X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Fchecks.py;h=8111ef7555e1198729a7f7cf1fbda4b009245f78;hb=c66012218feeb5a9a4228890f44a9a27dcaafeca;hp=fcb5a325a7d53cde62998ebcab719ff10d1af01b;hpb=3e33b8396bb500b089598948992204d877368ec9;p=dak.git

diff --git a/daklib/checks.py b/daklib/checks.py
index fcb5a325..8111ef75 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -354,6 +354,10 @@ class ACLCheck(Check):
     """Check the uploader is allowed to upload the packages in .changes"""
 
     def _does_hijack(self, session, upload, suite):
+        # Try to catch hijacks.
+        # This doesn't work correctly. Uploads to experimental can still
+        # "hijack" binaries from unstable. Also one can hijack packages
+        # via buildds (but people who try this should not be DMs).
         for binary_name in upload.changes.binary_names:
             binaries = session.query(DBBinary).join(DBBinary.source) \
                 .filter(DBBinary.suites.contains(suite)) \
@@ -401,6 +405,7 @@ class ACLCheck(Check):
         acl_per_source = session.query(ACLPerSource).filter_by(acl=acl, fingerprint=upload.fingerprint, source=source_name).first()
         if acl.allow_per_source:
             # XXX: Drop DMUA part here and switch to new implementation.
+            # XXX: Send warning mail once users can set the new DMUA flag
             dmua_status, dmua_reason = self._check_dmua(upload)
             if not dmua_status:
                 return False, dmua_reason
@@ -590,7 +595,7 @@ class LintianCheck(Check):
         except yaml.YAMLError as msg:
             raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
 
-        fd, temp_filename = utils.temp_filename()
+        fd, temp_filename = utils.temp_filename(mode=0o644)
         temptagfile = os.fdopen(fd, 'w')
         for tags in lintiantags.itervalues():
             for tag in tags:
@@ -599,8 +604,10 @@ class LintianCheck(Check):
 
         changespath = os.path.join(upload.directory, changes.filename)
         try:
-            # FIXME: no shell
-            cmd = "lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
+            if cnf.unprivgroup:
+                cmd = "sudo -H -u {0} -- /usr/bin/lintian --show-overrides --tags-from-file {1} {2}".format(cnf.unprivgroup, temp_filename, changespath)
+            else:
+                cmd = "/usr/bin/lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
             result, output = commands.getstatusoutput(cmd)
         finally:
             os.unlink(temp_filename)