WIP: Add an optional exec hook to run after each upstream Spotify update

[victordejong]

This PR allows users to configure an executable hook, to be ran after each upstream Spotify update. The hook is blocking, and Spotify will not start before the hook has exited.

This PR implements issue #45.

This PR is a Work in Progress, as I want to discuss and check a couple of things before moving forward:

• [ ] The current mode of execution is blocking.
  • Is there a reason we would want this to be non-blocking?
  • Is there need for it to be configurable, either with a timeout or switching blocking/non-blocking?
• [ ] Handle script behaviour.
  • Current behaviour is to ignore script return codes. Is this desired? The user will now be warned about a non-zero exit code.
  • Script stdout/stderr output is not displayed, should we?
  • Currently when facing execution errors, such as permission denied or missing executable, the main thread panics. We should probably handle this more gracefully, but do we want to exit or continue launching Spotify? Just a warning is logged, but the script now does not block the launch of Spotify.
• [ ] Security
  • I'd like someone to take a look at the possible security implications of running arbitrary executables. Some improvements we can look at from my perspective:
  • Only allow executables to be ran where the file owner equals process owner.
  • Refuse to run when executable has global write permissions.
  • Refuse to run when special permissions (SUID/SGID) are set.
  • Restrict running environment to only whitelisted interpreters (Bash, Python, etc...). Refuse to run ELFs.

Should there be any other notable issues, let me know.

[victordejong]

Hi @kpcyrd , thanks a lot for the quick review. Whenever you have time, let me know what you think about the rest of the items for this PR, I'm especially curious what you think about the security implications of this feature.