rpm/gswrap
SHA256
1
0
Fork 0
forked from pool/gswrap
Code Pull Requests Activity

Accepting request 925405 from Printing

Browse Source 
- Quote all variable which might include space 

- Allow spaces in path, file, and user names
  as well as check if all used programs are found.

OBS-URL: https://build.opensuse.org/request/show/925405
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gswrap?expand=0&rev=7
This commit is contained in:
Dominique Leuenberger 2021-10-15 21:04:13 +00:00 committed by Git OBS Bridge
commit e9f740dd41
2 changed files with 125 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

173
gswrap
View File

@ -27,17 +27,24 @@
ghostscript=@@GS@@ ghostscript=@@GS@@
for prog in fuser realpath
do
type $prog >& /dev/null && continue
echo "GS: No $prog found in path" 1>&2
exit 1
done
user=nobody user=nobody
home=/home/$user home="/home/$user"
uid=$(id -u $user) uid=$(id -u "$user")
gid=$(id -g $user) gid=$(id -g "$user")
lock=$(mktemp "${TMPDIR:-/tmp}/.gswrap-XXXXXXXXXX") || exit 1 lock=$(mktemp "${TMPDIR:-/tmp}/.gswrap-XXXXXXXXXX") || exit 1
unlock () unlock ()
{ {
test -e $lock || return test -e "$lock" || return
fuser -TERM $lock fuser -TERM "$loc"
rm -f $lock rm -f "$lock"
} }
finish () finish ()
@ -65,34 +72,38 @@ trap 'unlock' EXIT SIGINT SIGHUP
typeset -i safer=0 typeset -i safer=0
typeset pipecmd="" typeset pipecmd=""
typeset -i pipepos typeset -i pipepos
typeset -a opts typeset -a opts=()
typeset -i o=0 typeset -i o=0
for lib in $(ldd $ghostscript | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p') for lib in $(ldd $ghostscript | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p')
do do
opts[o++]="--ro-bind $lib $lib" opts[o++]=--ro-bind
opts[o++]="$lib"
opts[o++]="$lib"
done done
for dir in /lib/tls /lib64/tls /lib64/x86_64 /usr/lib/ghostscript /usr/lib64/ghostscript /etc/ghostscript for dir in /lib/tls /lib64/tls /lib64/x86_64 /usr/lib/ghostscript /usr/lib64/ghostscript /etc/ghostscript
do do
test -d "$dir" || continue test -d "$dir" || continue
opts[o++]="--ro-bind $dir $dir" opts[o++]=--ro-bind
opts[o++]="$dir"
opts[o++]="$dir"
done done
typeset -i argc=0 typeset -i c=0 argc=${#argv[@]}
typeset -a argv=("$@") typeset -a argv=("$@")
for ((argc=0; argc < ${#argv[@]}; argc++)) for ((c=0; c < argc; c++))
do do
arg="${argv[argc]}" arg="${argv[c]}"
case "$arg" in case "$arg" in
-dSAFER) -dSAFER)
let safer++ let safer++
;; ;;
-o) -o)
if ((argc+1 >= ${#argv[@]})) if ((c+1 >= argc))
then then
echo "GS: found -o without argument" 1>&2 echo "GS: found -o without argument" 1>&2
exit 1 exit 1
else else
unset argv[argc] unset argv[c]
argv[argc+1]=-sOutputFile=${argv[argc+1]} argv[c+1]=-sOutputFile="${argv[c+1]}"
fi fi
;; ;;
-sOutputFile=*) -sOutputFile=*)
@ -100,8 +111,8 @@ do
%stdout%|%stderr%|%stdout|%stderr|-|"") %stdout%|%stderr%|%stdout|%stderr|-|"")
continue ;; continue ;;
%pipe%*) %pipe%*)
pipecmd=${arg#-sOutputFile=%pipe%} pipecmd="${arg#-sOutputFile=%pipe%}"
let pipepos=argc let pipepos=c
