352;$i++){ print WAV $buf[$i]; }
    #syswrite(WAV, $buffer, 2352 );;
fail hunspell-utils-1.7.2-alt1.x86_64
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/bin/wordforms:
$ grep -A5 -B5 /tmp/ /usr/bin/wordforms
    fx=0
    case $1 in
    -s) fx=1; shift;;
    -p) fx=2; shift;;
    esac
    test -h /tmp/wordforms.aff && rm /tmp/wordforms.aff
    ln -s "$PWD/$1" /tmp/wordforms.aff
    # prepared dic only with the query word
    echo 1 >/tmp/wordforms.dic
    grep "^$3/" $2 >>/tmp/wordforms.dic
    echo $3 | awk -v "fx=$fx" '
    fx!=2 && FILENAME!="-" && /^SFX/ && NF > 4{split($4,a,"/");clen=($3=="0") ? 0 : length($3);sfx[a[1],clen]=a[1];sfxc[a[1],clen]=clen;next}
    fx!=1 && FILENAME!="-" && /^PFX/ && NF > 4{split($4,a,"/");clen=($3=="0") ? 0 : length($3);pfx[a[1],clen]=a[1];pfxc[a[1],clen]=clen;next}
    FILENAME=="-"{
    wlen=length($1)
    --
    for (j in pfx) {if (wlen<=pfxc[j]) continue;
    for(i in sfx){clen=sfxc[i];if (wlen<=clen || wlen <= (clen + pfxc[j]))continue;
    print (pfx[j]=="0" ? "" : pfx[j]) substr($1, pfxc[j]+1, wlen-clen-pfxc[j]) (sfx[i]=="0" ? "": sfx[i]) }}
    }
    }
    ' /tmp/wordforms.aff - | hunspell -d /tmp/wordforms -G -l;
fail imapsync-2.229-alt1.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/bin/imapsync:
$ grep -A5 -B5 /tmp/ /usr/bin/imapsync
    How do you know the sync is finished and well done?
    When imapsync ends by itself it mentions it with lines like those:
    Exiting with return value 0 (EX_OK: successful termination) 0/50 nb_errors/max_errors PID 301
    Removing pidfile /tmp/imapsync.pid
    Log file is LOG_imapsync/2020_11_17_15_59_22_761_test1_test2.txt ( to change it, use --logfile filepath ; or use --nolog to turn off logging )
    If you don't have those lines it means that either the sync process is still running (or eventually hanging indefinitely) or that it ended without a whisper, a strong kill -9 on Linux for example.
    --
    Readonly my $TRUE => 1 ;
    Readonly my $FALSE => 0 ;
    Readonly my $LAST_RESSORT_SEPARATOR => q{/} ;
    Readonly my $CGI_TMPDIR_TOP => '/var/tmp/imapsync_cgi' ;
    Readonly my $CGI_HASHFILE => '/var/tmp/imapsync_hash' ;
    Readonly my $UMASK_PARANO => '0077' ;
    Readonly my $STR_use_releasecheck => q{Check if a new imapsync release is available by adding --releasecheck} ;
    Readonly my $GMAIL_MAXSIZE => 35_651_584 ;
    --
    output( $mysync, "No log by default in Docker context. Use --log to trigger logging to the logfile.\n" ) ;
    $mysync->{ log } = 0 ;
    }
    # In case something is written relatively to .
    my $tmp_dir = "/var/tmp/uid_$EFFECTIVE_USER_ID" ;
    mkpath( $tmp_dir ) ; # silly? No. it is for imapsync --version being ok.
    do_valid_directory( $tmp_dir ) ;
    output( $mysync, "Changing current directory to $tmp_dir\n" ) ;
    chdir $tmp_dir ;
    --
    is( undef, loglogfile( $mysync ), 'loglogfile: undef => undef' ) ;
    $mysync->{ loglogfile } = 1 ;
    $mysync->{ log } = 1 ;
    is( undef, loglogfile( $mysync ), 'loglogfile: no logfile => undef' ) ;
    $mysync->{ logfile } = "logfile.txt" ;
    $mysync->{ loglogfilename } = "W/tmp/tests/list_all_logs_auto.txt" ;
    like( loglogfile( $mysync ), qr{logfile.txt}xms, 'loglogfile: logfile=logfile.txt => ' ) ;
    note( 'Leaving tests_loglogfile()' ) ;
    return ;
    }
    --
    SKIP: {
        if ( 'MSWin32' eq $OSNAME or '0' eq $EFFECTIVE_USER_ID ) { skip( 'Tests only for non-root Unix', 1 ) ; }
        $mysync->{ hashfile } = '/rrr' ;
        is( undef, hashsynclocal( $mysync ), 'hashsynclocal: permission denied' ) ;
    }
    ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'hashsynclocal: mkpath W/tmp/tests/' ) ;
    $mysync->{ hashfile } = 'W/tmp/tests/imapsync_hash' ;
    ok( ! -e 'W/tmp/tests/imapsync_hash' || unlink 'W/tmp/tests/imapsync_hash', 'hashsynclocal: unlink W/tmp/tests/imapsync_hash' ) ;
    ok( ! -e 'W/tmp/tests/imapsync_hash', 'hashsynclocal: verify there is no W/tmp/tests/imapsync_hash' ) ;
    is( 'ecdeb4ede672794d173da4e08c52b8ee19b7d252', hashsynclocal( $mysync, 'mukksyhpmbixkxkpjlqivmlqsulpictj' ), 'hashsynclocal: creating/reading W/tmp/tests/imapsync_hash' ) ;
    # A second time now
    is( 'ecdeb4ede672794d173da4e08c52b8ee19b7d252', hashsynclocal( $mysync ), 'hashsynclocal: reading W/tmp/tests/imapsync_hash second time => same' ) ;
    note( 'Leaving tests_hashsynclocal()' ) ;
    return ;
    }
    --
    sub tests_do_valid_directory {
        note( 'Entering tests_do_valid_directory()' ) ;
        is( 1, do_valid_directory( '.'), 'do_valid_directory: . good' ) ;
        is( 1, do_valid_directory( './W/tmp/tests/valid/sub'), 'do_valid_directory: ./W/tmp/tests/valid/sub good' ) ;
        Readonly my $NB_UNIX_tests_do_valid_directory_non_root => 2 ;
        diag( "OSNAME=$OSNAME EFFECTIVE_USER_ID=$EFFECTIVE_USER_ID" ) ;
        SKIP: {
    --
    sub tests_remove_pidfile_not_running {
        note( 'Entering tests_remove_pidfile_not_running()' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'remove_pidfile_not_running: mkpath W/tmp/tests/' ) ;
        is( undef, remove_pidfile_not_running( ), 'remove_pidfile_not_running: no args => undef' ) ;
        is( undef, remove_pidfile_not_running( './W' ), 'remove_pidfile_not_running: a dir => undef' ) ;
        is( undef, remove_pidfile_not_running( 'noexists' ), 'remove_pidfile_not_running: noexists => undef' ) ;
        is( 1, touch( 'W/tmp/tests/empty.pid' ), 'remove_pidfile_not_running: prepa empty W/tmp/tests/empty.pid' ) ;
        is( undef, remove_pidfile_not_running( 'W/tmp/tests/empty.pid' ), 'remove_pidfile_not_running: W/tmp/tests/empty.pid => undef' ) ;
        is( 'lalala', string_to_file( 'lalala', 'W/tmp/tests/lalala.pid' ), 'remove_pidfile_not_running: prepa W/tmp/tests/lalala.pid' ) ;
        is( undef, remove_pidfile_not_running( 'W/tmp/tests/lalala.pid' ), 'remove_pidfile_not_running: W/tmp/tests/lalala.pid => undef' ) ;
        is( '55555', string_to_file( '55555', 'W/tmp/tests/notrunning.pid' ), 'remove_pidfile_not_running: prepa W/tmp/tests/notrunning.pid' ) ;
        is( 1, remove_pidfile_not_running( 'W/tmp/tests/notrunning.pid' ), 'remove_pidfile_not_running: W/tmp/tests/notrunning.pid => 1' ) ;
        is( $PROCESS_ID, string_to_file( $PROCESS_ID, 'W/tmp/tests/running.pid' ), 'remove_pidfile_not_running: prepa W/tmp/tests/running.pid' ) ;
        is( undef, remove_pidfile_not_running( 'W/tmp/tests/running.pid' ), 'remove_pidfile_not_running: W/tmp/tests/running.pid => undef' ) ;
        note( 'Leaving tests_remove_pidfile_not_running()' ) ;
        return ;
    }
    --
    sub tests_tail {
        note( 'Entering tests_tail()' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'tail: mkpath W/tmp/tests/' ) ;
        ok( ( ! -e 'W/tmp/tests/tail.pid' || unlink 'W/tmp/tests/tail.pid' ), 'tail: unlink W/tmp/tests/tail.pid' ) ;
        ok( ( ! -e 'W/tmp/tests/tail.txt' || unlink 'W/tmp/tests/tail.txt' ), 'tail: unlink W/tmp/tests/tail.txt' ) ;
        is( undef, tail( ), 'tail: no args => undef' ) ;
        my $mysync ;
        is( undef, tail( $mysync ), 'tail: no pidfile => undef' ) ;
        $mysync->{pidfile} = 'W/tmp/tests/tail.pid' ;
        is( undef, tail( $mysync ), 'tail: no pidfilelocking => undef' ) ;
        $mysync->{pidfilelocking} = 1 ;
        is( undef, tail( $mysync ), 'tail: pidfile no exists => undef' ) ;
        my $pidandlog = "33333\nW/tmp/tests/tail.txt\n" ;
        is( $pidandlog, string_to_file( $pidandlog, $mysync->{pidfile} ), 'tail: put pid 33333 and tail.txt in pidfile' ) ;
        is( undef, tail( $mysync ), 'tail: logfile to tail no exists => undef' ) ;
        my $tailcontent = "L1\nL2\nL3\nL4\nL5\n" ;
        is( $tailcontent, string_to_file( $tailcontent, 'W/tmp/tests/tail.txt' ), 'tail: put L1\nL2\nL3\nL4\nL5\n in W/tmp/tests/tail.txt' ) ;
        is( undef, tail( $mysync ), 'tail: fake pid in pidfile + tail off => 1' ) ;
        $mysync->{ tail } = 1 ;
        is( 1, tail( $mysync ), 'tail: fake pid in pidfile + tail on=> 1' ) ;
        # put my own pid, won't do tail
        $pidandlog = "$PROCESS_ID\nW/tmp/tests/tail.txt\n" ;
        is( $pidandlog, string_to_file( $pidandlog, $mysync->{pidfile} ), 'tail: put my own PID in pidfile' ) ;
        is( undef, tail( $mysync ), 'tail: my own pid in pidfile => undef' ) ;
        note( 'Leaving tests_tail()' ) ;
        return ;
    --
    is( undef, write_pidfile( $mysync ), 'write_pidfile: no permission for /no/no/no.pid, no lock => undef' ) ;
    $mysync->{pidfilelocking} = 1 ;
    is( undef, write_pidfile( $mysync ), 'write_pidfile: no permission for /no/no/no.pid + lock => undef' ) ;
    $mysync->{pidfile} = 'W/tmp/tests/test.pid' ;
    ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'write_pidfile: mkpath W/tmp/tests/' ) ;
    is( 1, touch( $mysync->{pidfile} ), 'write_pidfile: lock prepa' ) ;
    $mysync->{pidfilelocking} = 0 ;
    is( 1, write_pidfile( $mysync ), 'write_pidfile: W/tmp/tests/test.pid + no lock => 1' ) ;
    is( $PROCESS_ID, firstline( 'W/tmp/tests/test.pid' ), "write_pidfile: W/tmp/tests/test.pid contains $PROCESS_ID" ) ;
    is( q{}, secondline( 'W/tmp/tests/test.pid' ), "write_pidfile: W/tmp/tests/test.pid contains no second line" ) ;
    $mysync->{pidfilelocking} = 1 ;
    is( undef, write_pidfile( $mysync ), 'write_pidfile: W/tmp/tests/test.pid + lock => undef' ) ;
    $mysync->{pidfilelocking} = 0 ;
    $mysync->{ logfile } = 'rrrr.txt' ;
    is( 1, write_pidfile( $mysync ), 'write_pidfile: W/tmp/tests/test.pid + no lock + logfile => 1' ) ;
    is( $PROCESS_ID, firstline( 'W/tmp/tests/test.pid' ), "write_pidfile: + no lock + logfile W/tmp/tests/test.pid contains $PROCESS_ID" ) ;
    is( q{rrrr.txt}, secondline( 'W/tmp/tests/test.pid' ), "write_pidfile: + no lock + logfile W/tmp/tests/test.pid contains rrrr.txt" ) ;
    note( 'Leaving tests_write_pidfile()' ) ;
    return ;
    }
    --
    sub tests_get_cache {
        note( 'Entering tests_get_cache()' ) ;
        ok( not( get_cache('/cache_no_exist') ), 'get_cache: /cache_no_exist' );
        ok( ( not -d 'W/tmp/cache/F1/F2' or rmtree( 'W/tmp/cache/F1/F2' ) ), 'get_cache: rmtree W/tmp/cache/F1/F2' ) ;
        ok( mkpath( 'W/tmp/cache/F1/F2' ), 'get_cache: mkpath W/tmp/cache/F1/F2' ) ;
        my @test_files_cache = ( qw(
            W/tmp/cache/F1/F2/100_200
            W/tmp/cache/F1/F2/101_201
            W/tmp/cache/F1/F2/120_220
            W/tmp/cache/F1/F2/142_242
            W/tmp/cache/F1/F2/143_243
            W/tmp/cache/F1/F2/177_277
            W/tmp/cache/F1/F2/177_377
            W/tmp/cache/F1/F2/177_777
            W/tmp/cache/F1/F2/155_255
        ) ) ;
        ok( touch( @test_files_cache ), 'get_cache: touch W/tmp/cache/F1/F2/...' ) ;
        # on cache: 100_200 101_201 142_242 143_243 177_277 177_377 177_777 155_255
        # on live:
        my $msgs_1 = [120, 142, 143, 144, 177 ];
    --
    my $msgs_all_1 = { 120 => 0, 142 => 0, 143 => 0, 144 => 0, 177 => 0 } ;
    my $msgs_all_2 = { 242 => 0, 243 => 0, 299 => 0, 377 => 0, 777 => 0, 255 => 0 } ;
    my( $c12, $c21 ) ;
    ok( ( $c12, $c21 ) = get_cache( 'W/tmp/cache/F1/F2', $msgs_1, $msgs_2, $msgs_all_1, $msgs_all_2 ), 'get_cache: 02' );
    my $a1 = [ sort { $a <=> $b } keys %{ $c12 } ] ;
    my $a2 = [ sort { $a <=> $b } keys %{ $c21 } ] ;
    ok( 0 == compare_lists( [ 142, 143, 177 ], $a1 ), 'get_cache: 03' );
    ok( 0 == compare_lists( [ 242, 243, 777 ], $a2 ), 'get_cache: 04' );
    ok( -f 'W/tmp/cache/F1/F2/142_242', 'get_cache: file kept 142_242');
    ok( -f 'W/tmp/cache/F1/F2/142_242', 'get_cache: file kept 143_243');
    ok( ! -f 'W/tmp/cache/F1/F2/100_200', 'get_cache: file removed 100_200');
    ok( ! -f 'W/tmp/cache/F1/F2/101_201', 'get_cache: file removed 101_201');
    # test clean_cache executed
    $maxage = 2 ;
    ok( touch(@test_files_cache), 'get_cache: touch W/tmp/cache/F1/F2/...' ) ;
    ok( ( $c12, $c21 ) = get_cache('W/tmp/cache/F1/F2', $msgs_1, $msgs_2, $msgs_all_1, $msgs_all_2 ), 'get_cache: 02' );
    ok( -f 'W/tmp/cache/F1/F2/142_242', 'get_cache: file kept 142_242');
    ok( -f 'W/tmp/cache/F1/F2/142_242', 'get_cache: file kept 143_243');
    ok( ! -f 'W/tmp/cache/F1/F2/100_200', 'get_cache: file NOT removed 100_200');
    ok( ! -f 'W/tmp/cache/F1/F2/101_201', 'get_cache: file NOT removed 101_201');
    # strange files
    #$debugcache = 1 ;
    $maxage = undef ;
    ok( ( not -d 'W/tmp/cache/rr\uee' or rmtree( 'W/tmp/cache/rr\uee' )), 'get_cache: rmtree W/tmp/cache/rr\uee' ) ;
    ok( mkpath( 'W/tmp/cache/rr\uee' ), 'get_cache: mkpath W/tmp/cache/rr\uee' ) ;
    @test_files_cache = ( qw(
        W/tmp/cache/rr\uee/100_200
        W/tmp/cache/rr\uee/101_201
        W/tmp/cache/rr\uee/120_220
        W/tmp/cache/rr\uee/142_242
        W/tmp/cache/rr\uee/143_243
        W/tmp/cache/rr\uee/177_277
        W/tmp/cache/rr\uee/177_377
        W/tmp/cache/rr\uee/177_777
        W/tmp/cache/rr\uee/155_255
    ) ) ;
    ok( touch(@test_files_cache), 'get_cache: touch strange W/tmp/cache/...' ) ;
    # on cache: 100_200 101_201 142_242 143_243 177_277 177_377 177_777 155_255
    # on live:
    $msgs_1 = [120, 142, 143, 144, 177 ] ;
    $msgs_2 = [ 242, 243, 299, 377, 777, 255 ] ;
    $msgs_all_1 = { 120 => q{}, 142 => q{}, 143 => q{}, 144 => q{}, 177 => q{} } ;
    $msgs_all_2 = { 242 => q{}, 243 => q{}, 299 => q{}, 377 => q{}, 777 => q{}, 255 => q{} } ;
    ok( ( $c12, $c21 ) = get_cache('W/tmp/cache/rr\uee', $msgs_1, $msgs_2, $msgs_all_1, $msgs_all_2), 'get_cache: strange path 02' );
    $a1 = [ sort { $a <=> $b } keys %{ $c12 } ] ;
    $a2 = [ sort { $a <=> $b } keys %{ $c21 } ] ;
    ok( 0 == compare_lists( [ 142, 143, 177 ], $a1 ), 'get_cache: strange path 03' );
    ok( 0 == compare_lists( [ 242, 243, 777 ], $a2 ), 'get_cache: strange path 04' );
    ok( -f 'W/tmp/cache/rr\uee/142_242', 'get_cache: strange path file kept 142_242');
    ok( -f 'W/tmp/cache/rr\uee/142_242', 'get_cache: strange path file kept 143_243');
    ok( ! -f 'W/tmp/cache/rr\uee/100_200', 'get_cache: strange path file removed 100_200');
    ok( ! -f 'W/tmp/cache/rr\uee/101_201', 'get_cache: strange path file removed 101_201');
    note( 'Leaving tests_get_cache()' ) ;
    return ;
    }
    --
    ok( ( $tuid1, $tuid2 ) = match_a_cache_file( '123_456' ), 'match_a_cache_file: 123_456' ) ;
    ok( '123' eq $tuid1, 'match_a_cache_file: 123_456 1' ) ;
    ok( '456' eq $tuid2, 'match_a_cache_file: 123_456 2' ) ;
    ok( ( $tuid1, $tuid2 ) = match_a_cache_file( '/tmp/truc/123_456' ), 'match_a_cache_file: /tmp/truc/123_456' ) ;
    ok( '123' eq $tuid1, 'match_a_cache_file: /tmp/truc/123_456 1' ) ;
    ok( '456' eq $tuid2, 'match_a_cache_file: /tmp/truc/123_456 2' ) ;
    ok( ( $tuid1, $tuid2 ) = match_a_cache_file( '/lala123_456' ), 'match_a_cache_file: NO /lala123_456' ) ;
    ok( ! $tuid1, 'match_a_cache_file: /lala123_456 1' ) ;
    ok( ! $tuid2, 'match_a_cache_file: /lala123_456 2' ) ;
    --
    sub tests_clean_cache {
        note( 'Entering tests_clean_cache()' ) ;
        ok( ( not -d 'W/tmp/cache/G1/G2' or rmtree( 'W/tmp/cache/G1/G2' )), 'clean_cache: rmtree W/tmp/cache/G1/G2' ) ;
        ok( mkpath( 'W/tmp/cache/G1/G2' ), 'clean_cache: mkpath W/tmp/cache/G1/G2' ) ;
        my @test_files_cache = ( qw(
            W/tmp/cache/G1/G2/100_200
            W/tmp/cache/G1/G2/101_201
            W/tmp/cache/G1/G2/120_220
            W/tmp/cache/G1/G2/142_242
            W/tmp/cache/G1/G2/143_243
            W/tmp/cache/G1/G2/177_277
            W/tmp/cache/G1/G2/177_377
            W/tmp/cache/G1/G2/177_777
            W/tmp/cache/G1/G2/155_255
        ) ) ;
        ok( touch(@test_files_cache), 'clean_cache: touch W/tmp/cache/G1/G2/...' ) ;
        ok( -f 'W/tmp/cache/G1/G2/100_200', 'clean_cache: 100_200 before' );
        ok( -f 'W/tmp/cache/G1/G2/142_242', 'clean_cache: 142_242 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_277', 'clean_cache: 177_277 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_377', 'clean_cache: 177_377 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_777', 'clean_cache: 177_777 before' );
        ok( -f 'W/tmp/cache/G1/G2/155_255', 'clean_cache: 155_255 before' );
        my $cache = {
            142 => 242,
            177 => 777,
        } ;
    --
    242 => q{},
    777 => q{},
    } ;
    ok( clean_cache( \@test_files_cache, $cache, $all_1, $all_2 ), 'clean_cache: ' ) ;
    ok( ! -f 'W/tmp/cache/G1/G2/100_200', 'clean_cache: 100_200 after' );
    ok( -f 'W/tmp/cache/G1/G2/142_242', 'clean_cache: 142_242 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/177_277', 'clean_cache: 177_277 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/177_377', 'clean_cache: 177_377 after' );
    ok( -f 'W/tmp/cache/G1/G2/177_777', 'clean_cache: 177_777 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/155_255', 'clean_cache: 155_255 after' );
    note( 'Leaving tests_clean_cache()' ) ;
    return ;
    }
    sub tests_clean_cache_2 {
        note( 'Entering tests_clean_cache_2()' ) ;
        ok( ( not -d 'W/tmp/cache/G1/G2' or rmtree( 'W/tmp/cache/G1/G2' )), 'clean_cache_2: rmtree W/tmp/cache/G1/G2' ) ;
        ok( mkpath( 'W/tmp/cache/G1/G2' ), 'clean_cache_2: mkpath W/tmp/cache/G1/G2' ) ;
        my @test_files_cache = ( qw(
            W/tmp/cache/G1/G2/100_200
            W/tmp/cache/G1/G2/101_201
            W/tmp/cache/G1/G2/120_220
            W/tmp/cache/G1/G2/142_242
            W/tmp/cache/G1/G2/143_243
            W/tmp/cache/G1/G2/177_277
            W/tmp/cache/G1/G2/177_377
            W/tmp/cache/G1/G2/177_777
            W/tmp/cache/G1/G2/155_255
        ) ) ;
        ok( touch(@test_files_cache), 'clean_cache_2: touch W/tmp/cache/G1/G2/...' ) ;
        ok( -f 'W/tmp/cache/G1/G2/100_200', 'clean_cache_2: 100_200 before' );
        ok( -f 'W/tmp/cache/G1/G2/142_242', 'clean_cache_2: 142_242 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_277', 'clean_cache_2: 177_277 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_377', 'clean_cache_2: 177_377 before' );
        ok( -f 'W/tmp/cache/G1/G2/177_777', 'clean_cache_2: 177_777 before' );
        ok( -f 'W/tmp/cache/G1/G2/155_255', 'clean_cache_2: 155_255 before' );
        my $cache = {
            142 => 242,
            177 => 777,
        } ;
    --
    ok( clean_cache( \@test_files_cache, $cache, $all_1, $all_2 ), 'clean_cache_2: ' ) ;
    ok( -f 'W/tmp/cache/G1/G2/100_200', 'clean_cache_2: 100_200 after' );
    ok( -f 'W/tmp/cache/G1/G2/142_242', 'clean_cache_2: 142_242 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/177_277', 'clean_cache_2: 177_277 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/177_377', 'clean_cache_2: 177_377 after' );
    ok( -f 'W/tmp/cache/G1/G2/177_777', 'clean_cache_2: 177_777 after' );
    ok( ! -f 'W/tmp/cache/G1/G2/155_255', 'clean_cache_2: 155_255 after' );
    note( 'Leaving tests_clean_cache_2()' ) ;
    return ;
    }
    --
    sub tests_mkpath {
        note( 'Entering tests_mkpath()' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' )), 'mkpath: mkpath W/tmp/tests/' ) ;
        SKIP: {
            skip( 'Tests only for Unix', 10 ) if ( 'MSWin32' eq $OSNAME ) ;
            my $long_path_unix = '123456789/' x 30 ;
            ok( ( -d "W/tmp/tests/long/$long_path_unix" or mkpath( "W/tmp/tests/long/$long_path_unix" ) ), 'mkpath: mkpath 300 char' ) ;
            ok( -d "W/tmp/tests/long/$long_path_unix", 'mkpath: mkpath > 300 char verified' ) ;
            ok( ( -d "W/tmp/tests/long/$long_path_unix" and rmtree( 'W/tmp/tests/long/' ) ), 'mkpath: rmtree 300 char' ) ;
            ok( ! -d "W/tmp/tests/long/$long_path_unix", 'mkpath: rmtree 300 char verified' ) ;
            ok( ( -d 'W/tmp/tests/trailing_dots...' or mkpath( 'W/tmp/tests/trailing_dots...' ) ), 'mkpath: mkpath trailing_dots...' ) ;
            ok( -d 'W/tmp/tests/trailing_dots...', 'mkpath: mkpath trailing_dots... verified' ) ;
            ok( ( -d 'W/tmp/tests/trailing_dots...' and rmtree( 'W/tmp/tests/trailing_dots...' ) ), 'mkpath: rmtree trailing_dots...' ) ;
            ok( ! -d 'W/tmp/tests/trailing_dots...', 'mkpath: rmtree trailing_dots... verified' ) ;
            eval { ok( 1 / 0, 'mkpath: divide by 0' ) ; } or ok( 1, 'mkpath: can not divide by 0' ) ;
            ok( 1, 'mkpath: still alive' ) ;
        } ;
    --
    eval { ok( ( -d $long_path_300 or mkpath( $long_path_300 ) ), 'mkpath: create a path with 300 characters' ) ; } or ok( 1, 'mkpath: can not create a path with 300 characters' ) ;
    ok( ( ( ! -d $long_path_300 ) or -d $long_path_300 and rmtree( $long_path_300 ) ), 'mkpath: rmtree the 300 character path' ) ;
    ok( 1, 'mkpath: still alive' ) ;
    ok( ( -d 'W/tmp/tests/trailing_dots...' or mkpath( 'W/tmp/tests/trailing_dots...' ) ), 'mkpath: mkpath trailing_dots...' ) ;
    ok( -d 'W/tmp/tests/trailing_dots...', 'mkpath: mkpath trailing_dots... verified' ) ;
    ok( ( -d 'W/tmp/tests/trailing_dots...' and rmtree( 'W/tmp/tests/trailing_dots...' ) ), 'mkpath: rmtree trailing_dots...' ) ;
    ok( ! -d 'W/tmp/tests/trailing_dots...', 'mkpath: rmtree trailing_dots... verified' ) ;
    } ;
    note( 'Leaving tests_mkpath()' ) ;
    --
    sub tests_touch {
        note( 'Entering tests_touch()' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' )), 'touch: mkpath W/tmp/tests/' ) ;
        ok( 1 == touch( 'W/tmp/tests/lala'), 'touch: W/tmp/tests/lala') ;
        ok( 1 == touch( 'W/tmp/tests/\y'), 'touch: W/tmp/tests/\y') ;
        ok( 0 == touch( '/no/no/no/aaa'), 'touch: not /aaa') ;
        ok( 1 == touch( 'W/tmp/tests/lili', 'W/tmp/tests/lolo'), 'touch: 2 files') ;
        ok( 0 == touch( 'W/tmp/tests/\y', '/no/no/aaa'), 'touch: 2 files, 1 fails' ) ;
        note( 'Leaving tests_touch()' ) ;
        return ;
    }
    --
    sub tests_firstline {
        note( 'Entering tests_firstline()' ) ;
        is( q{}, firstline( 'W/tmp/tests/noexist.txt' ), 'firstline: getting empty string from inexisting W/tmp/tests/noexist.txt' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'firstline: mkpath W/tmp/tests/' ) ;
        is( "blabla\n" , string_to_file( "blabla\n", 'W/tmp/tests/firstline.txt' ), 'firstline: put blabla in W/tmp/tests/firstline.txt' ) ;
        is( 'blabla' , firstline( 'W/tmp/tests/firstline.txt' ), 'firstline: get blabla from W/tmp/tests/firstline.txt' ) ;
        is( q{} , string_to_file( q{}, 'W/tmp/tests/firstline2.txt' ), 'firstline: put empty string in W/tmp/tests/firstline2.txt' ) ;
        is( q{} , firstline( 'W/tmp/tests/firstline2.txt' ), 'firstline: get empty string from W/tmp/tests/firstline2.txt' ) ;
        is( "\n" , string_to_file( "\n", 'W/tmp/tests/firstline3.txt' ), 'firstline: put CR in W/tmp/tests/firstline3.txt' ) ;
        is( q{} , firstline( 'W/tmp/tests/firstline3.txt' ), 'firstline: get empty string from W/tmp/tests/firstline3.txt' ) ;
        is( "blabla\nTiti\n" , string_to_file( "blabla\nTiti\n", 'W/tmp/tests/firstline4.txt' ), 'firstline: put blabla\nTiti\n in W/tmp/tests/firstline4.txt' ) ;
        is( 'blabla' , firstline( 'W/tmp/tests/firstline4.txt' ), 'firstline: get blabla from W/tmp/tests/firstline4.txt' ) ;
        note( 'Leaving tests_firstline()' ) ;
        return ;
    }
    --
    sub tests_secondline {
        note( 'Entering tests_secondline()' ) ;
        is( q{}, secondline( 'W/tmp/tests/noexist.txt' ), 'secondline: getting empty string from inexisting W/tmp/tests/noexist.txt' ) ;
        is( q{}, secondline( 'W/tmp/tests/noexist.txt', 2 ), 'secondline: 2nd getting empty string from inexisting W/tmp/tests/noexist.txt' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'secondline: mkpath W/tmp/tests/' ) ;
        is( "L1\nL2\nL3\nL4\n" , string_to_file( "L1\nL2\nL3\nL4\n", 'W/tmp/tests/secondline.txt' ), 'secondline: put L1\nL2\nL3\nL4\n in W/tmp/tests/secondline.txt' ) ;
        is( 'L2' , secondline( 'W/tmp/tests/secondline.txt' ), 'secondline: get L2 from W/tmp/tests/secondline.txt' ) ;
        note( 'Leaving tests_secondline()' ) ;
        return ;
    }
    --
    sub tests_nthline {
        note( 'Entering tests_nthline()' ) ;
        is( q{}, nthline( 'W/tmp/tests/noexist.txt' ), 'nthline: getting empty string from inexisting W/tmp/tests/noexist.txt' ) ;
        is( q{}, nthline( 'W/tmp/tests/noexist.txt', 2 ), 'nthline: 2nd getting empty string from inexisting W/tmp/tests/noexist.txt' ) ;
        ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'nthline: mkpath W/tmp/tests/' ) ;
        is( "L1\nL2\nL3\nL4\n" , string_to_file( "L1\nL2\nL3\nL4\n", 'W/tmp/tests/nthline.txt' ), 'nthline: put L1\nL2\nL3\nL4\n in W/tmp/tests/nthline.txt' ) ;
        is( 'L3' , nthline( 'W/tmp/tests/nthline.txt', 3 ), 'nthline: get L3 from W/tmp/tests/nthline.txt' ) ;
        note( 'Leaving tests_nthline()' ) ;
        return ;
    }
    --
    is( undef, file_to_array( ), 'file_to_array: no args => undef' ) ;
    is( undef, file_to_array( '/noexist' ), 'file_to_array: /noexist => undef' ) ;
    is( undef, file_to_array( '/' ), 'file_to_array: reading a directory => undef' ) ;
    ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'file_to_array: mkpath W/tmp/tests/' ) ;
    is( "L1\nL2\nL3\nL4\n" , string_to_file( "L1\nL2\nL3\nL4\n", 'W/tmp/tests/file_to_array.txt' ), 'file_to_array: put L1\nL2\nL3\nL4\n in W/tmp/tests/file_to_array.txt' ) ;
    is_deeply( [ "L1\n", "L2\n", "L3\n", "L4\n" ] , [ file_to_array( 'W/tmp/tests/file_to_array.txt' ) ], 'file_to_array: get back L1\n L2\n L3\n L4\n from W/tmp/tests/file_to_array.txt' ) ;
    note( 'Leaving tests_file_to_array()' ) ;
    return ;
    }
    --
    is( undef, file_to_string( ), 'file_to_string: no args => undef' ) ;
    is( undef, file_to_string( '/noexist' ), 'file_to_string: /noexist => undef' ) ;
    is( undef, file_to_string( '/' ), 'file_to_string: reading a directory => undef' ) ;
    ok( file_to_string( $PROGRAM_NAME ), 'file_to_string: reading myself' ) ;
    ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'file_to_string: mkpath W/tmp/tests/' ) ;
    is( 'lilili', string_to_file( 'lilili', 'W/tmp/tests/canbewritten' ), 'file_to_string: string_to_file filling W/tmp/tests/canbewritten with lilili' ) ;
    is( 'lilili', file_to_string( 'W/tmp/tests/canbewritten' ), 'file_to_string: reading W/tmp/tests/canbewritten is lilili' ) ;
    is( q{}, string_to_file( q{}, 'W/tmp/tests/empty' ), 'file_to_string: string_to_file filling W/tmp/tests/empty with empty string' ) ;
    is( q{}, file_to_string( 'W/tmp/tests/empty' ), 'file_to_string: reading W/tmp/tests/empty is empty' ) ;
    note( 'Leaving tests_file_to_string()' ) ;
    return ;
    }
    --
    note( 'Entering tests_string_to_file()' ) ;
    is( undef, string_to_file( ), 'string_to_file: no args => undef' ) ;
    is( undef, string_to_file( 'lalala' ), 'string_to_file: one arg => undef' ) ;
    is( undef, string_to_file( 'lalala', '.' ), 'string_to_file: writing a directory => undef' ) ;
    ok( (-d 'W/tmp/tests/' or mkpath( 'W/tmp/tests/' ) ), 'string_to_file: mkpath W/tmp/tests/' ) ;
    is( 'lalala', string_to_file( 'lalala', 'W/tmp/tests/canbewritten' ), 'string_to_file: W/tmp/tests/canbewritten with lalala' ) ;
    is( q{}, string_to_file( q{}, 'W/tmp/tests/empty' ), 'string_to_file: W/tmp/tests/empty with empty string' ) ;
    SKIP: {
        Readonly my $NB_UNX_tests_string_to_file => 1 ;
        skip( 'Not on Unix non-root', $NB_UNX_tests_string_to_file ) if ('MSWin32' eq $OSNAME or '0' eq $EFFECTIVE_USER_ID ) ;
        is( undef, string_to_file( 'lalala', '/cantouch' ), 'string_to_file: /cantouch denied => undef' ) ;
    --
    return backtick( $command ) ;
    }
    sub search_dyn_lib_locale_linux {
        my $command = qq{ lsof -p $PROCESS_ID | grep ' REG ' | grep -v '/tmp/par-' | grep '\.so' } ;
        myprint( "Search non embeded dynamic libs with the command: $command\n" ) ;
        return backtick( $command ) ;
    }
    sub search_dyn_lib_locale_MSWin32
    --
    sub tests_logfileprepa {
        note( 'Entering tests_logfileprepa()' ) ;
        is( undef, logfileprepa( ), 'logfileprepa: no args => undef' ) ;
        my $logfile = 'W/tmp/tests/tests_logfileprepa.txt' ;
        is( 1, logfileprepa( $logfile ), 'logfileprepa: W/tmp/tests/tests_logfileprepa.txt => 1' ) ;
        note( 'Leaving tests_logfileprepa()' ) ;
        return ;
    }
    --
    my $mysync = {} ;
    is( undef, teelaunch( $mysync ), 'teelaunch: arg empty {} => undef' ) ;
    is( undef, teelaunch( $mysync, '' ), 'teelaunch: empty string => undef' ) ;
    # First time, learning IO::Tee intrasics
    my $tee = teelaunch( $mysync, 'W/tmp/tests/tests_teelaunch.txt' ) ;
    isa_ok( $tee, 'IO::Tee', 'teelaunch: logfile W/tmp/tests/tests_teelaunch.txt' ) ;
    is( 1, print( $tee "Hi!\n" ), 'teelaunch: write Hi!') ;
    is( "Hi!\n", file_to_string( 'W/tmp/tests/tests_teelaunch.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch.txt is Hi!\n' ) ;
    is( 1, print( $tee "Hoo\n" ), 'teelaunch: write Hoo') ;
    is( "Hi!\nHoo\n", file_to_string( 'W/tmp/tests/tests_teelaunch.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch.txt is Hi!\nHoo\n' ) ;
    # closing file handle so tee won't be happy
    ($tee->handles)[0]->close ;
    is( undef, print( $tee "Argh1\n" ), 'teelaunch: write Argh1') ;
    is( undef, print( $tee "Argh2\n" ), 'teelaunch: write Argh2') ;
    # write not done
    is( "Hi!\nHoo\n", file_to_string( 'W/tmp/tests/tests_teelaunch.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch.txt is still Hi!\nHoo\n' ) ;
    print join( ' ', $tee->handles ), "\n";
    is( 2, scalar $tee->handles, 'teelaunch: 2 handles') ;
    shift @{*{$tee}};
    print join(' ', $tee->handles), "\n" ;
    is( 1, scalar $tee->handles, 'teelaunch: 1 handle') ;
    --
    # will not print anything now
    is( 0, scalar $tee->handles, 'teelaunch: 0 handle') ;
    is( 1, print( $tee "Argh 4\n" ), 'teelaunch: write Argh4 no') ;
    # Second time, lesson learnt IO::Tee
    $tee = teelaunch( $mysync, 'W/tmp/tests/tests_teelaunch2.txt' ) ;
    isa_ok( $tee, 'IO::Tee' , 'teelaunch: W/tmp/tests/tests_teelaunch2.txt' ) ;
    is( 1, print( $tee "Hi!\n" ), 'teelaunch: write Hi!') ;
    is( "Hi!\n", file_to_string( 'W/tmp/tests/tests_teelaunch2.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch2.txt is Hi!\n' ) ;
    is( 1, print( $tee "Hoo\n" ), 'teelaunch: write Hoo') ;
    is( "Hi!\nHoo\n", file_to_string( 'W/tmp/tests/tests_teelaunch2.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch2.txt is Hi!\nHoo\n' ) ;
    is( 1, teefinish( $tee ), 'teefinish: return 1') ;
    is( 1, print( $tee "Argh1\n" ), 'teelaunch: write Argh1') ;
    is( 1, print( $tee "Argh2\n" ), 'teelaunch: write Argh2') ;
    is( "Hi!\nHoo\n", file_to_string( 'W/tmp/tests/tests_teelaunch2.txt' ), 'teelaunch: reading W/tmp/tests/tests_teelaunch2.txt is still Hi!\nHoo\n' ) ;
    is( 1, teefinish( $tee ), 'teefinish: still return 1') ;
    note( 'Leaving tests_teelaunch()' ) ;
    return ;
    }
    --
    my $mysync = { } ;
    is( undef, get_options_extra( $mysync ), 'get_options_extra: undef => undef' ) ;
    my $cwd_save = getcwd( ) ;
    ok( (-d 'W/tmp/tests/options_extra/' or mkpath( 'W/tmp/tests/options_extra/' )), 'get_options_extra: mkpath W/tmp/tests/options_extra/' ) ;
    chdir 'W/tmp/tests/options_extra/' ;
    is( '--debugimap1', string_to_file( '--debugimap1', 'options_extra.txt' ), 'get_options_extra: string_to_file filling options_extra.txt with --debugimap1' ) ;
    is( '--debugimap1', file_to_string( 'options_extra.txt' ), 'get_options_extra: reading options_extra.txt is --debugimap1' ) ;
    --
    if ( ! $mysync->{ testsdebug } ) { skip 'No test in normal run' ; }
    note( 'Entering testsdebug()' ) ;
    #ok( ( ( not -d 'W/tmp/tests' ) or rmtree( 'W/tmp/tests/' ) ), 'testsdebug: rmtree W/tmp/tests' ) ;
    #tests_check_binary_embed_all_dyn_libs( ) ;
    #tests_killpid_by_parent( ) ;
    #tests_killpid_by_brother( ) ;
    #tests_kill_zero( ) ;
    #tests_connect_socket( ) ;;
fail impose+-0.2-alt2.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/impose: $ grep -A5 -B5 /tmp/ /usr/bin/impose $ybot=30 unless $ybot; $pages=6 unless defined $pages; $rotdir="L" unless $rotdir; $filename = shift or do { $filename = "/tmp/$ENV{USER}-tmp.ps"; open(TMP, ">$filename"); while(<>) { print TMP; } close(TMP); $do_stdout++; $do_erase_tmp++; -- $_=<BB>; @oddbbox=split; $_=<BB>; @evenbbox=split; @oddbbox = @evenbbox unless @evenbbox; close(BB); } elsif ($lastbbox && -e "/tmp/bboxx-$ENV{USER}") { open(BB,"/tmp/bboxx-$ENV{USER}"); $_=<BB>; @oddbbox=split; $_=<BB>; @evenbbox=split; close(BB); # print "oddbbox = @oddbbox\n"; # print "evenbbox = @evenbbox\n"; -- } @evenbbox = @oddbbox if $noevenodd; # record the bboxx information open(BB, ">/tmp/bboxx-$ENV{USER}"); print BB "@oddbbox\n@evenbbox\n"; close(BB); # Do page calculations $oddwidth = $oddbbox[2]-$oddbbox[0];;
fail installer-alterator-livecd-stage2-0.1.2-alt1.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/alterator/backend3/livecd-start: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/livecd-start } run_initinstall() { # do nothing if scripts have already been executed if [ -s /tmp/initinstall.log ]; then # notify interface about finish notify "done #t" return 0 fi -- # run scripts for f in "$initinstall_dir"/* "$livecd_initinstall_dir"/*; do [ -f "$f" -a -x "$f" ] || continue echo "Running $f" >>/tmp/initinstall.log if "$f" >>/tmp/initinstall.log 2>&1; then echo DONE >>/tmp/initinstall.log notify "package \"${f##*/}\" step $counter" counter=$(($counter + 1)) printf '%s %s - OK\n' "$(date +%T)" "$f" >&2 else echo FAILED >>/tmp/initinstall.log notify "error \"${f##*/}\"" printf '%s %s - FAILED\n' "$(date +%T)" "$f" >&2 break fi done;
fail installer-alterator-livecd-stage3-0.1.2-alt1.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/alterator/backend3/livecd-finish: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/livecd-finish # run scripts export PATH=/run/install2/bin:$PATH for f in "$run_postinstall_dir"/* "$livecd_postinstall_dir/*"; do [ -f "$f" -a -x "$f" ] || continue echo "Running $f" >>/tmp/postinstall.log if "$f" >>/tmp/postinstall.log 2>&1; then echo DONE >>/tmp/postinstall.log else echo FAILED >>/tmp/postinstall.log fi done rm -f /_NEW_SYSTEM_ };
fail installer-alterator-pkg-3.1.13-alt1.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/alterator/backend3/pkg-size: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/pkg-size echo "pkg-size:start" echo "$in_lists" > "$pkg_list_file" local tmpfile="$(make_manifest ${in_lists//;/ })" if [ -s "$tmpfile" ]; then stderr_handler & echo "n"|apt-get --simple-output install --manifest "$tmpfile" 2>> /tmp/install2.log || rc=$? else echo "apt-get:status:disk-size:0k" fi rm -f "$tmpfile" # ignore the no free space error before partitioning the disk local no_space_err_msg="E: You don't have enough free space in " if [[ ! -e /tmp/fstab && "$(tail -n 1 /tmp/install2.log)" == "$no_space_err_msg"* && "$rc" == "100" ]]; then rc=1 fi echo "pkg-size:finish:$rc" } Found error in /usr/lib/alterator/backend3/pkg-install: $ grep -A5 -B5 /tmp/ /usr/lib/alterator/backend3/pkg-install [ ! -f "$destdir"/_NEW_SYSTEM_ ] || export DURING_INSTALL=1 [ -z "$AUTOINSTALL" ] || in_auto='#t' case "$in__objects" in /) if test_bool "$in_auto"; then make_apt < /dev/null &> /tmp/pkg-install.log else start_pipe &> /tmp/pkg-install.log fi ;; notify) write_pipe "$in_message" ;;;
fail installer-distro-altlinux-server-stage2-7.0.2-alt3.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/install2/initinstall.d/05-vm-profile: $ grep -A5 -B5 /tmp/ /usr/share/install2/initinstall.d/05-vm-profile #!/bin/sh # see also http://www.altlinux.org/Autoinstall message() { echo "vm-profile: $*" >>/tmp/vm-profile.log; } mem="$(sed -n '/^MemTotal/s/[^0-9]//gp' /proc/meminfo)" # in kB finded_disks_size="$(find /sys/block/{hd,sd,vd,nvme,mmc}*/size 2> /dev/null)" [ -n "$finded_disks_size" ] &&;
fail installer-distro-centaurus-stage2-11.0-alt1.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/install2/preinstall.d/35-disable-systemd-networkd.sh: $ grep -A5 -B5 /tmp/ /usr/share/install2/preinstall.d/35-disable-systemd-networkd.sh mkdir -p $i shell_config_set $i/options SYSTEMD_CONTROLLED no shell_config_set $i/options DISABLED no done } >> /tmp/install2.log 2>&1 : Found error in /usr/share/install2/postinstall.d/66-setup-net-services.sh: $ grep -A5 -B5 /tmp/ /usr/share/install2/postinstall.d/66-setup-net-services.sh if [ -z "$SYSTEMD_CONTROLLED" ] ; then chroot $destdir systemctl disable systemd-networkd.service chroot $destdir systemctl disable systemd-resolved.service fi } >> /tmp/install2.log 2>&1 :;
fail installer-scripts-remount-stage2-0.7.0-alt1.noarch The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/sbin/install2-remount-functions: $ grep -A5 -B5 /tmp/ /usr/sbin/install2-remount-functions start_lvm && start_luks && mount_chroot && systemd_tmpfiles_chroot && set_active \ ) >& /tmp/remount.log || return $? } remount_destination() { # remount destdir after alterator-vm # no mount chroot filesystem (/dev, /proc, /sys) -- start_mdraid && start_lvm && start_luks && mount_destination && set_active \ ) >& /tmp/remount.log || return $? } # avoid automatic rpm shell.req dependency MULTIPATHD=/sbin/multipathd MDADM=/sbin/mdadm LVM=/sbin/lvm CRYPTSETUP=/sbin/cryptsetup CRYPTSETUP_KEY=/tmp/empty PUTFILE=/usr/share/make-initrd/tools/put-file BLKID="blkid -c /dev/null" # alterator-vm should leave LUKS containers # with initial empty password, see #28200 -- # for installer-feature-desktop-other-fs, see also #29005 save_blkid_state() { find /dev/mapper -type l \ | xargs -r $BLKID \ > /tmp/blkid.dm } populate_fstab() { [ ! 
-f /tmp/fstab ] || cat /tmp/fstab >> "$destdir/etc/fstab" } copy_chroot_binaries() { useputfile= if [ -x "$destdir$PUTFILE" ]; then useputfile='yes' binddir="$(mktemp -d "$destdir/tmp/copy_chroot_binaries.XXXXXXXXX")" workdir="${binddir#$destdir}" mount --bind / "$binddir" else echo "remount: file does not exist or is not available for execution: $destdir$PUTFILE" >&2 fi -- } stop_mdraid() { # saving state is only important *after* evms if [ -f /proc/mdstat -a -x "$MDADM" ]; then "$MDADM" --examine --scan > /tmp/mdadm.conf "$MDADM" -v --stop --scan fi } start_mdraid() { if [ -s /tmp/mdadm.conf -a -x "$MDADM" ]; then # an arbitrary value of the year: packages installed already sysctl -w dev.raid.speed_limit_max=1000000 # chroot's mdadm.conf populated by 45-mdadm.sh "$MDADM" -v --assemble --run --scan --config=/tmp/mdadm.conf ||: fi } start_multipath() { if [ -x "$MULTIPATHD" ]; then -- done fi } mount_destfs() { # depends on /tmp/fstab just like 10-fstab.sh local mpoint="$1" mountpoint -q "$destdir""$mpoint" && return 0 local destfs="$(awk -v mpoint="$mpoint" '{ if ($2==mpoint) print $1 }' < /tmp/fstab)" case "$destfs" in UUID=*) destfs="`$BLKID -U ${destfs#UUID=}`" ;; LABEL=*) -- echo "by ${UUID:+UUID=$UUID}${LABEL:+LABEL=$LABEL}" time $BLKID return 3 fi >&2 mountopts="$(grep "[[:space:]]$mpoint[[:space:]]" /tmp/fstab | awk '{ print $4 }')" mount -v "$destfs" "$destdir$mpoint" -o "$mountopts" || return 3 } mount_chroot() { -- ! mountpoint "$destdir" || return 1 } # mount destdir without make chroot, after umount_destination mount_destination() { [ -s /tmp/fstab ] || return 4 for mpoint in $(awk '{ print $2 }' < /tmp/fstab | grep / | sort); do mount_destfs $mpoint || return $? done } systemd_tmpfiles_chroot() {;
fail kdump-tools-checkinstall-1.8-alt8.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/kdump-tools/kdump-checkinstall.sh: $ grep -A5 -B5 /tmp/ /usr/lib/kdump-tools/kdump-checkinstall.sh { # shellcheck disable=SC2026 sed -i -e '/#KDUMP_CMDLINE_REMOVE/s/#//' \ -e '/^KDUMP_CMDLINE_REMOVE/s/"$/ quiet"/'\ /etc/sysconfig/kdump-tools vm-create-image /tmp/i } vm_run_cleanup() { rm /tmp/i rm /tmp/log rm -f /tmp/vm.* rm -f /tmp/initramfs-*.img } vm_cause_panic() { df -h -- find /var/crash -type f -perm /77 -ls -exec false {} + } vm_run_panic() { timeout 100 vm-run --rootfs=/tmp/i --kvm=only --append='crashkernel=256M' "$0" vm_cause_panic |& tee /tmp/log \ || echo 'Failure is expected because of crash.' grep "sysrq: Trigger a crash" /tmp/log grep "Kernel panic - not syncing: sysrq triggered crash" /tmp/log grep "Kdump: loaded" /tmp/log } vm_run_analyzer() { timeout 100 vm-run --rootfs=/tmp/i --kvm=only "$0" vm_analyzer } if [ $# -eq 0 ]; then [ -w /dev/kvm ] || { echo >&2 "/dev/kvm is needed to run this script.";
fail kselftests-6.9-alt1.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/kselftests/net/mptcp/mptcp_join.sh: $ grep -A5 -B5 /tmp/ /usr/lib/kselftests/net/mptcp/mptcp_join.sh cappid=$! sleep 1 fi NSTAT_HISTORY=/tmp/${listener_ns}.nstat ip netns exec ${listener_ns} \ nstat -n NSTAT_HISTORY=/tmp/${connector_ns}.nstat ip netns exec ${connector_ns} \ nstat -n local extra_args if [ $speed = "fast" ]; then extra_args="-j" -- if $capture; then sleep 1 kill $cappid fi NSTAT_HISTORY=/tmp/${listener_ns}.nstat ip netns exec ${listener_ns} \ nstat | grep Tcp > /tmp/${listener_ns}.out NSTAT_HISTORY=/tmp/${connector_ns}.nstat ip netns exec ${connector_ns} \ nstat | grep Tcp > /tmp/${connector_ns}.out if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then fail_test "client exit code $retc, server $rets" echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 ip netns exec ${listener_ns} ss -Menita 1>&2 -o "sport = :$port" cat /tmp/${listener_ns}.out echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 ip netns exec ${connector_ns} ss -Menita 1>&2 -o "dport = :$port" cat /tmp/${connector_ns}.out cat "$capout" return 1 fi Found error in /usr/lib/kselftests/net/mptcp/mptcp_connect.sh: $ grep -A5 -B5 /tmp/ /usr/lib/kselftests/net/mptcp/mptcp_connect.sh local cappid_connector=$! 
sleep 1 fi NSTAT_HISTORY=/tmp/${listener_ns}.nstat ip netns exec ${listener_ns} \ nstat -n if [ ${listener_ns} != ${connector_ns} ]; then NSTAT_HISTORY=/tmp/${connector_ns}.nstat ip netns exec ${connector_ns} \ nstat -n fi local stat_synrx_last_l local stat_ackrx_last_l -- sleep 1 kill ${cappid_listener} kill ${cappid_connector} fi NSTAT_HISTORY=/tmp/${listener_ns}.nstat ip netns exec ${listener_ns} \ nstat | grep Tcp > /tmp/${listener_ns}.out if [ ${listener_ns} != ${connector_ns} ]; then NSTAT_HISTORY=/tmp/${connector_ns}.nstat ip netns exec ${connector_ns} \ nstat | grep Tcp > /tmp/${connector_ns}.out fi local duration duration=$((stop-start)) result_msg+=" # time=${duration}ms" printf "(duration %05sms) " "${duration}" if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then mptcp_lib_pr_fail "client exit code $retc, server $rets" echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 ip netns exec ${listener_ns} ss -Menita 1>&2 -o "sport = :$port" cat /tmp/${listener_ns}.out echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 ip netns exec ${connector_ns} ss -Menita 1>&2 -o "dport = :$port" [ ${listener_ns} != ${connector_ns} ] && cat /tmp/${connector_ns}.out echo cat "$capout" mptcp_lib_result_fail "${TEST_GROUP}: ${result_msg}" return 1 Found error in /usr/lib/kselftests/intel_pstate/run.sh: $ grep -A5 -B5 /tmp/ /usr/lib/kselftests/intel_pstate/run.sh # and the value of MSR 0x199 (MSR_IA32_PERF_CTL) which indicates what # pstate the cpu is in, and the value of # /sys/devices/system/cpu/intel_pstate/max_perf_pct X maximum turbo state # # Notes: In some cases several frequency values may be placed in the # /tmp/result.X files. This is done on purpose in order to catch cases # where the pstate driver may not be working at all. 
There is the case # where, for example, several "similar" frequencies are in the file: # # #/tmp/result.3100:1:cpu MHz : 2899.980 #/tmp/result.3100:2:cpu MHz : 2900.000 #/tmp/result.3100:3:msr 0x199: 0x1e00 #/tmp/result.3100:4:max_perf_pct 94 # # and the test will error out in those cases. The result.X file can be checked # for consistency and modified to remove the extra MHz values. The result.X # files can be re-evaluated by setting EVALUATE_ONLY to 1 below. -- ./aperf $cpu & done echo "sleeping for 5 seconds" sleep 5 grep MHz /proc/cpuinfo | sort -u > /tmp/result.freqs num_freqs=$(wc -l /tmp/result.freqs | awk ' { print $1 } ') if [ $num_freqs -ge 2 ]; then tail -n 1 /tmp/result.freqs > /tmp/result.$1 else cp /tmp/result.freqs /tmp/result.$1 fi ./msr 0 >> /tmp/result.$1 max_perf_pct=$(cat /sys/devices/system/cpu/intel_pstate/max_perf_pct) echo "max_perf_pct $max_perf_pct" >> /tmp/result.$1 for job in `jobs -p` do echo "waiting for job id $job" wait $job -- echo "The marketing frequency of the cpu is $mkt_freq MHz" echo "The maximum frequency of the cpu is $max_freq MHz" echo "The minimum frequency of the cpu is $min_freq MHz" # make a pretty table echo "Target Actual Difference MSR(0x199) max_perf_pct" | tr " " "\n" > /tmp/result.tab for freq in `seq $max_freq -100 $min_freq` do result_freq=$(cat /tmp/result.${freq} | grep "cpu MHz" | awk ' { print $4 } ' | awk -F "." ' { print $1 } ') msr=$(cat /tmp/result.${freq} | grep "msr" | awk ' { print $3 } ') max_perf_pct=$(cat /tmp/result.${freq} | grep "max_perf_pct" | awk ' { print $2 } ' ) cat >> /tmp/result.tab << EOF $freq $result_freq $((result_freq - freq)) $msr $((max_perf_pct * max_freq)) EOF done # print the table pr -aTt -5 < /tmp/result.tab exit 0;
fail linuxcnc-2.9.2-alt4.20240203.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib64/tcl/linuxcnc/ngcgui_ttt.tcl: $ grep -A5 -B5 /tmp/ /usr/lib64/tcl/linuxcnc/ngcgui_ttt.tcl #future: puts check:<$msg> #future: } #future: test ans here # hack follows: catch {set ans1 [eval exec $::ttt(exe) -? 2>/tmp/ttt.q]} catch {set ans2 [eval exec grep -c subdiv /tmp/ttt.q]} catch {file delete /tmp/ttt.q} if {[info exists ans2] && $ans2 == 1} { set ::ttt(msg) "::ttt::embedinit [_ "found truetype-tracer v4 -OK"]" return 1 } else { puts stderr "::ttt::embedinit:[_ "Note truetype-tracer v4 is required"]";
fail ltp-testsuite-20220930-alt4.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/ltp/testcases/bin/smack_file_access.sh: $ grep -A5 -B5 /tmp/ /usr/lib/ltp/testcases/bin/smack_file_access.sh testfile="testfile" tst_tmpdir TST_CLEANUP=cleanup smack_notroot /bin/sh -c "echo InitialData 2>/tmp/smack_fail.log > $testfile" if [ ! -f "$testfile" ]; then tst_brkm TFAIL "Test file \"$testfile\" can not be created." fi setfattr --name=security.SMACK64 --value=TheOther "$testfile" Found error in /usr/lib/ltp/testcases/bin/sched_stress.sh: $ grep -A5 -B5 /tmp/ /usr/lib/ltp/testcases/bin/sched_stress.sh # their bootfiles other locations. 
export KERNEL=./sched_datafile touch $KERNEL echo 0.000000 > sch.measure export RAWDEV=`df / | grep dev | awk {'print $1'}` sched_driver -s 0.9 -t 0.02 -p 2 > /tmp/tmp$$ tail -n 5 /tmp/tmp$$ rm -rf /tmp/tmp$$ ./sched_datafile sch.measure Found error in /usr/lib/ltp/testcases/bin/run_cpuctl_test_fj.sh: $ grep -A5 -B5 /tmp/ /usr/lib/ltp/testcases/bin/run_cpuctl_test_fj.sh export TCID="cpuctl_test_fj" export TST_TOTAL=22 export TST_COUNT=1 CPUCTL="/dev/cpuctl" CPUCTL_TMP="/tmp/cpuctl_tmp" SLEEP_SEC=5 # Create $CPUCTL & mount the cgroup file system with cpu controller # clean any group created earlier (if any) setup() -- then tst_resm TFAIL "Err: Init value is not 1024" return 1; fi ps -eo pid,rtprio > /tmp/pids_file1 & pspid=$! wait $pspid cat /tmp/pids_file1 | grep '-' | tr -d '-' | tr -d ' ' | \ grep -v "$pspid" > /tmp/pids_file2 while read pid do task=`cat $CPUCTL/tasks | grep "\b$pid\b"` if [ -z $task ] then tst_resm TFAIL "Err: Some normal tasks aren't in the root group" return 1 fi done < /tmp/pids_file2 } # create a child directory case2 () { -- return 1; fi [ -d "$CPUCTL/tmp" ] || return 1 [ -f "$CPUCTL/tmp/cpu.shares" ] || return 1 shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi task=`cat $CPUCTL/tmp/tasks` if [ "$task" != "" ] then return 1 fi } -- if [ $? -ne 0 ] then return 1; fi mkdir $CPUCTL/tmp/tmp1 if [ $? -ne 0 ] then return 1; fi [ -d "$CPUCTL/tmp/tmp1" ] || return 1 [ -f "$CPUCTL/tmp/tmp1/cpu.shares" ] || return 1 shares=`cat $CPUCTL/tmp/tmp1/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi task=`cat $CPUCTL/tmp/tmp1/tasks` if [ "$task" != "" ] then return 1 fi } -- if [ $? -ne 0 ] then return 1; fi echo 1 > $CPUCTL/tmp/tasks if [ $? -ne 0 ] then return 1; fi tasks=`cat $CPUCTL/tmp/tasks` if [ $tasks -ne 1 ] then return 1; fi } -- if [ $? -ne 0 ] then return 1; fi ./cpuctl_fj_simple_echo 3 $CPUCTL/tmp/tasks if [ $? 
-ne 22 ] # define EINVAL 22 /* Invalid argument */ then return 1; fi tasks=`cat $CPUCTL/tmp/tasks` if [ "$tasks" != "" ] then return 1; fi } -- # echo negative into shares case7 () { mkdir $CPUCTL/tmp ./cpuctl_fj_simple_echo -1 $CPUCTL/tmp/cpu.shares if [ $? -ne 22 ] # define EINVAL 22 /* Invalid argument */ then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo 0 into shares case8 () { mkdir $CPUCTL/tmp echo 0 > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 2 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo 1 into shares case9 () { mkdir $CPUCTL/tmp echo 1 > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 2 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo 2 into shares case10 () { mkdir $CPUCTL/tmp echo 2 > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 2 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo 3 into shares case11 () { mkdir $CPUCTL/tmp echo 3 > $CPUCTL/tmp/cpu.shares if [ $?
-ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 3 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo 2048 into shares case12 () { mkdir $CPUCTL/tmp echo 2048 > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 2048 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo MAX_SHARES into shares case13 () { mkdir $CPUCTL/tmp echo $max_shares > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ "$shares" != "$max_shares" ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo MAX_SHARES+1 into shares case14 () { mkdir $CPUCTL/tmp echo $(($max_shares+1)) > $CPUCTL/tmp/cpu.shares if [ $? -ne 0 ] then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ "$shares" != "$max_shares" ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo float number into shares case15 () { mkdir $CPUCTL/tmp ./cpuctl_fj_simple_echo 2048.23 $CPUCTL/tmp/cpu.shares if [ $? -ne 22 ] # define EINVAL 22 /* Invalid argument */ then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # charactor. case16 () { mkdir $CPUCTL/tmp ./cpuctl_fj_simple_echo 2048ABC $CPUCTL/tmp/cpu.shares if [ $?
-ne 22 ] # define EINVAL 22 /* Invalid argument */ then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid -- # echo a string into shares. This string begins with charactors. case17 () { mkdir $CPUCTL/tmp ./cpuctl_fj_simple_echo ABC $CPUCTL/tmp/cpu.shares if [ $? -ne 22 ] # define EINVAL 22 /* Invalid argument */ then return 1; fi shares=`cat $CPUCTL/tmp/cpu.shares` if [ $shares -ne 1024 ] then return 1; fi ./cpuctl_fj_cpu-hog & pid=$! echo $pid > $CPUCTL/tmp/tasks /bin/kill -s SIGUSR1 $pid sleep $SLEEP_SEC /bin/kill -s SIGUSR1 $pid wait $pid;
fail lua5.1-module-luasocket-3.0rc1-alt5_lr2.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/luarocks/rocks-5.1/luasocket/3.0rc1-2/test/cgi/cat: $ grep -A5 -B5 /tmp/ /usr/lib/luarocks/rocks-5.1/luasocket/3.0rc1-2/test/cgi/cat #!/bin/sh echo Content-type: text/plain echo cat > /tmp/luasocket.cat.tmp cat /tmp/luasocket.cat.tmp;
fail lz11-V2-1.2-alt1.qa2.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/lz11.stopjobs: $ grep -A5 -B5 /tmp/ /usr/bin/lz11.stopjobs if [ -z "${pids}" ] ; then exit 0 fi echo "${pids}" > /tmp/lz11.terminate waitcounts=30 echo echo echo "removing all active printer jobs for --$(whoami)-- " echo " etc usr with PIDS ${pids}" -- if [ ${nonefound} == 1 ] ; then i=${waitcounts} echo -n " STOPPED!" fi done rm -f /tmp/lz11.terminate echo if [ ${nonefound} = 0 ] ; then echo "The program could not stop the prints safely." echo "Just killing the print processes now!" echo Found error in /usr/bin/lz11.foomatic: $ grep -A5 -B5 /tmp/ /usr/bin/lz11.foomatic $debug = 1; local *ERR; if ($debug) { open(ERR,">>/tmp/lz11err"); print ERR "-----------\n"; print ERR "@ARGV\n"; } else { open(ERR, ">&STDERR"); } -- # ---------------------------------------------------------- # cZ11 command line # ---------------------------------------------------------- $cz11 = "cZ11-V2 $devicez11 $sizez11 $adjustz11"; if ( $cancel == 1 ) { $cz11 = "$cz11"." --terminate=/tmp/lz11.terminate"; } elsif ( $cancel ) { $cz11 = "$cz11"." --terminate-eject=/tmp/lz11.terminate"; } $cz11 = "$cz11"." 2>>/tmp/lz11err"; # ---------------------------------------------------------- # Do it! 
# ---------------------------------------------------------- $invokation = "$gs -q -dBATCH -dSAFER -dNOPAUSE $devicegs $ditherppi $resgs $sizegs -sOutputFile=- - | $cz11"; if ($debug) { print ERR "$invokation \n"; } system("$invokation"); system("chmod a+rw /tmp/lz11*"); close(ERR);;
fail m2300w-0.51-alt1.qa1.x86_64 Found error in /usr/bin/m2300w-wrapper: $ grep -A5 -B5 /tmp/ /usr/bin/m2300w-wrapper # is heavy based on the Script from Rick's 'foo2zjs-wrapper' for the # Minolta Magiccolor 2300DL. # So i will leave his copyright on it. #********************************************************************* cat >> /tmp/m2300w.log <> /tmp/m2300w.log <&3" $RENDERFILES - >>/tmp/m2300w.log) 3>&1 | tee /tmp/m2300w_gsout.pbm | $DRIVER $DRIVER_DEBUG $M2300WUCR $SAVETONER $PAPERCODE $MEDIACODE \ -i - -o - $COLOR $RESCODESTR | tee /tmp/m2300w.prn EOF $PREFILTER | ($GS $gsPaperCode $RES $GSDEV $GSOPT \ -sOutputFile="|cat 1>&3" $RENDERFILES - >>/tmp/m2300w.log) 3>&1 | tee_pbm | $DRIVER $DRIVER_DEBUG $M2300WUCR $SAVETONER $PAPERCODE $MEDIACODE \ -i - -o - $COLOR $RESCODESTR | tee_prn;
fail make-initrd-colaboot-0.5-alt2.noarch Found error in /usr/share/make-initrd/features/colaboot/data/scripts/post/udev/colaboot: $ grep -A5 -B5 /tmp/ /usr/share/make-initrd/features/colaboot/data/scripts/post/udev/colaboot REPLACEMENT=$(echo $ROOT |sed -r -e 's|(.*)/.*|\1|') elif echo $MACRO_NAME |grep -q "^DHCP_"; then # for this macro type we need to make sure first that network is up [ -z "$NETWORK_IS_UP" ] && network_init >&2 DHCP_OPT_NAME=$(echo $MACRO_NAME |sed -e 's/^DHCP_//') REPLACEMENT=$(get_mnf_param $DHCP_OPT_NAME /tmp/lease-info |sed -e "s/'//g") fi STR=$(echo $STR |sed -e "s|{.*}|$REPLACEMENT|") fi echo $STR } -- done } network_init() { if [ -s /tmp/lease-info ]; then # It seems network is already up NETWORK_IS_UP=1 return fi -- fi sleep .1 done if ip -o -4 addr list |grep -Fqv "inet 127.0.0.1"; then verbose "Save lease info into /tmp/lease-info" for lease in /var/lib/dhcpcd/*.lease; do iface=$(basename $lease |sed -e 's/dhcpcd-//' -e 's/\.lease$//') dhcpcd -4 -U $iface > /tmp/lease-info done NETWORK_IS_UP=1 else error "No assigned IP found. Network problem?" 
fi -- FORCE_CACHE_IMAGES=${clb_force_cache_images:-1} WAIT_DELAY=${ROOTDELAY:-180} verbose "CoLaBoot: root url=${ROOT}, clb_fs_size=${clb_fs_size}, clb_force_cache_images=${FORCE_CACHE_IMAGES}" RDISK=/tmp/clb-ramdisk CACHED_IMAGES=$RDISK/cached-images IMAGES_MPOINTS=$RDISK/mount-points IMG_FS_PATH=/tmp/images-fs # this location can be overrided for local HDD, NFS or iSCSI RW_LAYER_PATH=$IMAGES_MPOINTS mkdir -p $RDISK -- for MPOINT in $IMG_FS_PATH/*; do grep -q " $MPOINT " /proc/mounts && umount -l $MPOINT done [ -n "$NETWORK_IS_UP" -o -s /tmp/lease-info ] && network_down } # =========< start here >============= prepare;
fail ndiswrapper-1.61-alt1.x86_64 Found error in /usr/sbin/ndiswrapper-buginfo: $ grep -A5 -B5 /tmp/ /usr/sbin/ndiswrapper-buginfo # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA LOGFILE=`mktemp /tmp/ndiswrapper.XXXXXX` KVERS=`uname -r` log() { echo -e "$*" 2>&1 >> $LOGFILE -- log "kernel config missing" fi fi fi gzip -c $LOGFILE > /tmp/ndiswrapper-buginfo.gz echo "please attach /tmp/ndiswrapper-buginfo.gz to your bugreport!" \rm -f $LOGFILE;
fail net-snmp-common-5.9.4-alt1.noarch Found error in /usr/share/doc/net-snmp-common-5.9.4/passtest: $ grep -A5 -B5 /tmp/ /usr/share/doc/net-snmp-common-5.9.4/passtest # Process SET requests by simply logging the assigned value # Note that such "assignments" are not persistent, # nor is the syntax or requested value validated # if [ "$1" = "-s" ]; then echo $* >> /tmp/passtest.log exit 0 fi # # GETNEXT requests - determine next valid instance;
fail netinst-overlays-0.03-alt1.noarch Found error in /usr/bin/overlays-manage: $ grep -A5 -B5 /tmp/ /usr/bin/overlays-manage ExCmd() { # archive file local D D="`mktemp -d`" unsquashfs -d "$D/1" "$1" "$2" cat "$D/1/$2" find "$D" >> /tmp/log 2>&1 rm -rf "$D" } EXTMP= ADDHOSTS="" # what hosts want their hostkey on diskless DST="`logname`@`hostname`" # where to copy overlays;
fail newsboat-2.31-alt1.x86_64 Found error in /usr/share/doc/newsboat/contrib/getpocket.com/create-pocket-user-token.sh: $ grep -A5 -B5 /tmp/ /usr/share/doc/newsboat/contrib/getpocket.com/create-pocket-user-token.sh # shamelessy copy this from contrib/bookmark-pinboard TMP_TOKEN=`echo $output | sed 's/^.*\"code\":"\([^"]*\)".*$/\1/'` # redirect user to pocket authentication page AUTH_URL="https://getpocket.com/auth/authorize?request_token=$TMP_TOKEN&redirect_uri=https://github.com/newsboat/newsboat/blob/c8c92a17fa0862fb7a648e88723eb48cb9cb582c/contrib/getpocket.com/after_authentication.md" echo $TMP_TOKEN> /tmp/pocket_token echo "please navigate to $AUTH_URL, active the access. Then press enter" xdg-open $AUTH_URL read dontcare output=`wget --post-data "consumer_key=$APPLICATION_CONSUMER_KEY&code=$TMP_TOKEN" https://getpocket.com/v3/oauth/authorize -O - 2>/dev/null` echo $output > /tmp/input output=`echo $output | sed 's/^.*access_token=\([^&"]*\).*$/\1/'` echo $output > ~/.pocket_access_token;
fail nish-functions-2.05-alt1.noarch Found error in /usr/lib/nish/functions.xterm: $ grep -A5 -B5 /tmp/ /usr/lib/nish/functions.xterm # Tackle XTerm to push response on string (e. g. ^[]50;?^G responds with fontname) # Response must end with response_end (default "t") # WARNING: this can freeze your terminal (kill awk then) _XTERM_Response() { # string [response_end [response_start [tty]]] # TODO [tty] echo "$@" > /tmp/log local XT STTY TF A2 A3 STTY=`stty -g < "$__XTTTY"` stty raw -echo < "$__XTTTY" echo -n "$1" > "$__XTTTY" test -r "$TF" || _TmpFile TF;
fail ocsinventory-agent-2.10.2-alt1.noarch Found error in /usr/bin/ocsinventory-agent: $ grep -A5 -B5 /tmp/ /usr/bin/ocsinventory-agent =item B<--stdout> Print the inventory on stdout. % ocsinventory-agent --stdout > /tmp/report.xml # prepare an inventory and write it in the /tmp/report.xml file. # A file will be created. =item B<--scan-homedirs> Authorized OCS to scan home directories to increase the Virtual Machine inventory.;
fail opennebula-server-6.8.0.1-alt4.x86_64 Found error in /var/lib/one/remotes/im/qemu.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/qemu.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/one.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/one.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! 
ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/lxd.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/lxd.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/lxc.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/lxc.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/kvm.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/kvm.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! 
ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/firecracker.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/firecracker.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/equinix.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/equinix.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/ec2.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/ec2.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! 
ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE } Found error in /var/lib/one/remotes/im/az.d/monitord-client_control.sh: $ grep -A5 -B5 /tmp/ /var/lib/one/remotes/im/az.d/monitord-client_control.sh # Collectd client (Ruby) CLIENT=$DIR/${BASENAME}.rb # Collectd client PID CLIENT_PID_FILE=/tmp/one-monitord-$HID.pid # Launch the client function start_client() { rm $CLIENT_PID_FILE >/dev/null 2>&1 echo "$STDIN" | /usr/bin/env ruby $CLIENT $ARGV 2> /tmp/one-monitord-$HID.error & CLIENT_PID=$! sleep 1 if [ -z "$CLIENT_PID" ] || ! ps -p $CLIENT_PID > /dev/null; then cat /tmp/one-monitord-$HID.error exit 1 fi echo $CLIENT_PID > $CLIENT_PID_FILE };
fail otl-0.54-alt1.qa1.x86_64 Found error in /usr/bin/otlsub: $ grep -A5 -B5 /tmp/ /usr/bin/otlsub ################################### # need to rewrite and reread file so that \n's are now processed correctly # and each line ends up as a separate array element # -- write it to temp file unlink("/tmp/tmp.otl"); open(FOUT, ">/tmp/tmp.otl"); flock(FOUT,2); print FOUT @linesout; close (FOUT); # now read it @linesout=(); open(INFO,"/tmp/tmp.otl"); @linesout=; close(INFO); # # $llength is length of linesout Found error in /usr/bin/otl: $ grep -A5 -B5 /tmp/ /usr/bin/otl #### # # need to rewrite and reread file so that \n's are now processed correctly # and each line ends up as a separate array element # -- write it to temp file open(FOUT, ">/tmp/tmp.otl"); flock(FOUT,2); print FOUT @linesout; close (FOUT); # now read it @linesout=(); open(INFO,"/tmp/tmp.otl"); @linesout=; close(INFO); $lineslength=@linesout; if ($debug);
fail perl-Tapper-Cmd-5.0.12-alt1_1.noarch Found error in /usr/share/perl5/auto/Tapper/Cmd/Init/hello-world/run-hello-world.sh: $ grep -A5 -B5 /tmp/ /usr/share/perl5/auto/Tapper/Cmd/Init/hello-world/run-hello-world.sh start-tapper-daemon () { DAEMON=$1 if ps auxwww | grep -v grep | grep $DAEMON ; then kill $(ps auxwww | grep -v grep | grep $DAEMON | awk '{print $2}') fi $DAEMON > /tmp/$DAEMON-helloworld.log 2>&1 & } start-tapper-daemon tapper_reports_web_server.pl start-tapper-daemon tapper-reports-receiver start-tapper-daemon tapper-reports-api;
fail phoronix-test-suite-10.8.4-alt2.noarch Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/tww3-1.0.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/tww3-1.0.0/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Total War WARHAMMER III" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/tww3-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/tww2-1.1.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/tww2-1.1.0/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Total War WARHAMMER II" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/tww2-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" 
"$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.3/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.3/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Three Kingdoms" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/twtk-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.2/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.2/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Three Kingdoms" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/twtk-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.1/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/twtk-1.0.1/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Three Kingdoms" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/twtk-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found 
error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/thronesofbritannia-1.0.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/thronesofbritannia-1.0.0/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Thrones of Britannia" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/tob-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.1.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.1.0/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Shadow of the Tomb Raider" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" > /tmp/sotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" if [ -f "$GAME_PREFS/preferences" ]; then rm "$GAME_PREFS/preferences" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.1.0/interim.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.1.0/interim.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Shadow of the Tomb Raider" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" > /tmp/sotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp 
-r "$GAME_PREFS" "$GAME_PREFS_BKP" if [ -f "$GAME_PREFS/preferences" ]; then rm "$GAME_PREFS/preferences" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.0.1/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.0.1/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Shadow of the Tomb Raider" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" > /tmp/sotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" if [ -f "$GAME_PREFS/preferences" ]; then rm "$GAME_PREFS/preferences" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.0.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/shadowofthetombraider-1.0.0/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Shadow of the Tomb Raider" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" > /tmp/sotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" if [ -f "$GAME_PREFS/preferences" ]; then rm "$GAME_PREFS/preferences" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/riseofthetombraider-1.0.2/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/riseofthetombraider-1.0.2/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Rise of the Tomb Raider" # Set up (and back up) the game 
preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/rotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/riseofthetombraider-1.0.1/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/riseofthetombraider-1.0.1/pre.sh #!/bin/bash -e set -o xtrace exec > /tmp/test exec 2>&1 # Input settings WIDTH=$1 HEIGHT=$2 -- export HOME=$DEBUG_REAL_HOME GAME_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive/Rise of the Tomb Raider" # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/rotr-bkp-dt GAME_PREFS_BKP="${GAME_PREFS}.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/f12017-1.1.1/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/f12017-1.1.1/pre.sh #!/bin/bash set -o xtrace exec > /tmp/test exec 2>&1 export HOME=$DEBUG_REAL_HOME # Game identity FERAL_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive" -- ;; esac # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" >/tmp/f12017-bkp-dt GAME_PREFS_BKP="${FERAL_PREFS}/F1 2017.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}" Found error in /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/f12017-1.1.0/pre.sh: $ grep -A5 -B5 /tmp/ /usr/share/phoronix-test-suite/ob-cache/test-profiles/pts/f12017-1.1.0/pre.sh #!/bin/bash set -o xtrace exec > /tmp/test exec 2>&1 export HOME=$DEBUG_REAL_HOME # Game identity FERAL_PREFS="$DEBUG_REAL_HOME/.local/share/feral-interactive" -- ;; esac # Set up (and back up) the game preferences files DATETIME=$( date +%Y-%d-%m-%H-%M ) echo "$DATETIME" 
>/tmp/f12017-bkp-dt GAME_PREFS_BKP="${FERAL_PREFS}/F1 2017.pts-$DATETIME-bkp" cp -r "$GAME_PREFS" "$GAME_PREFS_BKP" # clear previous runs rm -rf "${GAME_PREFS:?}";
fail pptpd-1.4.0-alt4.x86_64 Found error in /usr/share/doc/pptpd-1.4.0/tools/vpnuser: $ grep -A5 -B5 /tmp/ /usr/share/doc/pptpd-1.4.0/tools/vpnuser exit 1 fi ;; del) if [ "$(echo $2)" != "" ]; then grep -vw "$2" $config > /tmp/vpnblaat mv /tmp/vpnblaat $config chmod 600 $config else echo -e $ERROR exit 1 fi -- cat $config fi ;; domain) if [ "$(echo $2)" != "" ] & [ "$(echo $3)" != "" ]; then grep -vw "$2" $config > /tmp/vpnblaat DATA=`grep -w "$2" $config` mv /tmp/vpnblaat $config DOM=`echo $3 | tr a-z A-Z` dom=`echo $3 | tr A-Z a-z` echo "$DOM\\\\$DATA" >> $config echo "$dom\\\\$DATA" >> $config chmod 600 $config;
fail rancid-2.3.8-alt2.x86_64
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/share/doc/rancid-2.3.8/getipacctg:

