fix: Use update-alternatives instead of symlinks for #7500 (#7501)
* Issue #7500: Use update-alternatives instead of symlinks to executable if available.

Where possible, use `update-alternatives` instead to avoid hardcoding links in Linux. This will allow for downstream users to specify paths to their own executables with higher priority if they wish.

Backward compatibility is preserved by still using the symlinking route if the command `update-alternatives` is not available.
markizano committed Apr 7, 2023
1 parent cd7b79f commit e83dc81
Showing 4 changed files with 46 additions and 5 deletions.
23 changes: 23 additions & 0 deletions .changeset/use-update-alternatives-93f81a.md
@@ -0,0 +1,23 @@
---
"app-builder-lib": patch
---

Use `update-alternatives` when available.

## What is changing?
Test for `update-alternatives` in DEB based installations and use this whenever possible.
In this way, middleware and downstream projects and users can specify binaries of their
own priority that would override this programs' configured executable.

## Why is this changing?
Personally, I don't want apps running as myself or a privileged user in my system.
For this. I have a shell that is executed to drop permissions first, then execute the
selected software.
Electron apps don't conform to this since they link directly rather than using a linking
system.

This change is to ensure that system is used before resorting to direct links.

## How should this be consumed?
Simply update as normal and this package will switch to using update-alternatives.
This will allow middleware and end-users to better control the active executable.
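Review bot: The "How should this be consumed?" section does not say how an override is actually set up, which is the stated purpose of the change. It should state that the package registers '/opt/${sanitizedProductName}/${executable}' under the name '${executable}' at priority 100, and that an existing direct '/usr/bin/${executable}' symlink is removed and replaced on upgrade. The text also says "DEB based installations" while the edited templates live under templates/linux/, so say which package targets run these scripts. Typos: "this programs' configured executable" should be "this program's", and "For this. I have a shell" should be one sentence.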
11 changes: 9 additions & 2 deletions packages/app-builder-lib/templates/linux/after-install.tpl
@@ -1,7 +1,14 @@
#!/bin/bash

# Link to the binary
ln -sf '/opt/${sanitizedProductName}/${executable}' '/usr/bin/${executable}'
if type update-alternatives 2>/dev/null >&1; then
# Remove previous link if it doesn't use update-alternatives
if [ -L '/usr/bin/${executable}' -a -e '/usr/bin/${executable}' -a "`readlink '/usr/bin/${executable}'`" != '/etc/alternatives/${executable}' ]; then
rm -f '/usr/bin/${executable}'
fi
update-alternatives --install '/usr/bin/${executable}' '${executable}' '/opt/${sanitizedProductName}/${executable}' 100
else
ln -sf '/opt/${sanitizedProductName}/${executable}' '/usr/bin/${executable}'
fi

# SUID chrome-sandbox for Electron 5+
chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
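Review bot: In the first added line, `type update-alternatives 2>/dev/null >&1` sends stderr to /dev/null, but `>&1` only points stdout back at itself, so the output of `type` still lands in the installer output. after-remove.tpl in this same commit uses `>/dev/null 2>&1`, and this line should match it. The stale-link test also fires only for a symlink whose target exists (`-L ... -a -e ...`), so a dangling symlink or a regular file at '/usr/bin/${executable}' is left in place when `update-alternatives --install` runs. Consider dropping the `-e` clause and deciding explicitly what happens to a non-symlink. Since the script is `#!/bin/bash`, `[[ ... && ... ]]` with `$(readlink ...)` would read better than `-a` and backticks.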
6 changes: 5 additions & 1 deletion packages/app-builder-lib/templates/linux/after-remove.tpl
@@ -1,4 +1,8 @@
#!/bin/bash

# Delete the link to the binary
rm -f '/usr/bin/${executable}'
if type update-alternatives >/dev/null 2>&1; then
update-alternatives --remove '${executable}' '/usr/bin/${executable}'
else
rm -f '/usr/bin/${executable}'
fi
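Review bot: The arguments to `update-alternatives --remove` do not match what after-install.tpl registers. The install side registers '/opt/${sanitizedProductName}/${executable}' as the alternative for the name '${executable}', while this line passes the link '/usr/bin/${executable}' as the path. `--remove` takes the name and the alternative's path, so this should be `update-alternatives --remove '${executable}' '/opt/${sanitizedProductName}/${executable}'`. As written, the registered alternative is not matched and stays behind after uninstall. The branch is also chosen by what is present at removal time: a package installed through the `ln -sf` fallback and removed once update-alternatives is available takes the first branch, and nothing there deletes the direct '/usr/bin/${executable}' symlink. Cleaning up a leftover direct link in both branches would cover that.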
11 changes: 9 additions & 2 deletions test/snapshots/linux/debTest.js.snap
@@ -538,8 +538,15 @@ exports[`executable path in postinst script 4`] = `"Test Application (test quite
exports[`executable path in postinst script 5`] = `
"#!/bin/bash
# Link to the binary
ln -sf '/opt/foo/Boo' '/usr/bin/Boo'
if type update-alternatives 2>/dev/null >&1; then
# Remove previous link if it doesn't use update-alternatives
if [ -L '/usr/bin/Boo' -a -e '/usr/bin/Boo' -a \\"\`readlink '/usr/bin/Boo'\`\\" != '/etc/alternatives/Boo' ]; then
rm -f '/usr/bin/Boo'
fi
update-alternatives --install '/usr/bin/Boo' 'Boo' '/opt/foo/Boo' 100
else
ln -sf '/opt/foo/Boo' '/usr/bin/Boo'
fi
# SUID chrome-sandbox for Electron 5+
chmod 4755 '/opt/foo/chrome-sandbox' || true
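Review bot: This snapshot pins `if type update-alternatives 2>/dev/null >&1; then` as expected postinst output, so the redirection that differs from the `>/dev/null 2>&1` form in after-remove.tpl is now locked in by the test. The snapshot has to be regenerated once the template is corrected. The commit also changes after-remove.tpl, but this is the only snapshot among the 4 changed files and it covers postinst only. A postrm snapshot would put the `--remove` arguments under test.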