;; ;;
esac esac
file="${arg#-sOutputFile=}" file="${arg#-sOutputFile=}"
@ -117,19 +128,24 @@ do
echo "GS: only /dev/null or /dev/zero allowed" 1>&2 echo "GS: only /dev/null or /dev/zero allowed" 1>&2
exit 1 exit 1
fi fi
opts[o++]="--dir $home/out" opts[o++]=--dir
opts[o++]="$home/out"
elif test -n "$dir" -a -d "$dir" elif test -n "$dir" -a -d "$dir"
then then
tmp=$(mktemp -d "$dir/.gswrap-XXXXXXXXXX") || exit 1 tmp=$(mktemp -d "$dir/.gswrap-XXXXXXXXXX") || exit 1
trap "finish '$dir' '$tmp'" ERR EXIT SIGINT SIGHUP trap "finish '$dir' '$tmp'" ERR EXIT SIGINT SIGHUP
opts[o++]="--bind ${tmp+"$tmp"} $home/out" opts[o++]=--bind
opts[o++]="${tmp+"$tmp"}"
opts[o++]="$home/out"
else else
tmp=$(mktemp -d "$PWD/.gswrap-XXXXXXXXXX") || exit 1 tmp=$(mktemp -d "$PWD/.gswrap-XXXXXXXXXX") || exit 1
trap "finish '$PWD' '$tmp'" ERR EXIT SIGINT SIGHUP trap "finish '$PWD' '$tmp'" ERR EXIT SIGINT SIGHUP
opts[o++]="--bind ${tmp+"$tmp"} $home/out" opts[o++]=--bind
opts[o++]="${tmp+"$tmp"}"
opts[o++]="$home/out"
fi fi
fi fi
argv[argc]="-sOutputFile=$home/out/${file}" argv[c]="-sOutputFile=$home/out/${file}"
continue continue
;; ;;
-sDEVICE=*) -sDEVICE=*)
@ -143,7 +159,9 @@ do
continue continue
;; ;;
@*) @*)
opts[o++]="--ro-bind ${arg#@} $home/${arg#@}" opts[o++]=--ro-bind
opts[o++]="${arg#@}"
opts[o++]="$home/${arg#@}"
continue continue
;; ;;
-*) -*)
@ -153,14 +171,18 @@ do
test -e "$arg" || continue test -e "$arg" || continue
if test "${arg##*/}" = "$arg" if test "${arg##*/}" = "$arg"
then then
opts[o++]="--ro-bind $arg $home/$arg" opts[o++]=--ro-bind
opts[o++]="$arg"
opts[o++]="$home/$arg"
else else
arg="$(realpath $arg)" || exit 1 arg="$(realpath "$arg")" || exit 1
argv[argc]="$arg" argv[c]="$arg"
test "$arg" != / || continue test "$arg" != / || continue
test "$arg" != /home || continue test "$arg" != /home || continue
test "$arg" != $home || continue test "$arg" != $home || continue
opts[o++]="--ro-bind $arg $arg" opts[o++]=--ro-bind
opts[o++]="$arg"
opts[o++]="$arg"
fi fi
done done
# If no -dSAFER then execute the orignal ghostscript program now # If no -dSAFER then execute the orignal ghostscript program now
@ -170,25 +192,33 @@ then
fi fi
if test -n "$pipecmd" if test -n "$pipecmd"
then then
mkfifo -m 666 ${tmp}/fd mkfifo -m 666 "${tmp}/fd"
fd=${tmp}/fd fd="${tmp}/fd"
exec $pipecmd < $fd & exec "$pipecmd" < $fd &
argv[pipepos]="-sOutputFile=$home/fifo" argv[pipepos]="-sOutputFile=$home/fifo"
opts[o++]="--bind $fd $home/fifo" opts[o++]=--bind
opts[o++]="$fd"
opts[o++]="$home/fifo"
fi fi
# User might have some own font configurations as well # User might have some own font configurations as well
if test -d /var/cache/fontconfig if test -d /var/cache/fontconfig
then then
opts[o++]="--ro-bind /var/cache/fontconfig /var/cache/fontconfig" opts[o++]=--ro-bind
opts[o++]="/var/cache/fontconfig"
opts[o++]="/var/cache/fontconfig"
fi fi
if test -s "$HOME/.fonts.conf" if test -s "$HOME/.fonts.conf"
then then