    $ grep -A5 -B5 /tmp/ /usr/share/doc/rancid-2.3.8/getipacctg
    # will display the top 25 for src or dst ip's within prefix
    # 192.168.0.0/24
    #
    # Contributed to rancid by Steve Neighorn of SCN Reasearch.
    TMP="/tmp/ipacct.$$.prefixes"
    TMP2="/tmp/ipacct.$$.sorted"
    TMP3="/tmp/ipacct.$$.pl"
    if [ $# -eq 0 ] ; then
        echo "usage: getipacctg router_name [] [ [...]]" >&2
        exit 1;
    fi
    trap 'rm -fr /tmp/ipacct.$$ $TMP $TMP2 $TMP3;' 1 2 15
    clogin -c 'show ip accounting' $1 > /tmp/ipacct.$$
    if [ $? -ne 0 ] ; then
        echo "clogin failed." >&2
        exit 1
    fi
    --
        fi
        shift
    done 6>&-
    egrep '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ +[0-9]+\.[0-9]+\.' /tmp/ipacct.$$ | \
        sed -e 's/^ *//' -e 's/ etc/ usr/ var/ /g' -e 's/.$//' | \
        awk '{print $4":"$0;}' | sort -nr | \
        sed -e 's/^[^:]*://' > $TMP2
    if [ -s $TMP ] ; then
    --
        perl $TMP3 $TMP $TMP2 | $HEAD
    else
        $HEAD $TMP2
    fi
    rm -fr /tmp/ipacct.$$ $TMP $TMP2 $TMP3
    trap ';' 1 2 15
    exit 0
fail resource-agents-4.14.0-alt1.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/ocf/resource.d/heartbeat/rabbitmq-server-ha: $ grep -A5 -B5 /tmp/ /usr/lib/ocf/resource.d/heartbeat/rabbitmq-server-ha The debug flag for agent (${OCF_RESKEY_binary}) instance. In the /tmp/ directory will be created rmq-* files for log some operations and ENV values inside OCF-script. AMQP server (${OCF_RESKEY_binary}) debug flag -- local rc=$OCF_ERR_GENERIC local LH="${LL} monitor:" ocf_log debug "${LH} action start." if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-monitor.log env >> /tmp/rmq-monitor.log echo "$d [monitor] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi get_monitor rc=$? 
ocf_log debug "${LH} role: ${OCF_RESKEY_CRM_meta_role}" ocf_log debug "${LH} result: $rc" -- local LH="${LL} start:" local nowtime if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-start.log env >> /tmp/rmq-start.log echo "$d [start] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." get_status -- local rc=$OCF_ERR_GENERIC local LH="${LL} stop:" if ocf_is_true "${OCF_RESKEY_debug}"; then d=$(date '+%Y%m%d %H:%M:%S') echo $d >> /tmp/rmq-stop.log env >> /tmp/rmq-stop.log echo "$d [stop] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." 
ocf_log info "${LH} Deleting master attribute" -- local LH="${LL} notify:" local nodelist if ocf_is_true "${OCF_RESKEY_debug}"; then d=`date '+%Y%m%d %H:%M:%S'` echo $d >> /tmp/rmq-notify.log env >> /tmp/rmq-notify.log echo "$d [notify] ${OCF_RESKEY_CRM_meta_notify_type}-${OCF_RESKEY_CRM_meta_notify_operation} promote='${OCF_RESKEY_CRM_meta_notify_promote_uname}' demote='${OCF_RESKEY_CRM_meta_notify_demote_uname}' master='${OCF_RESKEY_CRM_meta_notify_master_uname}' slave='${OCF_RESKEY_CRM_meta_notify_slave_uname}' start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi if [ "${OCF_RESKEY_CRM_meta_notify_type}" = 'post' ] ; then # POST- anything notify section case "$OCF_RESKEY_CRM_meta_notify_operation" in -- local rc=$OCF_ERR_GENERIC local LH="${LL} promote:" if ocf_is_true "${OCF_RESKEY_debug}"; then d=$(date '+%Y%m%d %H:%M:%S') echo $d >> /tmp/rmq-promote.log env >> /tmp/rmq-promote.log echo "$d [promote] start='${OCF_RESKEY_CRM_meta_notify_start_uname}' stop='${OCF_RESKEY_CRM_meta_notify_stop_uname}' active='${OCF_RESKEY_CRM_meta_notify_active_uname}' inactive='${OCF_RESKEY_CRM_meta_notify_inactive_uname}'" >> /tmp/rmq-ocf.log fi ocf_log info "${LH} action begin." get_monitor;
fail rpm-build-vm-checkinstall-1.75-alt1.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/lib/vm-run.ci/checkinstall:

