Don't allow user-writable SelfServiceManifest to be a symlink

2026-01-05 22:20:00 -06:00 · 2018-06-18 12:58:32 -07:00
parent b1e94a072b
commit 18ef54ca00
1 changed files with 12 additions and 0 deletions
--- a/code/client/munkilib/updatecheck/core.py
+++ b/code/client/munkilib/updatecheck/core.py
@@ -224,6 +224,18 @@ def check(client_id='', localmanifestpath=None):
        usermanifest = '/Users/Shared/.SelfServeManifest'
        selfservemanifest = os.path.join(
            managed_install_dir, 'manifests', 'SelfServeManifest')
+
+        if os.path.islink(usermanifest):
+            # not allowed as it could link to things not normally
+            # readable by unprivileged users
+            try:
+                os.unlink(usermanifest)
+            except OSError:
+                pass
+            display.display_warning(
+                "Found symlink at %s. Ignoring and removing."
+                % selfservemanifest)
+
        if os.path.exists(usermanifest):
            # copy user-generated SelfServeManifest to our
            # managed_install_dir