Marius Tomaschewski
c153b30597
- Remove attempts to correct configuration file ownership and permissions in service files, that may lead to local privilege escalation from quagga to root (bsc#1191890,CVE-2021-44038). [+ remove-chown-chmod.service.patch] - Correct hardening patches adding ReadWritePaths=/etc/quagga - Add update-messages that quagga is not developed for years, is about to get dropped from Factory/Tumbleweed soon and users should migrate to FRR (https://frrouting.org/). OBS-URL: https://build.opensuse.org/request/show/1035188 OBS-URL: https://build.opensuse.org/package/show/network/quagga?expand=0&rev=76
24 lines
704 B
Diff
24 lines
704 B
Diff
Index: quagga-1.2.4/redhat/zebra.service
|
|
===================================================================
|
|
--- quagga-1.2.4.orig/redhat/zebra.service
|
|
+++ quagga-1.2.4/redhat/zebra.service
|
|
@@ -6,6 +6,18 @@
|
|
Documentation=man:zebra
|
|
|
|
[Service]
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+ProtectHostname=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
+ReadWritePaths=/etc/quagga
|
|
+# end of automatic additions
|
|
Type=forking
|
|
PIDFile=/run/quagga/zebra.pid
|
|
EnvironmentFile=-/etc/sysconfig/quagga
|