    $ grep -A5 -B5 /tmp/ /usr/lib/vm-run.ci/checkinstall
    # Bringing up secondary CPUs" message.
    ls -l /dev/kvm
    set | grep ^LD_
    # Simulate filetrigger run
    find /boot > /tmp/filelist
    /usr/lib/rpm/posttrans-filetriggers /tmp/filelist
    rm /tmp/filelist
    # Remove trigger so it does not re-create '/tmp/vm-ext4.img'.
    > /usr/lib/rpm/z-vm-createimage.filetrigger
    kvm-ok
    timeout 300 vm-run --heredoc <<-'EOF'
    uname -a
    --
    ! timeout --preserve-status 300 vm-run "true; false; true" || exit 1
    timeout 300 vm-run --mem=max free -g
    timeout 300 vm-run --cpu=max lscpu
    df -h /tmp
    timeout 300 vm-run --tmp=max df -h /tmp
    rm /tmp/vm-tmpfs.qcow2
    timeout 300 vm-run --verbose --overlay=ext4 uname -a
    rmdir /mnt/0
    rm /usr/src/ext4.0.img
    timeout 300 vm-run --rootfs --verbose df
    rm /tmp/vm-ext4.img
    timeout 300 vm-run --hvc --no-quiet 'dmesg -r | grep -E "printk:( legacy)? console \[hvc0\] enabled"'
    timeout 300 vm-run --tcg --mem='' --cpu=1 cat /proc/cpuinfo
    if [ "$ALT_BRANCH_ID" = sisyphus ]; then
        rpm -qa PROVIDES=kernel-latest | grep '^kernel-image-'
    fi
    # Clean up without '-f' ensures these files existed.
    rm /tmp/initramfs-*-*-alt*.img
    # SCRIPT and exit code files form each vm-run invocation. Each SCRIPT file
    # should correspond to '.ret' file.
    find /tmp/vm.?????????? -maxdepth 0 | xargs -t -i -n1 rm {} {}.ret
fail rvm-devel-1.29.12.125-alt0.4.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/lib/rvm/scripts/maglev:

