Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
-rw-r--r--CHANGELOG.rst2
-rwxr-xr-xarchiso/mkarchiso6
2 files changed, 5 insertions, 3 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 982c722..4fa88db 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,8 @@ Changed
-------
- Check if the GPG public key file was successfully placed in the work directory before trying to use it.
+- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the
+ ``pacstrap`` invoked chroot should ever be allowed to write outside of it.
Removed
-------
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 9000044..7a3fd1c 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -336,15 +336,15 @@ _make_packages() {
_msg_info "Installing packages to '${pacstrap_dir}/'..."
if [[ -v gpg_publickey ]]; then
- exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey"
+ exec {ARCHISO_GNUPG_FD}<"$gpg_publickey"
export ARCHISO_GNUPG_FD
fi
if [[ -v cert_list[0] ]]; then
- exec {ARCHISO_TLS_FD}<>"${cert_list[0]}"
+ exec {ARCHISO_TLS_FD}<"${cert_list[0]}"
export ARCHISO_TLS_FD
fi
if [[ -v cert_list[2] ]]; then
- exec {ARCHISO_TLSCA_FD}<>"${cert_list[2]}"
+ exec {ARCHISO_TLSCA_FD}<"${cert_list[2]}"
export ARCHISO_TLSCA_FD
fi
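Review bot: The three `exec {…}<…` lines in `_make_packages` have no comment recording why the descriptors must be read-only, so a later edit could switch them back to `<>` without anyone noticing the security regression. Above the first `if` I would add `# Open read-only: these descriptors are exported to the pacstrap chroot, which must never be able to write to key or certificate files outside of it.` The descriptors are exported and so are inherited by every child process started afterwards. The function body continues past this hunk, so it is worth confirming that each one is closed (for example `exec {ARCHISO_GNUPG_FD}<&-`) as soon as pacstrap returns. Read-only mode restricts writes through the inherited descriptor only; the files' own permissions should still be kept tight.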