
fix(updater): harden failure paths, lock apt privilege behind a root-owned wrapper, and self-heal broken components#266

Merged: HugoCLSC merged 5 commits into dev from fix/updater-sudoers-least-privilege on Jul 3, 2026

Conversation

@gmmcosta15

Collaborator

Description

Select the type:

  • Feature
  • Bug fix
  • Code refactor
  • Documentation

Updater hardening in three parts: failure-path robustness fixes from the dev review, apt privilege locked behind a root-owned wrapper, and self-healing for broken component directories (both RF50 field bugs).

Failure-path hardening

  • Component hooks run with a 600s budget and a liveness ping that re-emits progress every 60s, so a long uv sync can neither abort the batch nor false-trip the UI's busy watchdog.
  • git reset/checkout timeouts raised from 10s to 60s: they back rollback, boot revert, and recover, where a SIGTERM mid-checkout on a slow SD card is the worst case.
  • In-flight marker cleared on early returns (insecure remote, failed pre-update reset), removing spurious boot-revert logs.
  • Lock-held rejections emit the D-Bus error signal so the UI toasts instead of silently dismissing the overlay; malformed status JSON now shows a toast; stale confirm popups are deleted; OneShotTokenError message is no longer lost.

Scoped privilege

  • New root-owned /usr/local/sbin/bs-apt-helper is the single apt/dpkg sudoers grant: fixed argv per verb plus package-name validation, closing the old install --only-upgrade -y * option-injection window. It owns the dpkg-lock/conffile options and DEBIAN_FRONTEND (previously stripped by sudo env_reset).
  • executor._apt_cmd routes every apt operation through the wrapper; install-updater.sh deploys it before the daemon (re)starts, so there is no fallback path.
  • git safe.directory scoped to component repositories instead of '*'.

Component self-heal

  • A component directory without .git (tarball-installed ~/Spoolman) no longer aborts the whole update as a network error; it is excluded per-component and the batch proceeds.
  • For install_if_missing components the directory is renamed to <name>.pre-updater-<timestamp> (reversible, old config preserved) and re-provisioned in the same run.
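
The wrapper pattern described under "Scoped privilege", as an added example that is not the PR's bs-apt-helper: each verb maps to one fixed apt-get argv, package names are validated against a Debian-style name regex, and no caller-supplied option reaches apt-get. The verb names, the package regex and the dpkg options used here are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the PR's bs-apt-helper: a minimal root-owned apt wrapper in
# the shape the PR describes. Each verb maps to one fixed apt-get argv, package
# names are validated, and nothing else from the caller reaches apt-get.
# Verb names, the package regex and the dpkg options are assumptions.
set -eu

# Debian package names: lowercase alnum first, then alnum, '+', '-' or '.'.
# Anything else (an option such as -o, a glob such as *) is rejected.
PKG_RE='^[a-z0-9][a-z0-9+.-]+$'

valid_pkg() {
  printf '%s\n' "$1" | grep -Eq "$PKG_RE"
}

# Print the exact apt-get argv for a verb on one line, or fail:
#   1 unknown verb, 2 wrong arity, 3 bad package name.
apt_helper_argv() {
  verb=${1:-}
  [ "$#" -eq 0 ] || shift
  case "$verb" in
    update)
      [ "$#" -eq 0 ] || return 2
      echo "apt-get -q update" ;;
    upgrade)
      [ "$#" -ge 1 ] || return 2
      for pkg in "$@"; do valid_pkg "$pkg" || return 3; done
      echo "apt-get -q -y -o Dpkg::Lock::Timeout=60" \
           "-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold" \
           "install --only-upgrade -- $*" ;;
    *) return 1 ;;
  esac
}

# The wrapper sets DEBIAN_FRONTEND itself, since sudo env_reset strips it
# from the caller's environment.
main() {
  argv=$(apt_helper_argv "$@") || { echo "usage: $0 update | upgrade PKG..." >&2; exit 2; }
  DEBIAN_FRONTEND=noninteractive
  export DEBIAN_FRONTEND
  # Word-splitting the validated line is safe: no element contains whitespace or globs.
  # shellcheck disable=SC2086
  set -- $argv
  exec "$@"
}

# Dispatch only when a verb is given, so the file can also be sourced for tests.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Deployed as root-owned, mode 0755, with a sudoers line granting only this path, the caller can pick a verb and valid package names but cannot add apt-get options.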

@gmmcosta15 gmmcosta15 added the enhancement label (New feature or request.) Jul 3, 2026
@gmmcosta15 gmmcosta15 self-assigned this Jul 3, 2026
@gmmcosta15 gmmcosta15 requested a review from HugoCLSC July 3, 2026 14:37
@HugoCLSC HugoCLSC merged commit b14a927 into dev Jul 3, 2026
8 checks passed
@HugoCLSC HugoCLSC deleted the fix/updater-sudoers-least-privilege branch July 3, 2026 16:15