    $ grep -A5 -B5 /tmp/ /usr/lib/rvm/scripts/maglev
    # put them in sysctl.conf so they are preserved.
    if [[ ! -f /etc/sysctl.conf ]] || (( $(__rvm_grep -sc "kern.*.shm" /etc/sysctl.conf) == 0 ))
    then
      case "$system" in
        Linux)
          echo "# kernel.shm* settings added by MagLev installation" > /tmp/sysctl.conf.$$
          echo "kernel.shmmax=$(\command \cat /proc/sys/kernel/shmmax)" >> /tmp/sysctl.conf.$$
          echo "kernel.shmall=$(\command \cat /proc/sys/kernel/shmall)" >> /tmp/sysctl.conf.$$
          ;;
        Darwin)
          # On Mac OS X Leopard, you must have all five settings in sysctl.conf
          # before they will take effect.
          echo "# kern.sysv.shm* settings added by MagLev installation" > /tmp/sysctl.conf.$$
          sysctl kern.sysv.shmmax kern.sysv.shmall kern.sysv.shmmin kern.sysv.shmmni \
            kern.sysv.shmseg | \command \tr ":" "=" | \command \tr -d " " >> /tmp/sysctl.conf.$$
          ;;
        SunOS)
          # Do nothing in SunOS since /etc/sysctl.conf is ignored on Solaris 10.
          # Must configure shared memory settings manually.
          ;;
    --
      # Do nothing on SunOS since /etc/sysctl.conf is ignored on Solaris 10.
      if [[ "$system" != "SunOS" ]]
      then
        rvm_log "Adding the following section to /etc/sysctl.conf"
        \command \cat /tmp/sysctl.conf.$$
        __rvm_try_sudo bash -c "\command \cat /tmp/sysctl.conf.$$ >> /etc/sysctl.conf"
        /bin/\command \rm -f /tmp/sysctl.conf.$$
      fi
    else
      rvm_log "The following shared memory settings already exist in /etc/sysctl.conf"
      echo "To change them, remove the following lines from /etc/sysctl.conf and rerun this script"
      __rvm_grep "kern.*.shm" /etc/sysctl.conf
fail scanbuttond-0.2.3-alt4.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /etc/scanbuttond/buttonpressed.sh: $ grep -A5 -B5 /tmp/ /etc/scanbuttond/buttonpressed.sh # $1 ... the button number # $2 ... the scanner's SANE device name, which comes in handy if there are two or # more scanners. In this case we can pass the device name to SANE programs # like scanimage. TMPFILE="/tmp/scan.tiff" LOCKFILE="/tmp/copy.lock" case $1 in 1) echo "button 1 has been pressed on $2" -- # echo "Error: Another scanning operation is currently in progress" # exit # fi # touch $LOCKFILE # rm -f $TMPFILE scanimage --device-name $2 -x 215 -y 297 1> /tmp/image.pnm A= gimp /tmp/image.pnm # tiff2ps -z -w 8.27 -h 11.69 $TMPFILE | lpr # rm -f $LOCKFILE # ;; 2) echo "button 2 has been pressed on $2" scanimage --device-name $2 -x 215 -y 297 1> /tmp/image.pnm lpr /tmp/image.pnm ;; 3) echo "button 3 has been pressed on $2" scanimage --device-name $2 -x 215 -y 297 1> /tmp/image.pnm A= evolution mailto:?attach=/tmp/image.pnm ;; 4) echo "button 4 has been pressed on $2" ;; esac;
fail select-kernel-0.99.2-alt1.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/sbin/select-kernel:

