bootmisc: clean_run safety improvements.

If /tmp or / are read-only, the clean_run function can fail in some very bad ways. 1. dir=$(mktemp -d) returns an EMPTY string on error. 2. "mount -o bind / $dir", and don't check the result of that, 3. "rm -rf $dir/run/*", which removes the REAL /run contents 4. box gets very weird from this point forward Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org> Signed-Off-By: Chip Parker <infowolfe@gmail.com> Reported-by: Chip Parker <infowolfe@gmail.com> Tested-by: Chip Parker <infowolfe@gmail.com>
2015-02-26 17:58:22 -08:00
parent a0378f3871
commit 7bbb73574b
1 changed files with 25 additions and 4 deletions
--- a/init.d/bootmisc.in
+++ b/init.d/bootmisc.in
@@ -119,11 +119,32 @@ clean_run()
 {
 	[ "$RC_SYS" = VSERVER -o "$RC_SYS" = LXC ] && return 0
 	local dir
+	# If / is still read-only due to a problem, this will fail!
+	if ! checkpath -W /; then
+		eerror "/ is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	if ! checkpath -W /tmp; then
+		eerror "/tmp is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	# Now we know that we can modify /tmp and /
+	# if mktemp -d fails, it returns an EMPTY string
+	# STDERR: mktemp: failed to create directory via template ‘/tmp/tmp.XXXXXXXXXX’: Read-only file system
+	# STDOUT: ''
+	rc=0
 	dir=$(mktemp -d)
-	mount --bind / $dir
-	rm -rf $dir/run/*
-	umount $dir
-	rm -rf $dir
+	if [ -n "$dir" -a -d $dir -a -w $dir ]; then
+		mount --bind / $dir && rm -rf $dir/run/* || rc=1
+		umount $dir
+		rm -rf $dir
+	else
+		rc=1
+	fi
+	if [ $rc -ne 0 ]; then
+		eerror "Could not clean up underlying /run on /"
+		return 1
+	fi
 }

 start()