opts[o++]="--ro-bind ${HOME+"$HOME"}/.fonts.conf $home/.fonts.conf" opts[o++]=--ro-bind
opts[o++]="${HOME+"$HOME"}/.fonts.conf"
opts[o++]="$home/.fonts.conf"
fi fi
for dir in "$HOME/.fontconfig" "$HOME/.config/fontconfig" "$HOME/.cache/fontconfig" for dir in "$HOME/.fontconfig" "$HOME/.config/fontconfig" "$HOME/.cache/fontconfig"
do do
test -d "$dir" || continue test -d "$dir" || continue
opts[o++]="--ro-bind $dir ${home}${dir#$HOME}" opts[o++]=--ro-bind
opts[o++]="$dir"
opts[o++]="${home}${dir#$HOME}"
done done
# Display # Display
if test -n "$DISPLAY" if test -n "$DISPLAY"
@ -205,7 +235,9 @@ then
case "${opts[@]}" in case "${opts[@]}" in
*[:blank:]${lib}[:blank:]*) continue ;; *[:blank:]${lib}[:blank:]*) continue ;;
esac esac
opts[o++]="--ro-bind $lib $lib" opts[o++]=--ro-bind
opts[o++]="$lib"
opts[o++]="$lib"
done done
done done
done done
@ -213,39 +245,58 @@ then
for x11 in /tmp/.X11-unix for x11 in /tmp/.X11-unix
do do
test -e "${x11}" || continue test -e "${x11}" || continue
opts[o++]="--ro-bind ${x11} ${x11}" opts[o++]=--ro-bind
opts[o++]="${x11}"
opts[o++]="${x11}"
done done
opts[o++]="--ro-bind ${XAUTHORITY+"$XAUTHORITY"} $home/.Xauthority" opts[o++]=--ro-bind
opts[o++]="--setenv XAUTHORITY $home/.Xauthority" opts[o++]="${XAUTHORITY+"$XAUTHORITY"}"
opts[o++]="--setenv DISPLAY ${DISPLAY+"$DISPLAY"}" opts[o++]="$home/.Xauthority"
opts[o++]=--setenv
opts[o++]=XAUTHORITY
opts[o++]="$home/.Xauthority"
opts[o++]=--setenv
opts[o++]=DISPLAY
opts[o++]="${DISPLAY+"$DISPLAY"}"
if test -n "${DISPLAY%:*}" if test -n "${DISPLAY%:*}"
then then
# For display over e.g. local network as with slogin -X skip --unshare-net # For display over e.g. local network as with slogin -X skip --unshare-net
# and allow hostname resolution via running nscd (that is nscd should be up) # and allow hostname resolution via running nscd (that is nscd should be up)
opts[o++]="--ro-bind /var/run/nscd/socket /var/run/nscd/socket" opts[o++]=--ro-bind
opts[o++]="--unshare-user-try --unshare-ipc --unshare-pid --unshare-uts --unshare-cgroup-try" opts[o++]="/var/run/nscd/socket"
opts[o++]="/var/run/nscd/socket"
opts[o++]=--unshare-user-try
opts[o++]=--unshare-ipc
opts[o++]=--unshare-pid
opts[o++]=--unshare-uts
opts[o++]=--unshare-cgroup-try
else else
opts[o++]="--unshare-all" opts[o++]=--unshare-all
fi fi
if test -n "${GHOSTVIEW}" if test -n "${GHOSTVIEW}"
then then
opts[o++]="--die-with-parent" opts[o++]=--setenv
opts[o++]="--setenv GHOSTVIEW ${GHOSTVIEW+"$GHOSTVIEW"}" opts[o++]=GHOSTVIEW
opts[o++]="{GHOSTVIEW+"$GHOSTVIEW"}"
fi fi
if test -n "${GHOSTVIEW_COLORS}" if test -n "${GHOSTVIEW_COLORS}"
then then
opts[o++]="--setenv GHOSTVIEW_COLORS ${GHOSTVIEW+"$GHOSTVIEW_COLORS"}" opts[o++]=--setenv
opts[o++]=GHOSTVIEW_COLORS
opts[o++]="${GHOSTVIEW+"$GHOSTVIEW_COLORS"}"
fi fi
else else
opts[o++]="--unshare-all" opts[o++]=--unshare-all
fi fi
if test -e /proc/$$/uid_map if test -e /proc/$$/uid_map
then then
opts[o++]="--uid $uid" opts[o++]=--uid
opts[o++]="$uid"
fi fi