    $ grep -A5 -B5 /tmp/ /usr/sbin/select-kernel
    message() {
        printf %s\\n "$PROG: $*" >&2
    }
    debug() {
        echo "$@" >> /tmp/$PROG.dbg
    }
    show_help() {
        cat << EOF
    --
    yes=
    numeric=
    RELEASE=.
    FLAVOUR=.
    CACHE=/tmp/$PROG.$$
    trap "rm -f $CACHE" EXIT SIGHUP SIGINT SIGQUIT SIGTERM
    while [ -n "$1" ]; do
        if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
            show_help
fail spdk-23.09-alt1.1.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/libexec/spdk/scripts/spdx.sh: $ grep -A5 -B5 /tmp/ /usr/libexec/spdk/scripts/spdx.sh etc usr THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT etc usr (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE etc usr OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. etc/ usr/ END ) > /tmp/c.txt ( cat << 'END' # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions -- # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# END ) > /tmp/makefile.txt function get_sha() { sha= start=$(cat -n $1 | grep "Redistribution and use" | awk '{print $1}') end=$(cat -n $1 | grep "POSSIBILITY OF SUCH DAMAGE" | head -1 | awk '{print $1}') -- fi count=$((end - start + 1)) sha=$(sed -n "${start},+${count}p" $1 | sha1sum | awk '{print $1}') } intel_c_sha=$(sed 's/__COMPANY__/Intel Corporation/g' /tmp/c.txt | sha1sum | awk '{print $1}') nvidia_c_sha=$(sed 's/__COMPANY__/Nvidia Corporation/g' /tmp/c.txt | sha1sum | awk '{print $1}') samsung_c_sha=$(sed 's/__COMPANY__/Samsung Electronics Co., Ltd./g' /tmp/c.txt | sha1sum | awk '{print $1}') eideticom_c_sha=$(sed 's/__COMPANY__/Eideticom Inc/g' /tmp/c.txt | sha1sum | awk '{print $1}') generic_c_sha=$(sed 's/__COMPANY__/the copyright holder/g' /tmp/c.txt | sha1sum | awk '{print $1}') for f in $(git ls-files '**/*.c' '**/*.cpp' '**/*.h' '**/*.cc' '**/*.go'); do get_sha $f if [[ $sha == "$intel_c_sha" ]] \ || [[ $sha == "$nvidia_c_sha" ]] \ -- sed -i '1 i /ALT /bin /boot /dev /etc /home /lib /lib64 /libx32 /lost+found /media /mnt /opt /proc /root /run /sbin /selinux /srv /sys /tmp /usr /var SPDX-License-Identifier: BSD-3-Clause' $f fi done intel_makefile_sha=$(sed 's/__COMPANY__/Intel Corporation/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') nvidia_makefile_sha=$(sed 's/__COMPANY__/Nvidia Corporation/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') samsung_makefile_sha=$(sed 's/__COMPANY__/Samsung Electronics Co., Ltd./g' /tmp/makefile.txt | sha1sum | awk '{print $1}') eideticom_makefile_sha=$(sed 's/__COMPANY__/Eideticom Inc/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') generic_makefile_sha=$(sed 's/__COMPANY__/the copyright holder/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') for f in $(git ls-files CONFIG MAKEFILE '**/*.mk' '**/Makefile'); do get_sha $f if [[ $sha == "$intel_makefile_sha" ]] \ || [[ $sha == "$nvidia_makefile_sha" ]] \;
fail startup-rescue-0.50-alt2.x86_64
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /etc/rc.d/rc.sysinit.rescue:

    $ grep -A5 -B5 /tmp/ /etc/rc.d/rc.sysinit.rescue
    # Ensure plymouth is not running
    killall plymouthd >/dev/null 2>&1
    remount_aufs() {
        [ -d "$1" ] || return 0
        mkdir -p -- "/tmp/root$1"
        mount -n -t aufs -o dirs="/tmp/root$1=rw:$1=ro" "/tmp/root$1" "$1"
    }
    # Avoid double-aufs/overlayfs attempt
    if ! grep -qE "^overlay|/ aufs" /proc/mounts; then
        for mpoint in /etc /var /lib /bin /sbin /home /root /mnt; do
    --
        action "Mounting efivars filesystem:" mount -t efivarfs none /sys/firmware/efi/efivars
    fi
    # run tmpfiles.d scripts
    if systemd_tmpfiles="$(find_util systemd-tmpfiles)"; then
        "$systemd_tmpfiles" --clean >/tmp/tmpfiles.log 2>&1
        "$systemd_tmpfiles" --remove --create --boot --exclude-prefix=/dev >>/tmp/tmpfiles.log 2>&1
    fi
    # Recover mdadm.conf if it's been changed above
    if [ -s "$MDCONF" ]; then
        sed -i 's,^DEVICE /dev/null,DEVICE partitions,' "$MDCONF"
fail systemd-tests-255.18-alt1.x86_64 The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/systemd/tests/testdata/units/testsuite-82.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-82.sh test "$(systemctl show -P ActiveState testsuite-82-survive-argv.service)" = "active" test "$(systemctl show -P ActiveState testsuite-82-nosurvive-sigterm.service)" != "active" test "$(systemctl show -P ActiveState testsuite-82-nosurvive.service)" != "active" # This time we test the /run/nextroot/ root switching logic. (We synthesize a new rootfs from the old via overlayfs) mkdir -p /run/nextroot /tmp/nextroot-lower /original-root mount -t tmpfs tmpfs /tmp/nextroot-lower echo miep >/tmp/nextroot-lower/lower # Copy os-release away, so that we can manipulate it and check that it is updated in the propagate # directory across soft reboots. Try to cover corner cases by truncating it. mkdir -p /tmp/nextroot-lower/etc grep ID /etc/os-release >/tmp/nextroot-lower/etc/os-release echo MARKER=1 >>/tmp/nextroot-lower/etc/os-release cmp /etc/os-release /run/systemd/propagate/.os-release-stage/os-release (! 
grep -q MARKER=1 /etc/os-release) mount -t overlay nextroot /run/nextroot -o lowerdir=/tmp/nextroot-lower:/,ro # Bind our current root into the target so that we later can return to it mount --bind / /run/nextroot/original-root # Restart the unit that is not supposed to survive Found error in /usr/lib/systemd/tests/testdata/units/testsuite-81.system-update-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-81.system-update-generator.sh # shellcheck source=test/units/generator-utils.sh . "$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-system-update-generator" OUT_DIR="$(mktemp -d /tmp/system-update-generator-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" /system-update } -- link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" : "system-update-generator: kernel cmdline warnings" # We should warn if the default target is overridden on the kernel cmdline # by a runlevel or systemd.unit=, but still generate the symlink SYSTEMD_PROC_CMDLINE="systemd.unit=foo.bar 3" run_and_list "$GENERATOR_BIN" "$OUT_DIR" |& tee /tmp/system-update-generator.log link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" grep -qE "Offline system update overridden .* systemd.unit=" /tmp/system-update-generator.log grep -qE "Offline system update overridden .* runlevel" /tmp/system-update-generator.log Found error in /usr/lib/systemd/tests/testdata/units/testsuite-81.getty-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-81.getty-generator.sh # shellcheck source=test/units/generator-utils.sh . 
"$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-getty-generator" OUT_DIR="$(mktemp -d /tmp/getty-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" } -- done # Sneak in one "not-a-tty" console touch /dev/notatty99 # Temporarily replace /sys/class/tty/console/active with our list of dummy # consoles so getty-generator can process them echo -ne "${DUMMY_ACTIVE_CONSOLES[@]}" /dev/notatty99 >/tmp/dummy-active-consoles mount -v --bind /tmp/dummy-active-consoles /sys/class/tty/console/active : "getty-generator: no arguments" # Sneak in an invalid value for $SYSTEMD_GETTY_AUTO to test things out PID1_ENVIRON="SYSTEMD_GETTY_AUTO=foo" run_and_list "$GENERATOR_BIN" "$OUT_DIR" for console in "${DUMMY_ACTIVE_CONSOLES[@]}"; do Found error in /usr/lib/systemd/tests/testdata/units/testsuite-80.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-80.sh set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh mkfifo /tmp/syncfifo1 /tmp/syncfifo2 sync_in() { read -r x < /tmp/syncfifo1 test "$x" = "$1" } sync_out() { echo "$1" > /tmp/syncfifo2 } export SYSTEMD_LOG_LEVEL=debug systemctl --no-block start notify.service -- assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "none" systemctl stop notify.service assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "all" rm /tmp/syncfifo1 /tmp/syncfifo2 # Now test basic fdstore behaviour MYSCRIPT="/tmp/myscript$RANDOM.sh" cat >> "$MYSCRIPT" <<'EOF' #!/usr/bin/env bash set -eux set -o pipefail test "$FDSTORE" -eq 7 N="/tmp/$RANDOM" echo $RANDOM > "$N" systemd-notify --fd=4 --fdname=quux --pid=parent 4< "$N" rm "$N" systemd-notify --ready exec sleep infinity -- MYUNIT="myunit$RANDOM.service" systemd-run -u "$MYUNIT" -p Type=notify -p FileDescriptorStoreMax=7 "$MYSCRIPT" test "$(systemd-analyze fdstore "$MYUNIT" | wc -l)" -eq 2 systemd-analyze fdstore "$MYUNIT" --json=short systemd-analyze fdstore "$MYUNIT" 
--json=short | grep -P -q '\[{"fdname":"quux","type":.*,"devno":\[.*\],"inode":.*,"rdevno":null,"path":"/tmp/.*","flags":"ro"}\]' systemctl stop "$MYUNIT" rm "$MYSCRIPT" systemd-analyze log-level debug Found error in /usr/lib/systemd/tests/testdata/units/testsuite-76.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-76.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh export SYSTEMD_LOG_LEVEL=debug echo "foo.bar=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 1 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf echo "-foo.foo=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf if ! systemd-detect-virt --quiet --container; then ip link add hoge type dummy udevadm wait /sys/class/net/hoge cat >/tmp/foo.conf </proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp echo 0 >/proc/sys/net/ipv4/conf/hoge/bootp_relay echo 0 >/proc/sys/net/ipv4/conf/hoge/disable_policy assert_rc 0 /usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/hoge /tmp/foo.conf assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/bootp_relay)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/disable_policy)" "0" fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-74.modules-load.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-74.modules-load.sh "$MODULES_LOAD_BIN" --version # Explicit config file modprobe -v --all --remove loop dummy printf "loop\ndummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" "$CONFIG_FILE" |& tee /tmp/out.log grep -E "Inserted module .*loop" /tmp/out.log grep -E "Inserted module .*dummy" /tmp/out.log # Implicit config file modprobe -v --all --remove loop dummy printf "loop\ndummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" |& tee /tmp/out.log grep -E "Inserted module .*loop" /tmp/out.log grep -E "Inserted module 
.*dummy" /tmp/out.log # Valid & invalid data mixed together modprobe -v --all --remove loop dummy cat >"$CONFIG_FILE" </tmp/core.redirected test -s /tmp/core.redirected coredumpctl dump -o /tmp/core.output "${CORE_TEST_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} # Unprivileged stuff # Related issue: https://github.com/systemd/systemd/issues/26912 UNPRIV_CMD=(systemd-run --user --wait --pipe -M "testuser@.host" --) # Trigger a couple of coredumps as an unprivileged user -- "${UNPRIV_CMD[@]}" coredumpctl info "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl info "${CORE_TEST_UNPRIV_BIN##*/}" (! "${UNPRIV_CMD[@]}" coredumpctl info --all "$CORE_TEST_BIN") (! "${UNPRIV_CMD[@]}" coredumpctl info --all "${CORE_TEST_BIN##*/}") # We should have a couple of externally stored coredumps "${UNPRIV_CMD[@]}" coredumpctl --field=COREDUMP_FILENAME | tee /tmp/coredumpctl.out grep "/var/lib/systemd/coredump/core" /tmp/coredumpctl.out rm -f /tmp/coredumpctl.out "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true --debugger-arguments="-this --does --not 'do anything' -a -t --all" "${CORE_TEST_UNPRIV_BIN##*/}" "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_UNPRIV_BIN" >/tmp/core.redirected test -s /tmp/core.redirected "${UNPRIV_CMD[@]}" coredumpctl dump -o /tmp/core.output "${CORE_TEST_UNPRIV_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} (! 
"${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_BIN" >/dev/null) # --backtrace mode # Pass one of the existing journal coredump records to systemd-coredump and # use our PID as the source to make matching the coredump later easier Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.pcrlock.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.pcrlock.sh # means we'll fail consistency check, but at least we'll fail them consistently # (as the PCR values simply won't match the log). rm -f /run/log/systemd/tpm2-measure.log # Ensure a truncated log doesn't crash pcrlock echo -n -e \\x1e >/tmp/borked set +e SYSTEMD_MEASURE_LOG_USERSPACE=/tmp/borked "$SD_PCRLOCK" cel --no-pager --json=pretty ret=$? set -e # If it crashes the exit code will be 149 test $ret -eq 1 -- PIN=huhu "$SD_PCRLOCK" make-policy --pcr="$PCRS" --recovery-pin=yes # Repeat immediately (this call will have to reuse the nvindex, rather than create it) "$SD_PCRLOCK" make-policy --pcr="$PCRS" "$SD_PCRLOCK" make-policy --pcr="$PCRS" --force img="/tmp/pcrlock.img" truncate -s 20M "$img" echo -n hoho >/tmp/pcrlockpwd chmod 0600 /tmp/pcrlockpwd cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/pcrlockpwd systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --wipe-slot=tpm2 "$img" systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless systemd-cryptsetup detach pcrlock # Ensure systemd-pcrlock not crashing on empty variant directory mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d -- (! "$SD_PCRLOCK" lock-pe /bin/true) (! "$SD_PCRLOCK" lock-uki /dev/full) (! "$SD_PCRLOCK" lock-uki /bin/true) (! 
"$SD_PCRLOCK" lock-file-system "") rm "$img" /tmp/pcrlockpwd Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.measure.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.measure.sh if [[ ! -x "${SD_MEASURE:?}" ]]; then echo "$SD_MEASURE not found, skipping the test" exit 0 fi IMAGE="$(mktemp /tmp/systemd-measure-XXX.image)" echo HALLO >/tmp/tpmdata1 echo foobar >/tmp/tpmdata2 cat >/tmp/result </tmp/result.json </tmp/result </tmp/result.json </dev/null; then MEASURE_BANKS+=("--bank=sha1") fi # Sign current PCR state with it "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig" dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64 systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata # Invalidate PCR, decrypting should fail now tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null) # Sign new PCR state, decrypting should work now. 
"$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig2" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata # Now, do the same, but with a cryptsetup binding truncate -s 20M "$IMAGE" cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Ensure that an unrelated signature, when not requested, is not used touch /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" "$IMAGE" # Reset and use the signature now rm -f /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" "$IMAGE" # Check if we can activate that (without the token module stuff) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup detach test-volume2 # Check if we can activate that (and a second time with the token module stuff enabled) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup detach test-volume2 # After extending the PCR things should fail tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) (! 
SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) # But once we sign the current PCRs, we should be able to unlock again "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig3" SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 # Test --append mode and de-duplication. With the same parameters signing should not add a new entry "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig3" >"/tmp/pcrsign.sig4" cmp "/tmp/pcrsign.sig3" "/tmp/pcrsign.sig4" # Sign one more phase, this should "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig4" >"/tmp/pcrsign.sig5" (! 
cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5") # Should still be good to unlock, given the old entry still exists SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig5",headless=1 systemd-cryptsetup detach test-volume2 # Adding both signatures once more should not change anything, due to the deduplication "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig5" >"/tmp/pcrsign.sig6" "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig6" >"/tmp/pcrsign.sig7" cmp "/tmp/pcrsign.sig5" "/tmp/pcrsign.sig7" rm -f "$IMAGE"

