- Remove attempts to correct configuration file ownership and permissions in service files, that may lead to local privilege escalation from quagga to root (bsc#1191890,CVE-2021-44038). [+ remove-chown-chmod.service.patch] - Correct hardening patches adding ReadWritePaths=/etc/quagga - Add update-messages that quagga is not developed for years, is about to get dropped from Factory/Tumbleweed soon and users should migrate to FRR (https://frrouting.org/). OBS-URL: https://build.opensuse.org/request/show/1035188 OBS-URL: https://build.opensuse.org/package/show/network/quagga?expand=0&rev=76
References: bsc#1191890,CVE-2021-44038
|
|
Upstream: no
|
|
|
|
The services ensure using ConditionPathExists that configuration
|
|
files exist at start time.
|
|
|
|
This change reverts to quagga-1.1.1 service behavior and removes
|
|
the attempts to fix configuration file ownership and permissions
|
|
that may lead to local privilege escalation from quagga to root.
|
|
|
|
--- quagga-1.2.4-orig/redhat/bgpd.service
|
|
+++ quagga-1.2.4/redhat/bgpd.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/bgpd.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
|
|
ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/isisd.service
|
|
+++ quagga-1.2.4/redhat/isisd.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/isisd.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
|
|
ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/ospf6d.service
|
|
+++ quagga-1.2.4/redhat/ospf6d.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/ospf6d.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
|
|
ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/ospfd.service
|
|
+++ quagga-1.2.4/redhat/ospfd.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/ospfd.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
|
|
ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/ripd.service
|
|
+++ quagga-1.2.4/redhat/ripd.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/ripd.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
|
|
ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/ripngd.service
|
|
+++ quagga-1.2.4/redhat/ripngd.service
|
|
@@ -23,8 +23,6 @@
|
|
Type=forking
|
|
PIDFile=/run/quagga/zebra.pid
|
|
EnvironmentFile=/etc/sysconfig/quagga
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
|
|
ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
|
|
Restart=on-abort
|
|
|
|
--- quagga-1.2.4-orig/redhat/zebra.service
|
|
+++ quagga-1.2.4/redhat/zebra.service
|
|
@@ -22,9 +22,6 @@
|
|
PIDFile=/run/quagga/zebra.pid
|
|
EnvironmentFile=-/etc/sysconfig/quagga
|
|
ExecStartPre=/sbin/ip route flush proto zebra
|
|
-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
|
|
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
|
|
-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
|
|
ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
|
|
Restart=on-abort
|
|
|
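Review bot: Dropping the ExecStartPre chown of /run/quagga in zebra.service leaves nothing in this patch that creates or owns the runtime directory the PIDFile= lines depend on, so the unit now relies on packaging (a tmpfiles.d entry or %post) that is not visible here; the same applies to /etc/quagga/*.conf readability by $QUAGGA_USER, and the patch header should state that ownership is now expected to be set at install time rather than at service start. The systemd-native replacement for the removed /run/quagga handling is a per-unit directory directive, e.g. `RuntimeDirectory=quagga` with `RuntimeDirectoryMode=0750`, which creates the directory owned by the unit's User= and avoids a recursive chown over a path the unprivileged daemon could populate. The ConditionPathExists guard the header refers to is outside these hunks, so whether every unit still carries it cannot be confirmed from this patch. As an unrelated context line, ripngd.service's `PIDFile=/run/quagga/zebra.pid` looks like a copy-paste of zebra's pidfile and should presumably be ripngd.pid; verify against the full unit before changing it.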