if test -e /proc/$$/gid_map if test -e /proc/$$/gid_map
then then
opts[o++]="--gid $gid" opts[o++]=--gid
opts[o++]="$gid"
fi fi
# This is for debugging only # This is for debugging only
# add you binary like /bin/ls or /usr/bin/strace for further usage # add you binary like /bin/ls or /usr/bin/strace for further usage
@ -255,17 +306,21 @@ if false
then then
for bin in /usr/bin/strace for bin in /usr/bin/strace
do do
opts[o++]="--ro-bind $bin $bin" opts[o++]=--ro-bind
opts[o++]="$bin"
opts[o++]="$bin"
for lib in $(ldd "$bin" | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p') for lib in $(ldd "$bin" | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p')
do do
case "${opts[@]}" in case "${opts[@]}" in
*[:blank:]${lib}[:blank:]*) continue ;; *[:blank:]${lib}[:blank:]*) continue ;;
esac esac
opts[o++]="--ro-bind $lib $lib" opts[o++]=--ro-bind
opts[o++]="$lib"
opts[o++]="$lib"
done done
done done
fi fi
unset o argc arg unset o c argc arg
set -- "${argv[@]}" set -- "${argv[@]}"
set -euo pipefail set -euo pipefail
(exec -c -a gs /usr/bin/bwrap \ (exec -c -a gs /usr/bin/bwrap \
@ -278,26 +333,26 @@ set -euo pipefail
--ro-bind /usr/share/ghostscript /usr/share/ghostscript \ --ro-bind /usr/share/ghostscript /usr/share/ghostscript \
--ro-bind /usr/share/fonts /usr/share/fonts \ --ro-bind /usr/share/fonts /usr/share/fonts \
--ro-bind /etc/fonts /etc/fonts \ --ro-bind /etc/fonts /etc/fonts \
--ro-bind $lock /tmp/.lock \ --ro-bind "$lock" /tmp/.lock \
--lock-file /tmp/.lock \ --lock-file /tmp/.lock \
--dir /run/user/$uid \ --dir "/run/user/$uid" \
--dir /var \ --dir /var \
--symlink ../run var/run \ --symlink ../run var/run \
--symlink ../tmp var/tmp \ --symlink ../tmp var/tmp \
--dir $home \ --dir "$home" \
--chdir $home \ --chdir "$home" \
${opts[@]} \ "${opts[@]}" \
--new-session \ --new-session \
--sync-fd 0 \ --sync-fd 0 \
--sync-fd 1 \ --sync-fd 1 \
--sync-fd 2 \ --sync-fd 2 \
--setenv XDG_RUNTIME_DIR "/run/user/$uid" \ --setenv XDG_RUNTIME_DIR "/run/user/$uid" \
--setenv USER $user \ --setenv USER "$user" \
--setenv LOGNAME $user \ --setenv LOGNAME "$user" \
--setenv SHELL /bin/false \ --setenv SHELL /bin/false \
--setenv HOME $home \ --setenv HOME "$home" \
--setenv PATH /bin:/usr/bin \ --setenv PATH /bin:/usr/bin \
--setenv MAIL /dev/null \ --setenv MAIL /dev/null \
--die-with-parent \ --die-with-parent \
/usr/bin/gs ${1+"$@"}) /usr/bin/gs ${1+"$@"})
rm -f $lock rm -f "$lock"

11
gswrap.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Fri Oct 15 10:34:50 UTC 2021 - Dr. Werner Fink <werner@suse.de>
- Quote all variable which might include space
-------------------------------------------------------------------
Fri Oct 15 09:20:56 UTC 2021 - Dr. Werner Fink <werner@suse.de>
- Allow spaces in path, file, and user names
as well as check if all used programs are found.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 12 13:26:59 UTC 2021 - Dr. Werner Fink <werner@suse.de> Tue Oct 12 13:26:59 UTC 2021 - Dr. Werner Fink <werner@suse.de>