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptsetup.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptsetup.sh
} trap at_exit EXIT # Prepare a fresh disk image IMAGE="$(mktemp /tmp/systemd-cryptsetup-XXX.IMAGE)" truncate -s 20M "$IMAGE" echo -n passphrase >/tmp/passphrase # Change file mode to avoid "/tmp/passphrase has 0644 mode that is too permissive" messages chmod 0600 /tmp/passphrase cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Unlocking via keyfile systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto "$IMAGE" # Enroll unlock with default PCR policy PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume -- systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # Now the interesting part, enrolling using a hash value that doesn't match the current PCR value systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE"
tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) EXPECTED_PCR_VALUE=$(cat /tmp/pcr.dat /tmp/pcr.dat | openssl dgst -sha256 -r | cut -d ' ' -f 1) PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$IMAGE" (! systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1) tpm2_pcrextend "12:sha256=$CURRENT_PCR_VALUE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # enroll TPM using device key instead of direct access, then verify unlock using TPM tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub systemd-analyze srk > /tmp/srk2.pub cmp /tmp/srk.pub /tmp/srk2.pub if [ -f /run/systemd/tpm2-srk-public-key.tpm2b_public ] ; then cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public fi # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume fi rm -f /tmp/pcr.dat /tmp/srk.pub fi # Use default (0) seal key handle systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0 "$IMAGE" -- (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x02000001 "$IMAGE") # HMAC/loaded session (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x03000001 "$IMAGE") # Policy/saved session (! 
PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x40000001 "$IMAGE") # Permanent # Use non-SRK persistent seal key handle (by creating/persisting new key) PRIMARY=/tmp/primary.ctx tpm2_createprimary -c "$PRIMARY" PERSISTENT_LINE=$(tpm2_evictcontrol -c "$PRIMARY" | grep persistent-handle) PERSISTENT_HANDLE="0x${PERSISTENT_LINE##*0x}" tpm2_flushcontext -t -- systemd-cryptsetup detach test-volume # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then # Make sure that --tpm2-device-key= also works with systemd-repart tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub mkdir /tmp/dditest cat > /tmp/dditest/50-root.conf </tmp/cryptenroll.out systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out )} # There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it if [[ "$(uname -m)" == "ppc64le" ]]; then echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716" exit 0 fi export SYSTEMD_LOG_LEVEL=debug IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)" truncate -s 20M "$IMAGE" echo -n password >/tmp/password # Change file mode to avoid "/tmp/password has 0644 mode that is too permissive" messages chmod 0600 /tmp/password cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/password # Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$IMAGE" NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" for _ in {0..9}; do systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE" done PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE" # Do some 
basic checks before we start wiping stuff systemd-cryptenroll "$IMAGE" systemd-cryptenroll "$IMAGE" | grep password -- (! systemd-cryptenroll "$IMAGE" | grep recovery) # We shouldn't be able to wipe all keyslots without enrolling a new key first (! systemd-cryptenroll "$IMAGE" --wipe=all) PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all # Check if the newly (and only) enrolled password works (! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE") (! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE") PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE" systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE" systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE" systemd-cryptenroll --fido2-with-user-verification=false "$IMAGE" systemd-cryptenroll --tpm2-pcrs=8 "$IMAGE" systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config "$IMAGE" (! systemd-cryptenroll --fido2-with-client-pin=false) (! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo) (! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE") (! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE") (! systemd-cryptenroll --recovery-key --password "$IMAGE") (! systemd-cryptenroll --password --recovery-key "$IMAGE") (! systemd-cryptenroll --password --fido2-device=auto "$IMAGE") (! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE") (! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE") (! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE") (! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE") (! 
systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE")

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.creds.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.creds.sh
set -o pipefail export SYSTEMD_LOG_LEVEL=debug # Ensure that sandboxing doesn't stop creds from being accessible echo "test" > /tmp/testdata systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2 # LoadCredentialEncrypted systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata # SetCredentialEncrypted systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata rm -f /tmp/testdata

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-68.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-68.sh
ExecStart=sh -c "exit 0" EOF # Script to check that when an OnSuccess= dependency fires, the correct # MONITOR* env variables are passed.
cat >/tmp/check_on_success.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "success" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_success.sh cat >/run/systemd/system/testservice-success-exit-handler-68.service </run/systemd/system/testservice-success-exit-handler-68-template@.service </tmp/check_on_failure.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "exit-code" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_failure.sh cat >/run/systemd/system/testservice-failure-exit-handler-68.service </run/systemd/system/testservice-failure-exit-handler-68-template@.service </tmp/out1 chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2 diff /tmp/out{1,2} fi # verify mkdir -p /tmp/img/usr/lib/systemd/system/ mkdir -p /tmp/img/opt/ touch /tmp/img/opt/script0.sh chmod +x /tmp/img/opt/script0.sh cat </tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = /opt/script0.sh EOF set +e # Default behaviour is to recurse through all dependencies when unit is loaded (! systemd-analyze verify --root=/tmp/img/ testfile.service) # As above, recurses through all dependencies when unit is loaded (! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service) # Recurses through unit file and its direct dependencies when unit is loaded (! 
systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service) set -e # zero exit status since dependencies are ignored when unit is loaded systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service rm /tmp/img/usr/lib/systemd/system/testfile.service cat </tmp/testfile.service [Unit] foo = bar [Service] ExecStart = echo hello EOF cat </tmp/testfile2.service [Unit] Requires = testfile.service [Service] ExecStart = echo hello EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/testfile2.service set +e # Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded (! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service) set -e rm /tmp/testfile.service rm /tmp/testfile2.service cat </tmp/sample.service [Unit] Description = A Sample Service [Service] ExecStart = echo hello Slice=support.slice EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/sample.service cat </tmp/testfile.service [Service] ExecStart = echo hello DeviceAllow=/dev/sda EOF # Prevent regression from #13380 and #20859 where we can't verify hidden files cp /tmp/testfile.service /tmp/.testfile.service systemd-analyze verify /tmp/.testfile.service rm /tmp/.testfile.service # Alias a unit file's name on disk (see #20061) cp /tmp/testfile.service /tmp/testsrvc (! systemd-analyze verify /tmp/testsrvc) systemd-analyze verify /tmp/testsrvc:alias.service # Zero exit status since the value used for comparison determine exposure to security threats is by default 100 systemd-analyze security --offline=true /tmp/testfile.service #The overall exposure level assigned to the unit is greater than the set threshold (! 
systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service) # Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185 systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda" rm /tmp/testfile.service cat </tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = echo hello PrivateNetwork = yes PrivateDevices = yes PrivateUsers = yes EOF # The new overall exposure level assigned to the unit is less than the set thresholds # Verifies that the --offline= option works with --root= systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service cat </tmp/foo@.service [Service] ExecStart=ls EOF cat </tmp/hoge@test.service [Service] ExecStart=ls EOF # issue #30357 -- systemd-analyze verify tmp/hoge@test.service (! systemd-analyze verify tmp/hoge@nonexist.service) (! systemd-analyze verify tmp/hoge@.service) popd pushd /usr systemd-analyze verify ../tmp/foo@bar.service systemd-analyze verify ../tmp/foo@.service systemd-analyze verify ../tmp/hoge@test.service (! systemd-analyze verify ../tmp/hoge@nonexist.service) (! systemd-analyze verify ../tmp/hoge@.service) popd systemd-analyze verify /tmp/foo@bar.service systemd-analyze verify /tmp/foo@.service systemd-analyze verify /tmp/hoge@test.service (! systemd-analyze verify /tmp/hoge@nonexist.service) (! systemd-analyze verify /tmp/hoge@.service) # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight # assigned to that id in the .json file is 6000. 
This increased weight means that when the "PrivateNetwork" key is # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure # level for the unit file should decrease to account for that increased weight. cat </tmp/testfile.json {"UserOrDynamicUser": {"description_bad": "Service runs as root user", "weight": 0, "range": 10 }, -- } EOF # Reads in custom security requirements from the parsed .json file and uses these for comparison systemd-analyze security --threshold=90 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service # The strict profile adds a lot of sanboxing options systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=strict \ --root=/tmp/img/ testfile.service # The trusted profile doesn't add any sanboxing options (! systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \ --root=/tmp/img/ testfile.service) (! systemd-analyze security --threshold=50 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service) rm /tmp/img/usr/lib/systemd/system/testfile.service if systemd-analyze --version | grep -q -F "+ELFUTILS"; then systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"' fi

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-63.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-63.sh
systemctl log-level debug # Test that a path unit continuously triggering a service that fails condition checks eventually fails with # the trigger-limit-hit error. rm -f /tmp/nonexistent systemctl start test63.path touch /tmp/test63 # Make sure systemd has sufficient time to hit the trigger limit for test63.path.
# shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63.path -P ActiveState)" = failed; do sleep .2; done' test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P Result)" = trigger-limit-hit # Test that starting the service manually doesn't affect the path unit. rm -f /tmp/test63 systemctl reset-failed systemctl start test63.path systemctl start test63.service test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P ActiveState)" = active test "$(systemctl show test63.path -P Result)" = success # Test that glob matching works too, with $TRIGGER_PATH systemctl start test63-glob.path touch /tmp/test63-glob-foo timeout 60 bash -c 'until systemctl -q is-active test63-glob.service; do sleep .2; done' test "$(systemctl show test63-glob.service -P ActiveState)" = active test "$(systemctl show test63-glob.service -P Result)" = success test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[["trigger_unit","test63-glob.path"],["trigger_path","/tmp/test63-glob-foo"]]}' systemctl stop test63-glob.path test63-glob.service test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[]}' # tests for issue https://github.com/systemd/systemd/issues/24577#issuecomment-1522628906 rm -f /tmp/hoge systemctl start test63-issue-24577.path systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_not_in "test63-issue-24577.service" "$output" assert_not_in 
"test63-issue-24577-dep.service" "$output" touch /tmp/hoge systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" -- systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" assert_in "test63-issue-24577-dep.service" "$output" rm -f /tmp/hoge systemctl stop test63-issue-24577.service systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) -- assert_in "test63-issue-24577-dep.service" "$output" # Test for race condition fixed by https://github.com/systemd/systemd/pull/30768 # Here's the schedule of events that we to happen during this test: # (This test) (The service) # .path unit monitors /tmp/copyme for changes # Take lock on /tmp/noexeit ↓ # Write to /tmp/copyme ↓ # Wait for deactivating Started # ↓ Copies /tmp/copyme to /tmp/copied # ↓ Tells manager it's shutting down # Ensure service did the copy Tries to lock /tmp/noexit and blocks # Write to /tmp/copyme ↓ # # Now at this point the test can diverge. If we regress, this second write is # missed and we'll see: # ... (second write) ... (blocked) # Drop lock on /tmp/noexit ↓ # Wait for service to do copy Unblocks and exits # ↓ (dead) # ↓ # (timeout) # Test fails # # Otherwise, we'll see: # ... (second write) ... 
(blocked) # Drop lock on /tmp/noexit ↓ and .path unit queues a new start job # Wait for service to do copy Unblocks and exits # ↓ Starts again b/c of queued job # ↓ Copies again # Test Passes systemctl start test63-pr-30768.path exec {lock}<>/tmp/noexit flock -e $lock echo test1 > /tmp/copyme # shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P ActiveState)" = deactivating; do sleep .2; done' diff /tmp/copyme /tmp/copied echo test2 > /tmp/copyme exec {lock}<&- timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied >/dev/null; do sleep .2; done' systemctl log-level info touch /testok

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-54.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-54.sh
# Sanity checks # # Create a dummy "full" disk (similar to /dev/full) to check out-of-space # scenarios mkdir /tmp/full mount -t tmpfs -o size=1,nr_inodes=1 tmpfs /tmp/full # verb: setup # Run this first, otherwise any encrypted credentials wouldn't be decryptable # as we regenerate the host key rm -fv /var/lib/systemd/credential.secret -- echo foo >"$CRED_DIR/insecure" echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted" echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed" chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR" chmod -R 0444 "$CRED_DIR/insecure" mkdir /tmp/empty/ systemd-creds --system systemd-creds --no-pager --help systemd-creds --version systemd-creds has-tpm2 || : -- systemd-creds list --system ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --no-legend ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=pretty | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=short | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list
--json=off ENCRYPTED_CREDENTIALS_DIRECTORY="/tmp/empty/" CREDENTIALS_DIRECTORY="/tmp/empty/" systemd-creds list # verb: cat for cred in secure-or-weak insecure encrypted encrypted-unnamed; do ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds cat "$cred" done -- run_with_cred_compare "mycred:68656c6c6f0a776f726c64" "hello\nworld" --transcode=unhex cat mycred run_with_cred_compare 'mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' '{"foo":"bar","baz":[3,4]}\n' --json=short cat mycred systemd-run -p SetCredential='mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' --wait --pipe -- systemd-creds --json=pretty cat mycred | jq # verb: encrypt/decrypt echo "According to all known laws of aviation..." >/tmp/cred.orig systemd-creds --with-key=host encrypt /tmp/cred.orig /tmp/cred.enc systemd-creds decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.{enc,dec} # --pretty cred_name="fo'''o''bar" cred_option="$(systemd-creds --pretty --name="$cred_name" encrypt /tmp/cred.orig -)" mkdir -p /run/systemd/system cat >/run/systemd/system/test-54-pretty-cred.service </tmp/ts54-concat (cat /etc/passwd /etc/shadow && echo -n wuff) | cmp /tmp/ts54-concat rm /tmp/ts54-concat # Test that SetCredential= acts as fallback for LoadCredential= echo piff >/tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ] rm /tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ] if systemd-detect-virt -q -c ; then expected_credential=mynspawncredential expected_value=strangevalue elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then -- # Verify that creating a user via sysusers via the kernel cmdline worked grep -q ^credtestuser: /etc/passwd # Verify that writing a file via tmpfiles worked [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ] 
[ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ] [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ] else echo "qemu_fw_cfg support missing in kernel. Sniff!" expected_credential="" -- --unit=test-54-immutable-rm.service \ --wait \ rm '${CREDENTIALS_DIRECTORY}/passwd') # Check directory-based loading mkdir -p /tmp/ts54-creds/sub echo -n a >/tmp/ts54-creds/foo echo -n b >/tmp/ts54-creds/bar echo -n c >/tmp/ts54-creds/baz echo -n d >/tmp/ts54-creds/sub/qux systemd-run -p LoadCredential=cred:/tmp/ts54-creds \ -p DynamicUser=1 \ --unit=test-54-dir.service \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/cred_foo' \ '${CREDENTIALS_DIRECTORY}/cred_bar' \ '${CREDENTIALS_DIRECTORY}/cred_baz' \ '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abcd) rm /tmp/ts54-concat rm -rf /tmp/ts54-creds # Check that globs work as expected mkdir -p /run/credstore echo -n a >/run/credstore/test.creds.first echo -n b >/run/credstore/test.creds.second -- -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \ '${CREDENTIALS_DIRECTORY}/test.creds.second' \ '${CREDENTIALS_DIRECTORY}/test.creds.third' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abc) # Now test encrypted credentials (only supported when built with OpenSSL though) if systemctl --version | grep -q -- +OPENSSL ; then echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p SetCredentialEncrypted=test-54:"$(cat 
/tmp/test-54-ciphertext)" \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext rm /tmp/test-54-plaintext /tmp/test-54-ciphertext fi # https://github.com/systemd/systemd/issues/27275 systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \ -p 'ExecStartPre=true' \

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-50.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-50.sh
RemainAfterExit=yes MountAPIVFS=yes PrivateTmp=yes ExecStart=/bin/sh -c ' \\ systemd-notify --ready; \\ while [ ! -f /tmp/img/usr/lib/os-release ] || ! grep -q -F MARKER /tmp/img/usr/lib/os-release; do \\ sleep 0.1; \\ done; \\ mount; \\ mount | grep -F "on /tmp/img type squashfs" | grep -q -F "nosuid"; \\ ' EOF systemctl start testservice-50d.service # Mount twice to exercise mount-beneath (on kernel 6.5+, on older kernels it will just overmount) mkdir -p /tmp/wrong/foo mksquashfs /tmp/wrong/foo /tmp/wrong.raw systemctl mount-image --mkdir testservice-50d.service /tmp/wrong.raw /tmp/img test "$(systemctl show -P SubState testservice-50d.service)" = "running" systemctl mount-image --mkdir testservice-50d.service "${image}.raw" /tmp/img root:nosuid while systemctl show -P SubState testservice-50d.service | grep -q running do sleep 0.1 done -- rm /var/lib/extensions/app-nodistro.raw mkdir -p /run/machines /run/portables /run/extensions touch /run/machines/a.raw /run/portables/b.raw /run/extensions/c.raw systemd-dissect --discover --json=short >/tmp/discover.json grep -q -F '{"name":"a","type":"raw","class":"machine","ro":false,"path":"/run/machines/a.raw"' /tmp/discover.json grep -q -F '{"name":"b","type":"raw","class":"portable","ro":false,"path":"/run/portables/b.raw"' /tmp/discover.json grep -q -F '{"name":"c","type":"raw","class":"sysext","ro":false,"path":"/run/extensions/c.raw"' /tmp/discover.json rm /tmp/discover.json /run/machines/a.raw /run/portables/b.raw /run/extensions/c.raw # Check that the
/sbin/mount.ddi helper works T="/tmp/mounthelper.$RANDOM" mount -t ddi "${image}.gpt" "$T" -o ro,X-mount.mkdir,discard umount -R "$T" rmdir "$T" LOOP="$(systemd-dissect --attach --loop-ref=waldo "${image}.raw")" -- (! /etc/testscript) systemd-confext status systemd-confext unmerge rm -rf /run/confexts/ unsquashfs -no-xattrs -d /tmp/img "${image}.raw" systemd-run --unit=test-root-ephemeral \ -p RootDirectory=/tmp/img \ -p RootEphemeral=yes \ -p Type=exec \ bash -c "touch /abc && sleep infinity" test -n "$(ls -A /var/lib/systemd/ephemeral-trees)" systemctl stop test-root-ephemeral # shellcheck disable=SC2016 timeout 10 bash -c 'until test -z "$(ls -A /var/lib/systemd/ephemeral-trees)"; do sleep .5; done' test ! -f /tmp/img/abc systemd-dissect --mtree /tmp/img systemd-dissect --list /tmp/img read -r SHA256SUM1 _ < <(systemd-dissect --copy-from /tmp/img etc/os-release | sha256sum) test "$SHA256SUM1" != "" echo abc > abc systemd-dissect --copy-to /tmp/img abc /abc test -f /tmp/img/abc # Test for dissect tool support with systemd-sysext mkdir -p /run/extensions/ testkit/usr/lib/extension-release.d/ echo "ID=_any" >testkit/usr/lib/extension-release.d/extension-release.testkit echo "ARCHITECTURE=_any" >>testkit/usr/lib/extension-release.d/extension-release.testkit -- rm /var/lib/extensions/app-reload.raw # Test systemd-repart --make-ddi=: if command -v mksquashfs >/dev/null 2>&1; then openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout /tmp/test-50-privkey.key -out /tmp/test-50-cert.crt mkdir -p /tmp/test-50-confext/etc/extension-release.d/ echo "foobar50" > /tmp/test-50-confext/etc/waldo ( grep -e '^\(ID\|VERSION_ID\)=' /etc/os-release ; echo IMAGE_ID=waldo ; echo IMAGE_VERSION=7 ) > /tmp/test-50-confext/etc/extension-release.d/extension-release.waldo mkdir -p /run/confexts SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -C -s /tmp/test-50-confext --certificate=/tmp/test-50-cert.crt 
--private-key=/tmp/test-50-privkey.key /run/confexts/waldo.confext.raw rm -rf /tmp/test-50-confext mkdir -p /run/verity.d cp /tmp/test-50-cert.crt /run/verity.d/ systemd-dissect --mtree /run/confexts/waldo.confext.raw systemd-confext refresh read -r X < /etc/waldo -- systemd-confext refresh (! test -f /etc/waldo ) mkdir -p /tmp/test-50-sysext/usr/lib/extension-release.d/ # Make sure the sysext is big enough to not fit in the minimum partition size of repart so we know the # Minimize= logic is working. truncate --size=50M /tmp/test-50-sysext/usr/waldo ( grep -e '^\(ID\|VERSION_ID\)=' /etc/os-release ; echo IMAGE_ID=waldo ; echo IMAGE_VERSION=7 ) > /tmp/test-50-sysext/usr/lib/extension-release.d/extension-release.waldo mkdir -p /run/extensions SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -S -s /tmp/test-50-sysext --certificate=/tmp/test-50-cert.crt --private-key=/tmp/test-50-privkey.key /run/extensions/waldo.sysext.raw systemd-dissect --mtree /run/extensions/waldo.sysext.raw systemd-sysext refresh test -f /usr/waldo rm /run/verity.d/test-50-cert.crt /run/extensions/waldo.sysext.raw /tmp/test-50-cert.crt /tmp/test-50-privkey.key systemd-sysext refresh (! test -f /usr/waldo) fi

