index : archiso32 | |
Archlinux32 iso tools | gitolite user |
author | nl6720 <nl6720@gmail.com> | 2022-11-26 20:00:40 +0200 |
---|---|---|
committer | nl6720 <nl6720@gmail.com> | 2022-12-06 13:12:53 +0200 |
commit | 2c3420204e25c31b6768f8e30ade348db757b722 (patch) | |
tree | 8b53a974d6904f312fa3701610672aaaa9fb7000 | |
parent | d31f38843ac0cb803561b0dbe976a3189ac0191c (diff) |
-rw-r--r-- | CHANGELOG.rst | 2 | ||||
-rwxr-xr-x | archiso/mkarchiso | 6 |
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 982c722..4fa88db 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,6 +13,8 @@ Changed ------- - Check if the GPG public key file was successfully placed in the work directory before trying to use it. +- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the + ``pacstrap`` invoked chroot should ever be allowed to write outside of it. Removed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 9000044..7a3fd1c 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -336,15 +336,15 @@ _make_packages() { _msg_info "Installing packages to '${pacstrap_dir}/'..." if [[ -v gpg_publickey ]]; then - exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey" + exec {ARCHISO_GNUPG_FD}<"$gpg_publickey" export ARCHISO_GNUPG_FD fi if [[ -v cert_list[0] ]]; then - exec {ARCHISO_TLS_FD}<>"${cert_list[0]}" + exec {ARCHISO_TLS_FD}<"${cert_list[0]}" export ARCHISO_TLS_FD fi if [[ -v cert_list[2] ]]; then - exec {ARCHISO_TLSCA_FD}<>"${cert_list[2]}" + exec {ARCHISO_TLSCA_FD}<"${cert_list[2]}" export ARCHISO_TLSCA_FD fi |
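Review bot: The added CHANGELOG.rst entry has a doubled article in "Nothing from the within the ``pacstrap`` invoked chroot"; drop the first "the" so it reads "Nothing from within the ``pacstrap`` invoked chroot should ever be allowed to write outside of it." The entry is otherwise consistent with the mkarchiso hunk, which changes the GPG public key descriptor and the two certificate descriptors.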
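Review bot: In the `_make_packages()` hunk, each `exec {...}<file` line is guarded only by `[[ -v ... ]]`, which tests that the variable is set, not that the file exists or is readable, and the visible lines do not check the result of the `exec`. This matters more after the change: in bash `<>` opens the file read-write and creates it when it is missing, while `<` fails on a missing or unreadable file. Failing is the better outcome, but it should be explicit: consider a readability test such as `[[ -r "${cert_list[0]}" ]]` with an error message before each `exec`, so a missing certificate or key stops the build with a clear reason. A short comment above the block stating that the descriptors are inherited by the `pacstrap` chroot and must stay read-only would also help keep a later edit from reverting to `<>`.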