Found error in /usr/lib/systemd/tests/testdata/units/testsuite-46.sh:
$ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-46.sh
# filesystems, let's drop these fields before comparing the outputs to # avoid unexpected fails. To see the full outputs of both homectl & # userdbctl (for debugging purposes) drop the fields just before the # comparison.
local USERNAME="${1:?}" homectl inspect "$USERNAME" | tee /tmp/a userdbctl user "$USERNAME" | tee /tmp/b # diff uses the grep BREs for pattern matching diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\|Usage\):' /tmp/{a,b} rm /tmp/{a,b} homectl inspect --json=pretty "$USERNAME" } wait_for_state() { -- varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"uid":2000000,"service":"io.systemd.Multiplexer"}' (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"🐱","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"i-do-not-exist","service":"io.systemd.Multiplexer"}') userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys grep "my-top-secret-key 🐱" /tmp/authorized-keys (! userdbctl ssh-authorized-keys 🐱) (! userdbctl ssh-authorized-keys dropin-user --chain) (! userdbctl ssh-authorized-keys dropin-user --chain '') (! 
SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false) Found error in /usr/lib/systemd/tests/testdata/units/testsuite-44.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-44.sh systemd-analyze log-level debug systemd-run --wait -p LogNamespace=foobar echo "hello world" journalctl --namespace=foobar --sync journalctl -o cat --namespace=foobar >/tmp/hello-world journalctl -o cat >/tmp/no-hello-world grep "^hello world$" /tmp/hello-world (! grep "^hello world$" /tmp/no-hello-world) systemd-analyze log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/testsuite-29.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-29.sh portablectl list | grep -q -F "No images." busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1 # portablectl also works with directory paths rather than images unsquashfs -dest /tmp/minimal_0 /usr/share/minimal_0.raw unsquashfs -dest /tmp/minimal_1 /usr/share/minimal_1.raw portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/minimal_0 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-foo.service systemctl is-active minimal-app0-bar.service && exit 1 portablectl "${ARGS[@]}" reattach --now --enable --runtime /tmp/minimal_1 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-bar.service systemctl is-active minimal-app0-foo.service && exit 1 portablectl list | grep -q -F "minimal_1" busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' portablectl detach --now --enable --runtime /tmp/minimal_1 minimal-app0 portablectl list | grep -q -F "No images." 
busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1 portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0 -- portablectl detach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0 # Ensure versioned images are accepted without needing to use --force to override the extension-release # matching cp /usr/share/app0.raw /tmp/app0_1.0.raw portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service status="$(portablectl is-attached --extension app0_1 minimal_0)" [[ "${status}" == "running-runtime" ]] portablectl detach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_1.raw app0 rm -f /tmp/app0_1.0.raw portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1 systemctl is-active app1.service status="$(portablectl is-attached --extension app1 minimal_0)" [[ "${status}" == "running-runtime" ]] # Ensure that adding or removing a version to the image doesn't break reattaching cp /usr/share/app1.raw /tmp/app1_2.raw portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1_2.raw /usr/share/minimal_1.raw app1 systemctl is-active app1.service status="$(portablectl is-attached --extension app1_2 minimal_1)" [[ "${status}" == "running-runtime" ]] -- # after the service is attached before the file appears. 
grep -q -F bar "${STATE_DIRECTORY}/app0/foo" grep -q -F baz "${STATE_DIRECTORY}/app1/foo" # Ensure that we can override the check on extension-release.NAME cp /usr/share/app0.raw /tmp/app10.raw portablectl "${ARGS[@]}" attach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service status="$(portablectl is-attached --extension /tmp/app10.raw /usr/share/minimal_0.raw)" [[ "${status}" == "running-runtime" ]] portablectl inspect --force --cat --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /tmp/app10.raw" # Ensure that we can detach even when an image has been deleted already (stop the unit manually as # portablectl won't find it) rm -f /tmp/app10.raw systemctl stop app0.service portablectl detach --force --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 # portablectl also accepts confexts portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service -- portablectl detach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 # portablectl also works with directory paths rather than images mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc mount /usr/share/app0.raw /tmp/app0 mount /usr/share/app1.raw /tmp/app1 mount /usr/share/minimal_0.raw /tmp/rootdir # Fix up os-release to drop the valid PORTABLE_SERVICES field (because we are # bypassing the sysext logic in portabled here it will otherwise not see the # extensions additional valid prefix) grep -v "^PORTABLE_PREFIXES=" /tmp/rootdir/etc/os-release >/tmp/os-release-fix/etc/os-release mount -t overlay overlay -o lowerdir=/tmp/os-release-fix:/tmp/app1:/tmp/rootdir /tmp/overlay grep . /tmp/overlay/usr/lib/extension-release.d/* grep . 
/tmp/overlay/etc/os-release portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 -- [Unit] Description=App 1 EOF systemctl daemon-reload portablectl "${ARGS[@]}" attach --force --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 umount /tmp/overlay portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 systemctl is-active app0.service systemctl is-active app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/rootdir/usr/lib/os-release portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/extension-release.d/extension-release.app0 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/extension-release.d/extension-release.app2 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/systemd/system/app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/systemd/system/app0.service grep -q -F "LogExtraFields=PORTABLE=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_ROOT=rootdir" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf -- grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" 
/run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app1" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app_1" /run/systemd/system.attached/app1.service.d/20-portable.conf portablectl detach --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 # Attempt to disable the app unit during detaching. Requires --copy=symlink to reproduce. # Provides coverage for https://github.com/systemd/systemd/issues/23481 portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # attach and detach again to check if all drop-in configs are removed even if the main unit files are removed portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # The wrong file should be ignored, given the right one has the xattr set trap 'rm -rf /var/cache/wrongext' EXIT mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/ echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 portablectl "${ARGS[@]}" attach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 status="$(portablectl is-attached --extension wrongext rootdir)" [[ "${status}" == "attached-runtime" ]] portablectl detach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 umount /tmp/rootdir umount /tmp/app0 umount /tmp/app1 # Lack of ID field in os-release should be rejected, 
but it caused a crash in the past instead mkdir -p /tmp/emptyroot/usr/lib mkdir -p /tmp/emptyext/usr/lib/extension-release.d touch /tmp/emptyroot/usr/lib/os-release touch /tmp/emptyext/usr/lib/extension-release.d/extension-release.emptyext # Remote peer disconnected -> portabled crashed res="$(! portablectl attach --extension /tmp/emptyext /tmp/emptyroot 2> >(grep "Remote peer disconnected"))" test -z "${res}" touch /testok Found error in /usr/lib/systemd/tests/testdata/units/testsuite-24.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-24.sh at_exit() { set +e mountpoint -q /proc/cmdline && umount /proc/cmdline rm -f /etc/crypttab [[ -e /tmp/crypttab.bak ]] && cp -fv /tmp/crypttab.bak /etc/crypttab [[ -n "${STORE_LOOP:-}" ]] && losetup -d "$STORE_LOOP" [[ -n "${WORKDIR:-}" ]] && rm -rf "$WORKDIR" systemctl daemon-reload } -- cp "$IMAGE_DETACHED_KEYFILE2" /mnt/keyfile umount /mnt udevadm settle --timeout=30 # Prepare our test crypttab [[ -e /etc/crypttab ]] && cp -fv /etc/crypttab /tmp/crypttab.bak cat >/etc/crypttab </tmp/cmdline.tmp mount --bind /tmp/cmdline.tmp /proc/cmdline # Run the systemd-cryptsetup-generator once explicitly, to collect coverage, # as during daemon-reload we run generators in a sandbox mkdir -p /tmp/systemd-cryptsetup-generator.out /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /tmp/systemd-cryptsetup-generator.out/ systemctl daemon-reload systemctl list-unit-files "systemd-cryptsetup@*" cryptsetup_start_and_check empty_key test -e "$IMAGE_EMPTY_KEYFILE_ERASE" Found error in /usr/lib/systemd/tests/testdata/units/testsuite-23.ExecStopPost.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-23.ExecStopPost.sh (! 
systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \ -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false') test -f /run/exec2 cat >/tmp/forking1.sh </tmp/forking2.sh </tmp/notify1.sh </tmp/testsuite-23.counter if [ "$counter" -eq 5 ] ; then systemctl kill --kill-whom=main -sUSR1 testsuite-23.service fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-22.03.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-22.03.sh # # Basic tests for types creating/writing files set -eux set -o pipefail rm -fr /tmp/{f,F,w} mkdir /tmp/{f,F,w} touch /tmp/file-owned-by-root # # 'f' # systemd-tmpfiles --create - </tmp/F/truncated echo "This should be truncated" >/tmp/F/truncated-with-content systemd-tmpfiles --create - </tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) </tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) < fails. (! systemd-tmpfiles --create -) < /tmp/C/3/f1 systemd-tmpfiles --create - </tmp/test19-exit-cgroup.sh < sleep sleep infinity & -- (sleep 1; \$1) & # process tree: systemd -> bash -> sleep sleep infinity EOF chmod +x /tmp/test19-exit-cgroup.sh # service should be stopped cleanly systemd-run --wait \ --unit=one \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl stop one' # same thing with a truthy exec condition systemd-run --wait \ --unit=two \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=true" \ /tmp/test19-exit-cgroup.sh 'systemctl stop two' # false exec condition: systemd-run should exit immediately with status code: 1 (! systemd-run --wait \ --unit=three \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=false" \ /tmp/test19-exit-cgroup.sh) # service should exit uncleanly (main process exits with SIGKILL) (! 
systemd-run --wait \ --unit=four \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl kill --signal 9 four') # Multiple level process tree, parent process exits quickly cat >/tmp/test19-exit-cgroup-parentless.sh < sleep sleep infinity & -- systemd-notify --ready # Run the stop/kill command after this bash process exits (sleep 1; \$1) & EOF chmod +x /tmp/test19-exit-cgroup-parentless.sh # service should be stopped cleanly systemd-run --wait \ --unit=five \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl stop five' # service should still exit cleanly despite SIGKILL (the main process already exited cleanly) systemd-run --wait \ --unit=six \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl kill --signal 9 six' systemd-analyze log-level info Found error in /usr/lib/systemd/tests/testdata/units/testsuite-15.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-15.sh testcase_symlink_dropin_directory() { # For issue #21920. echo "Testing symlink drop-in directory..." 
create_services test15-a rmdir /{etc,run,usr/lib}/systemd/system/test15-a.service.d mkdir -p /tmp/testsuite-15-test15-a-dropin-directory ln -s /tmp/testsuite-15-test15-a-dropin-directory /etc/systemd/system/test15-a.service.d cat >/tmp/testsuite-15-test15-a-dropin-directory/override.conf </tmp/cred.path systemd-nspawn --directory="$root" \ --load-credential=cred.path:/tmp/cred.path \ --set-credential="cred.set:hello world" \ bash -xec '[[ "$(/tmp/bind systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/bind \ bash -c 'test -e /tmp/bind' rm -fr "$root" /tmp/bind } testcase_norbind() { # https://github.com/systemd/systemd/issues/13170 local root root="$(mktemp -d /var/lib/machines/testsuite-13.norbind-path.XXX)" mkdir -p /tmp/binddir/subdir echo -n "outer" >/tmp/binddir/subdir/file mount -t tmpfs tmpfs /tmp/binddir/subdir echo -n "inner" >/tmp/binddir/subdir/file create_dummy_container "$root" systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/binddir:/mnt:norbind \ bash -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; exit 1; fi' umount /tmp/binddir/subdir rm -fr "$root" /tmp/binddir/ } rootidmap_cleanup() { local dir="${1:?}" -- local root cmd permissions local owner=1000 root="$(mktemp -d /var/lib/machines/testsuite-13.rootidmap-path.XXX)" # Create ext4 image, as ext4 supports idmapped-mounts. mkdir -p /tmp/rootidmap/bind dd if=/dev/zero of=/tmp/rootidmap/ext4.img bs=4k count=2048 mkfs.ext4 /tmp/rootidmap/ext4.img mount /tmp/rootidmap/ext4.img /tmp/rootidmap/bind trap "rootidmap_cleanup /tmp/rootidmap/" RETURN touch /tmp/rootidmap/bind/file chown -R "$owner:$owner" /tmp/rootidmap/bind create_dummy_container "$root" cmd='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file' if ! 
SYSTEMD_LOG_TARGET=console \ systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/rootidmap/bind:/mnt:rootidmap \ bash -c "$cmd" |& tee nspawn.out; then if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then echo "idmapped mounts are not supported, skipping the test..." return 0 fi return 1 fi permissions=$(stat -c "%u:%g" /tmp/rootidmap/bind/other_file) if [[ $permissions != "$owner:$owner" ]]; then echo "*** wrong permissions: $permissions" [[ "$IS_USERNS_SUPPORTED" == "yes" ]] && return 1 fi } -- create_dummy_container "$root" entrypoint="$root/entrypoint.sh" cat >"$entrypoint" <<\EOF #!/usr/bin/bash -ex . /tmp/os-release [[ -n "${ID:-}" && "$ID" != "$container_host_id" ]] && exit 1 [[ -n "${VERSION_ID:-}" && "$VERSION_ID" != "$container_host_version_id" ]] && exit 1 [[ -n "${BUILD_ID:-}" && "$BUILD_ID" != "$container_host_build_id" ]] && exit 1 [[ -n "${VARIANT_ID:-}" && "$VARIANT_ID" != "$container_host_variant_id" ]] && exit 1 -- echo MARKER=1 >>/etc/os-release fi systemd-nspawn --register=no \ --directory="$root" \ --bind="$os_release_source:/tmp/os-release" \ "${entrypoint##"$root"}" if grep -q MARKER /etc/os-release; then ln -svrf /usr/lib/os-release /etc/os-release fi -- rm -fr "$root" } testcase_machinectl_bind() { local service_path service_name root container_name ec local cmd='for i in $(seq 1 20); do if test -f /tmp/marker; then exit 0; fi; sleep .5; done; exit 1;' root="$(mktemp -d /var/lib/machines/testsuite-13.machinectl-bind.XXX)" create_dummy_container "$root" container_name="$(basename "$root")" -- ExecStart=systemd-nspawn --directory="$root" --notify-ready=no /usr/bin/bash -xec "$cmd" EOF systemctl daemon-reload systemctl start "$service_name" touch /tmp/marker machinectl bind --mkdir "$container_name" /tmp/marker timeout 10 bash -c "while [[ '\$(systemctl show -P SubState $service_name)' == running ]]; do sleep .2; done" ec="$(systemctl show -P ExecMainStatus "$service_name")" systemctl stop 
"$service_name" -- mkdir -p /run/systemd/nspawn/ rm -f "/etc/systemd/nspawn/$container_name.nspawn" cat >"/run/systemd/nspawn/$container_name.nspawn" <"/var/lib/machines/$NSPAWN_FRAGMENT" </tmp/fragment.nspawn </tmp/test-mainpid.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- sleep infinity & disown echo $MAINPID >/run/mainpidsh/pid EOF chmod +x /tmp/test-mainpid.sh systemd-run --unit=test-mainpidsh.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh \ -p PIDFile=/run/mainpidsh/pid \ /tmp/test-mainpid.sh test "$(systemctl show -P MainPID test-mainpidsh.service)" -eq "$(cat /run/mainpidsh/pid)" cat >/tmp/test-mainpid2.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- disown echo $MAINPID >/run/mainpidsh2/pid chown 1001:1001 /run/mainpidsh2/pid EOF chmod +x /tmp/test-mainpid2.sh systemd-run --unit=test-mainpidsh2.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh2 \ -p PIDFile=/run/mainpidsh2/pid \ /tmp/test-mainpid2.sh test "$(systemctl show -P MainPID test-mainpidsh2.service)" -eq "$(cat /run/mainpidsh2/pid)" cat >/dev/shm/test-mainpid3.sh </tmp/output [[ $(wc -l /dev/null # -b always behaves like -b0 journalctl -q -b-1 -b0 | head -1 >/tmp/expected journalctl -q -b-1 -b | head -1 >/tmp/output diff /tmp/expected /tmp/output # ... even when another option follows (both of these should fail due to -m) { journalctl -ball -b0 -m 2>&1 || :; } | head -1 >/tmp/expected { journalctl -ball -b -m 2>&1 || :; } | head -1 >/tmp/output diff /tmp/expected /tmp/output # https://github.com/systemd/systemd/issues/13708 ID=$(systemd-id128 new) systemd-cat -t "$ID" bash -c 'echo parent; (echo child) & wait' & PID=$! wait $PID journalctl --sync # We can drop this grep when https://github.com/systemd/systemd/issues/13937 # has a fix. 
journalctl -b -o export -t "$ID" --output-fields=_PID | grep '^_PID=' >/tmp/output [[ $(wc -l /tmp/expected systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;' journalctl --sync journalctl -b -o cat -t "$ID" >/tmp/output diff /tmp/expected /tmp/output [[ $(journalctl -b -o cat -t "$ID" --output-fields=_TRANSPORT | grep -Pc "^stdout$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_LINE_BREAK | grep -Pc "^pid-change$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_PID | sort -u | grep -c "^.*$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=MESSAGE | grep -Pc "^(This will|usually fail|and be truncated)$") -eq 3 ]] -- systemctl start forever-print-hola sleep 3 systemctl restart systemd-journald sleep 3 systemctl stop forever-print-hola [[ ! -f "/tmp/i-lose-my-logs" ]] # https://github.com/systemd/systemd/issues/4408 rm -f /tmp/i-lose-my-logs systemctl start forever-print-hola sleep 3 systemctl kill --signal=SIGKILL systemd-journald sleep 3 [[ ! -f "/tmp/i-lose-my-logs" ]] systemctl stop forever-print-hola set +o pipefail # https://github.com/systemd/systemd/issues/15528 journalctl --follow --file=/var/log/journal/*/* | head -n1 | grep . # https://github.com/systemd/systemd/issues/24565 journalctl --follow --merge | head -n1 | grep . 
set -o pipefail # https://github.com/systemd/systemd/issues/26746 rm -f /tmp/issue-26746-log /tmp/issue-26746-cursor ID="$(systemd-id128 new)" journalctl -t "$ID" --follow --cursor-file=/tmp/issue-26746-cursor | tee /tmp/issue-26746-log & systemd-cat -t "$ID" /bin/sh -c 'echo hogehoge' # shellcheck disable=SC2016 timeout 10 bash -c 'until [[ -f /tmp/issue-26746-log && "$(cat /tmp/issue-26746-log)" =~ hogehoge ]]; do sleep .5; done' pkill -TERM journalctl timeout 10 bash -c 'until test -f /tmp/issue-26746-cursor; do sleep .5; done' CURSOR_FROM_FILE="$(cat /tmp/issue-26746-cursor)" CURSOR_FROM_JOURNAL="$(journalctl -t "$ID" --output=export MESSAGE=hogehoge | sed -n -e '/__CURSOR=/ { s/__CURSOR=//; p }')" test "$CURSOR_FROM_FILE" = "$CURSOR_FROM_JOURNAL" # Check that the seqnum field at least superficially works systemd-cat echo "ya" -- while read -r file; do filename="${file##*/}" unzstd "$file" -o "$JOURNAL_DIR/${filename%*.zst}" done < <(find /test-journals/no-rtc -name "*.zst") journalctl --directory="$JOURNAL_DIR" --list-boots --output=json >/tmp/lb1 diff -u /tmp/lb1 - <<'EOF' [{"index":-3,"boot_id":"5ea5fc4f82a14186b5332a788ef9435e","first_entry":1666569600994371,"last_entry":1666584266223608},{"index":-2,"boot_id":"bea6864f21ad4c9594c04a99d89948b0","first_entry":1666569601005945,"last_entry":1666584347230411},{"index":-1,"boot_id":"4c708e1fd0744336be16f3931aa861fb","first_entry":1666569601017222,"last_entry":1666584354649355},{"index":0,"boot_id":"35e8501129134edd9df5267c49f744a4","first_entry":1666569601009823,"last_entry":1666584438086856}] EOF rm -rf "$JOURNAL_DIR" /tmp/lb1 # v255-only: skip the following test case, as it suffers from systemd/systemd#30886 exit 0 # Check that using --after-cursor/--cursor-file= together with journal filters doesn't Found error in /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-remote.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-remote.sh # Generate a self-signed certificate 
for systemd-journal-remote # # Note: older OpenSSL requires a config file with some extra options, unfortunately # Note2: /run here is used on purpose, since the systemd-journal-remote service uses PrivateTmp=yes mkdir -p /run/systemd/journal-remote-tls cat >/tmp/openssl.conf </tmp/openssl.conf < /tmp/syncfifo1 } export SYSTEMD_LOG_LEVEL=debug echo "toplevel PID: $BASHPID";
fail unit-1.32.1-alt1.x86_64 Found error in /usr/bin/unitc: $ grep -A5 -B5 /tmp/ /usr/bin/unitc exit 1 fi # Read the significant unitd conifuration from cache file (or create it) # if [ -r /tmp/${0##*/}.$PID.env ]; then source /tmp/${0##*/}.$PID.env else # Check we have all the tools we will need (that we didn't already use) # MISSING=$(hash curl tr cut sed tail sleep 2>&1 | cut -f4 -d: | tr -d '\n') if [ "$MISSING" != "" ]; then -- ERROR_LOG=/dev/null fi # Cache the discovery for this unit PID (and cleanup any old files) # rm -f /tmp/${0##*/}.* 2> /dev/null echo UNIT_CTRL=\"${UNIT_CTRL}\" > /tmp/${0##*/}.$PID.env echo ERROR_LOG=${ERROR_LOG} >> /tmp/${0##*/}.$PID.env fi fi # Choose presentation style # -- # Adjust HTTP method and curl params based on presence of stdin payload # if [ -t 0 ] && [ ${#CONF_FILES[@]} -eq 0 ]; then if [ "$METHOD" = "DELETE" ]; then $RPC_CMD curl -X $METHOD $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT elif [ "$METHOD" = "EDIT" ]; then EDITOR=$(test "$EDITOR" && printf '%s' "$EDITOR" || command -v editor || command -v vim || echo vi) EDIT_FILENAME=/tmp/${0##*/}.$$${URI//\//_} $RPC_CMD curl -fsS $UNIT_CTRL$URI > $EDIT_FILENAME || exit 2 if [ "${URI:0:12}" = "/js_modules/" ]; then if !
hash jq 2> /dev/null; then echo "${0##*/}: ERROR: jq(1) is required to edit JavaScript modules; install at " exit 1 fi jq -r < $EDIT_FILENAME > $EDIT_FILENAME.js # Unescape linebreaks for a better editing experience EDIT_FILE=$EDIT_FILENAME.js $EDITOR $EDIT_FILENAME.js || exit 2 # Remove the references, delete old config, push new config+reference $RPC_CMD curl -fsS $UNIT_CTRL/config/settings/js_module > /tmp/${0##*/}.$$_js_module && \ $RPC_CMD curl -X DELETE $UNIT_CTRL/config/settings/js_module && \ $RPC_CMD curl -fsSX DELETE $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ && \ printf "%s" "$(< $EDIT_FILENAME.js)" | $RPC_CMD curl -fX PUT --data-binary @- $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ && \ cat /tmp/${0##*/}.$$_js_module | $RPC_CMD curl -X PUT --data-binary @- $UNIT_CTRL/config/settings/js_module 2> /tmp/${0##*/}.$$ elif [ $CONVERT -eq 1 ]; then $CONVERT_FROM_JSON < $EDIT_FILENAME > $EDIT_FILENAME.yaml $EDITOR $EDIT_FILENAME.yaml || exit 2 $CONVERT_TO_JSON < $EDIT_FILENAME.yaml | $RPC_CMD curl -X PUT --data-binary @- $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT else tr -d '\r' < $EDIT_FILENAME > $EDIT_FILENAME.json # Remove carriage-return from newlines $EDITOR $EDIT_FILENAME.json || exit 2 cat $EDIT_FILENAME.json | $RPC_CMD curl -X PUT --data-binary @- $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT fi else SHOW_LOG=$(echo $URI | grep -c ^/control/) $RPC_CMD curl $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT fi else if [ "$METHOD" = "INSERT" ]; then if ! hash jq 2> /dev/null; then echo "${0##*/}: ERROR: jq(1) is required to use the INSERT method; install at " -- fi NEW_ELEMENT=$(cat ${CONF_FILES[@]}) echo $NEW_ELEMENT | jq > /dev/null || exit $? # Test the input is valid JSON before proceeding OLD_ARRAY=$($RPC_CMD curl -s $UNIT_CTRL$URI) if [ "$(echo $OLD_ARRAY | jq -r type)" = "array" ]; then echo $OLD_ARRAY | jq ". |= [$NEW_ELEMENT] + ." 
| $RPC_CMD curl -X PUT --data-binary @- $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT else echo "${0##*/}: ERROR: the INSERT method expects an array" exit 3 fi else if [ $CONVERT -eq 1 ]; then cat ${CONF_FILES[@]} | $CONVERT_TO_JSON > /tmp/${0##*/}.$$_json CONF_FILES=(/tmp/${0##*/}.$$_json) fi cat ${CONF_FILES[@]} | $RPC_CMD curl -X $METHOD --data-binary @- $UNIT_CTRL$URI 2> /tmp/${0##*/}.$$ | $OUTPUT fi fi CURL_STATUS=${PIPESTATUS[0]} if [ $CURL_STATUS -ne 0 ]; then echo "${0##*/}: ERROR: curl(1) exited with an error ($CURL_STATUS)" if [ $CURL_STATUS -eq 7 ] && [ $REMOTE -eq 0 ]; then echo "${0##*/}: Check that you have permission to access the Unit control socket, or try again with sudo(8)" else echo "${0##*/}: Trying to access $UNIT_CTRL$URI" cat /tmp/${0##*/}.$$ && rm -f /tmp/${0##*/}.$$ fi exit 4 fi rm -f /tmp/${0##*/}.$$* 2> /dev/null if [ $SHOW_LOG -gt 0 ] && [ $NOLOG -eq 0 ] && [ $QUIET -eq 0 ]; then echo -n "${0##*/}: Waiting for log..." sleep $SHOW_LOG echo "";
fail vlc-mini-3.0.20-alt1.x86_64 Found error in /usr/share/vlc/utils/video-vlc-default.sh: $ grep -A5 -B5 /tmp/ /usr/share/vlc/utils/video-vlc-default.sh MIME_FILE=~/.local/share/applications/defaults.list if [ ! -f $MIME_FILE ] then echo "[Default Applications]" > $MIME_FILE else grep -v 'video/' $MIME_FILE > /tmp/vlc.defaults.list.tmp mv /tmp/vlc.defaults.list.tmp $MIME_FILE fi ls /usr/share/mime/video/* | sed -e 's@/usr/share/mime/@@' -e 's/\.xml/=vlc.desktop/' >> $MIME_FILE Found error in /usr/share/vlc/utils/audio-vlc-default.sh: $ grep -A5 -B5 /tmp/ /usr/share/vlc/utils/audio-vlc-default.sh MIME_FILE=~/.local/share/applications/defaults.list if [ ! -f $MIME_FILE ] then echo "[Default Applications]" > $MIME_FILE else grep -v 'audio/' $MIME_FILE > /tmp/vlc.defaults.list.tmp mv /tmp/vlc.defaults.list.tmp $MIME_FILE fi ls /usr/share/mime/audio/* | sed -e 's@/usr/share/mime/@@' -e 's/\.xml/=vlc.desktop/' >> $MIME_FILE;
fail volumes-profile-alt-server-v-1.1-alt1.noarch Found error in /usr/share/install2/initinstall.d/10-vm-profile.sh: $ grep -A5 -B5 /tmp/ /usr/share/install2/initinstall.d/10-vm-profile.sh #!/bin/sh # see also http://www.altlinux.org/Autoinstall message() { echo "vm-profile: $*" >>/tmp/vm-profile.log; } ROOT_MIN=7 # In Gb VAR_MIN=1 # In Gb mem="$(sed -n '/^MemTotal/s/[^0-9]//gp' /proc/meminfo)" # in kB;
fail xfstests-2023.05.28-alt1.x86_64 Found error in /usr/lib/xfstests/tests/generic/722: $ grep -A5 -B5 /tmp/ /usr/lib/xfstests/tests/generic/722 old_a=$(md5sum $SCRATCH_MNT/a | awk '{print $1}') old_b=$(md5sum $SCRATCH_MNT/b | awk '{print $1}') echo "md5 a: $old_a md5 b: $old_b" >> $seqres.full od -tx1 -Ad -c $SCRATCH_MNT/a > /tmp/a0 od -tx1 -Ad -c $SCRATCH_MNT/b > /tmp/b0 echo swap >> $seqres.full $XFS_IO_PROG -c "swapext -v vfs -a -e -f -u $SCRATCH_MNT/a" $SCRATCH_MNT/b _scratch_shutdown _scratch_cycle_mount -- echo "md5 a: $new_a md5 b: $new_b" >> $seqres.full test $old_a = $new_b || echo "scratch file B doesn't match old file A" test $old_b = $new_a || echo "scratch file A doesn't match old file B" od -tx1 -Ad -c $SCRATCH_MNT/a > /tmp/a1 od -tx1 -Ad -c $SCRATCH_MNT/b > /tmp/b1 # success, all done echo Silence is golden status=0 exit Found error in /usr/lib/xfstests/tests/btrfs/005: $ grep -A5 -B5 /tmp/ /usr/lib/xfstests/tests/btrfs/005 for i in `seq $cnt -1 0`; do dd if=/dev/zero of=$tmpfile bs=4k count=1 \ conv=notrunc seek=$i oflag=sync &>/dev/null done # get md5sum md5sum $tmpfile > /tmp/checksum } _btrfs_online_defrag() { str="" -- fi } _checksum() { md5sum -c /tmp/checksum > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "md5 checksum failed!" fi };
info bash3-examples-3.2.57-alt5.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/share/doc/bash3-3.2.57/examples/scripts/bcsh.sh:
$ grep -A5 -B5 /tmp/ /usr/share/doc/bash3-3.2.57/examples/scripts/bcsh.sh
;;
esac
trap ':' 2
trap exit 3
trap "tail -n $savehist $histfile>/tmp/hist$$;uniq /tmp/hist$$ > $histfile;\
rm -f /tmp/*$$;exit 0" 15
getcmd=yes
mailcheck=
exclaim=
echoit=
--
while test "$line" != "end"; do
echo $n "$PS2$c"
read line
cmd="${cmd};$line"
done
echo "$cmd" > /tmp/bcsh$$
ed - /tmp/bcsh$$ << ++++
s/end/done/
s/foreach[ ]\(.*\)(/for \1 in /
s/)//
s/;/;do /
w
--
line=done
;;
esac
cmd="${cmd};$line"
done
echo "$cmd" > /tmp/bcsh$$
;;
if[\ \ ]*)
while test "$line" != "fi" && test "$line" != "endif"
do
echo $n "$PS2$c"
--
line=fi
;;
esac
cmd="${cmd};$line"
done
echo "$cmd" > /tmp/bcsh$$
case "`grep then /tmp/bcsh$$`" in
"")
# fix 'if foo bar' cases
ed - /tmp/bcsh$$ << ++++
s/)/);then/
s/.*/;fi/
w
++++
;;
--
echo $n "$PS2$c"
read line
cmd="${cmd}@$line"
done
cmd="`echo \"$cmd\" | tr '@' ' '`"
echo "$cmd" > /tmp/bcsh$$
;;
switch[\ \ ]*)
while test "$line" != "endsw"
do
echo $n "$PS2$c"
read line
cmd="${cmd}@$line"
done
echo "$cmd" > /tmp/bcsh$$
ed - /tmp/bcsh$$ << '++++'
1,$s/@/\
/g
g/switch.*(/s//case "/
s/)/" in/
1,$s/case[ ]\(.*\):$/;;\
--
g/breaksw/s///
1,$s/default.*/;;\
*)/
w
++++
cmd="`cat /tmp/bcsh$$`"
;;
*!*)
hist=yes
;;
esac
--
echoit=yes
getcmd=no
continue
;;
*~e)
echo "$cmd" | sed -e "s@~e@@" > /tmp/bcsh$$
$EDITOR /tmp/bcsh$$
cmd="`cat /tmp/bcsh$$`"
getcmd=no
continue
;;
*~v)
echo "$cmd" | sed -e "s@~v@@" > /tmp/bcsh$$
echo "$lastcmd" > /tmp/bcsh$$
$VISUAL /tmp/bcsh$$
cmd="`cat /tmp/bcsh$$`"
getcmd=no
continue
;;
exec[\ \ ]*)
tail -n $savehist $histfile>/tmp/hist$$
uniq /tmp/hist$$ > $histfile
rm -f /tmp/*$$
echo $cmd > /tmp/cmd$$
. /tmp/cmd$$
;;
login[\ \ ]*|newgrp[\ \ ]*)
tail -n $savehist $histfile>/tmp/hist$$
uniq /tmp/hist$$ > $histfile
rm -f /tmp/*$$
echo $cmd > /tmp/cmd$$
. /tmp/cmd$$
;;
logout|exit|bye)
if test -s "$logoutfile"
then
# sh $logoutfile
$SHELL $logoutfile
fi
tail -n $savehist $histfile > /tmp/hist$$
uniq /tmp/hist$$ > $histfile
rm -f /tmp/*$$
exit 0
;;
h|history)
grep -n . $histfile | tail -n $history | sed -e 's@:@ @' | $PAGER
continue
--
continue
;;
source[\ \ ]*)
set - $cmd
shift
echo . $* > /tmp/cmd$$
. /tmp/cmd$$
run=no
;;
wait)
wait
run=no
;;
.[\ \ ]*)
echo $cmd > /tmp/cmd$$
. /tmp/cmd$$
run=no
;;
cd|cd[\ \ ]*)
# check if it will work first, or else this shell will terminate
# if the cd dies. If you have a built-in test, you might want
# to replace the try-it-and-see below with a couple of tests,
# but it is probably just as fast like this.
echo $cmd > /tmp/cmd$$
if ($SHELL /tmp/cmd$$) ; then
. /tmp/cmd$$
fi
run=no
;;
awk[\ \ ]*|dd[\ \ ]*|cc[\ \ ]*|make[\ \ ]*)
# these are the only commands I can think of whose syntax
# includes an equals sign. Add others as you find them.
echo "$cmd" > /tmp/bcsh$$
;;
setenv*|*=*)
# handle setting shell variables, turning cshell syntax to Bourne
# syntax -- note all variables must be exported or they will not
# be usable in other commands
echo "$cmd" > /tmp/cmd$$
ed - /tmp/cmd$$ << ++++
g/^setenv[ ]/s/[ ]/@/
g/^setenv@/s/[ ]/=/
g/^setenv@/s///
g/^set/s///
.t.
\$s/=.*//
s/^/export /
w
++++
. /tmp/cmd$$
rm -f /tmp/cmd$$
run=no
;;
unset[\ \ ]*|umask[\ \ ]*|export[\ \ ]*|set[\ \ ]*)
# handle commands which twiddle current environment
--
continue
;;
esac
;;
*)
echo "$cmd" > /tmp/bcsh$$
;;
esac
;;
no)
echo "$cmd" > /tmp/bcsh$$
;;
esac
;;
esac
--
;;
*)
case "$exclaim" in
yes)
cmd="`echo \"$cmd\" | sed -e 's@REALEXCLAMATIONMARK@!@g'`"
echo "$cmd" > /tmp/bcsh$$
;;
esac
case "$echoit" in
yes)
echo $cmd
--
yes)
case "${noclobber+yes}" in
yes)
case "$cmd" in
*\>![\ \ ]*)
ed - /tmp/bcsh$$ << ++++
g/>!/s//>/
w
++++
;;
*\>\>*)
--
read answer
case "$answer" in
y*)
;;
*)
echo ':' > /tmp/bcsh$$
;;
esac
;;
*)
echo "${outfile}: file exists"
echo ':' > /tmp/bcsh$$
;;
esac
fi
;;
esac
--
esac
;;
*)
case "$cmd" in
*\>![\ \ ]*)
ed - /tmp/bcsh$$ << ++++
g/>!/s//>/g
w
++++
;;
esac
;;
esac
(trap 'exit 1' 2 3; $BASH /tmp/bcsh$$)
;;
esac
case "$cmd" in
$lastcmd)
;;

Found error in /usr/share/doc/bash3-3.2.57/examples/misc/cshtobash:
$ grep -A5 -B5 /tmp/ /usr/share/doc/bash3-3.2.57/examples/misc/cshtobash
# zsh-3.0.
#
# Chet Ramey
# chet@po.cwru.edu
#
trap 'rm -f /tmp/cb$$.? cshout cshin' 0 1 2 3 6 15
T=$'\t'
SOURCE="${1:+source $1}"
cat << EOF >cshin
$SOURCE
alias >! /tmp/cb$$.a
setenv >! /tmp/cb$$.e
set >! /tmp/cb$$.v
EOF
# give csh a minimal environment, similar to what login would provide
/usr/bin/env - USER=$USER HOME=$HOME PATH=/usr/bin:/bin:/usr/ucb:. TERM=$TERM SHELL=$SHELL /bin/csh -i < ./cshin > cshout 2>&1
# First convert aliases
cat << \EOF >/tmp/cb$$.1
mkalias ()
{
case $2 in
'') echo alias ${1}="''" ;;
*[#\!]*)
--
*) echo alias ${1}=\'$(echo "${2}" | sed "s:':'\\\\'':")\' ;;
esac
}
EOF
sed "s/^\([a-zA-Z0-9_]*\)$T\(.*\)$/mkalias \1 '\2'/" < /tmp/cb$$.a >>/tmp/cb$$.1
echo '# csh aliases'
echo
$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
-e 's/\$term/\$TERM/g' \
-e 's/\$home/\$HOME/g' \
-e 's/\$user/\$USER/g' \
-e 's/\$prompt/\$PS1/g'
--
# Would be nice to deal with embedded newlines, e.g. in TERMCAP, but ...
sed -e '/^SHLVL/d' \
-e '/^PWD/d' \
-e "s/'/'"\\\\"''"/g \
-e "s/^\([A-Za-z0-9_]*=\)/export \1'/" \
-e "s/$/'/" < /tmp/cb$$.e
# Finally, convert local variables
echo
echo '# csh variables'
echo
--
sed -e 's/'"$T"'/=/' \
-e "s/'/'"\\\\"''"/g \
-e '/^[A-Za-z0-9_]*=[^(]/{
s/=/='"'/"'
s/$/'"'/"'
}' < /tmp/cb$$.v |
sed -e '/^argv=/d' -e '/^cwd=/d' -e '/^filec=/d' -e '/^status=/d' \
-e '/^verbose=/d' \
-e '/^term=/d' \
-e '/^home=/d' \
-e '/^path=/d' \
--
# now some special csh variables converted to bash equivalents
echo
echo '# special csh variables converted to bash equivalents'
echo
sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
grep "^cdpath=" |
sed 's/(//
s/ /:/g
s/)//
s/cdpath=/CDPATH=/'
sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
grep "^mail=" |
sed 's/(//
s/ /:/g
s/)//
s/mail=/MAILPATH=/' |

Found error in /usr/share/doc/bash3-3.2.57/examples/misc/aliasconv.sh:
$ grep -A5 -B5 /tmp/ /usr/share/doc/bash3-3.2.57/examples/misc/aliasconv.sh
# usage: aliasconv.sh
#
# Chet Ramey
# chet@po.cwru.edu
#
trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
T=' '
cat << \EOF >/tmp/cb$$.1
mkalias ()
{
case $2 in
'') echo alias ${1}="''" ;;
*[#\!]*)
--
# the first thing we want to do is to protect single quotes in the alias,
# since they whole thing is going to be surrounded by single quotes when
# passed to mkalias
sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>/tmp/cb$$.1
sh /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
-e 's/\$term/\$TERM/g' \
-e 's/\$home/\$HOME/g' \
-e 's/\$user/\$USER/g' \
-e 's/\$prompt/\$PS1/g'

Found error in /usr/share/doc/bash3-3.2.57/examples/misc/aliasconv.bash:
$ grep -A5 -B5 /tmp/ /usr/share/doc/bash3-3.2.57/examples/misc/aliasconv.bash
# usage: aliasconv.bash
#
# Chet Ramey
# chet@po.cwru.edu
#
trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
T=$'\t'
cat << \EOF >/tmp/cb$$.1
mkalias ()
{
case $2 in
'') echo alias ${1}="''" ;;
*[#\!]*)
--
# the first thing we want to do is to protect single quotes in the alias,
# since they whole thing is going to be surrounded by single quotes when
# passed to mkalias
sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>/tmp/cb$$.1
$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
-e 's/\$term/\$TERM/g' \
-e 's/\$home/\$HOME/g' \
-e 's/\$user/\$USER/g' \
-e 's/\$prompt/\$PS1/g';
info menu-2.1.41-alt24.x86_64
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/share/doc/menu-2.1.41/examples/cat:
$ grep -A5 -B5 /tmp/ /usr/share/doc/menu-2.1.41/examples/cat
#!/bin/sh
cat > /tmp/menu-stdin
exit 0
#In the good old days of menu-0 compatibility, one had to use:
--
# #This file can be very usefull when you want to run one particular
# #menu-method file several times, without running any of the others.
# #In order to do so, do:
# # - cp ./cat /etc/menu-methods/
# # - run update-menus so that the "cat" menu-method gets executed.
# # Now you've got /tmp/menu-stdin.
# # - With this file, you don't need update-menus at all any more, and you
# # can symply run your hand-written "menu-test" menu-method by typing:
# # ./menu-test < /tmp/menu-stdin
# #
# # The advantage of doing this is
# # - none of the other menu-method files get excecuted (speedup)
# # - update-menus doesn't need to open some hundred menu-entry files
# # every time you test a change in your menu-method file.
# # (speedup)
# compat="menu-1"
# command="cat > /tmp/menu-stdin";
info python3-module-dialog-3.4.0-alt2.noarch
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
Found error in /usr/share/doc/python3-module-dialog-3.4.0/examples/with-autowidgetsize/demo.py:
$ grep -A5 -B5 /tmp/ /usr/share/doc/python3-module-dialog-3.4.0/examples/with-autowidgetsize/demo.py
easily append data. With the {widget} widget, you can see the data stream \
flow in real time.
To create a FIFO, you can use the commmand mkfifo(1), like this:
% mkfifo /tmp/my_shiny_new_fifo
Then, you can cat(1) data to the FIFO like this:
% cat >>/tmp/my_shiny_new_fifo
First line of text
Second line of text
...
You can end the input to cat(1) by typing Ctrl-D at the beginning of a \

Found error in /usr/share/doc/python3-module-dialog-3.4.0/examples/demo.py:
$ grep -A5 -B5 /tmp/ /usr/share/doc/python3-module-dialog-3.4.0/examples/demo.py
easily append data. With the {widget} widget, you can see the data stream \
flow in real time.
To create a FIFO, you can use the commmand mkfifo(1), like this:
% mkfifo /tmp/my_shiny_new_fifo
Then, you can cat(1) data to the FIFO like this:
% cat >>/tmp/my_shiny_new_fifo
First line of text
Second line of text
...
You can end the input to cat(1) by typing Ctrl-D at the beginning of a \;