SHA256
1
0
forked from pool/frr
frr/0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
Martin Hauke 729276ccdc Accepting request 1035289 from home:mtomaschewski:branches:network
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
  file to vendor specific directory /usr/etc/logrotate.d and added
  saving of user changed configuration files in /etc and restoring
  them while an RPM update.
- Declare root as sufficient also in the pam account verification;
  without vtysh use causes to log a pam frr:account warnings
  (https://github.com/FRRouting/frr/pull/12308)
  [+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
  (https://github.com/FRRouting/frr/pull/12307)
  [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
  from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
  https://github.com/FRRouting/frr/pull/12157).
  [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
  [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
   - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
   - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
   - 0006-isisd-fix-10505-using-base64-encoding.patch,
   - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
   - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
  * New BGP command (neighbor PEER soo) to configure SoO to prevent
    routing loops and suboptimal routing on dual-homed sites.
  * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
    because previously we allowed using martian next-hops when debug is
    turned on.
  * Implement BGP Prefix Origin Validation State Extended Community rfc8097
  *  Implement Route Leak Prevention and Detection Using Roles in UPDATE

OBS-URL: https://build.opensuse.org/request/show/1035289
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=43
2022-11-15 14:31:19 +00:00

94 lines
3.3 KiB
Diff

From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 20 Oct 2022 09:10:22 +0300
References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157
Upstream: submitted
Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race
conditions
This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124
install/chown is in most cases (as I tested) is enough, but still, can be racy.
Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this.
For Linux `runuser` can be used, but *BSD do not have this command.
Proof of concept:
```
% sudo su - frr
[sudo] password for donatas:
su: warning: cannot change directory to /nonexistent: No such file or directory
frr@donatas-laptop:/home/donatas$ cd /etc/frr/
frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf
Setting up watches.
Watches established.
./ CREATE zebra.conf
frr@donatas-laptop:/etc/frr$ ls -la zebra.conf
lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow
frr@donatas-laptop:/etc/frr$ cat zebra.conf
cat: zebra.conf: Permission denied
frr@donatas-laptop:/etc/frr$
```
On the other terminal do:
```
/usr/lib/frr/frrinit.sh restart
```
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/tools/frr.in b/tools/frr.in
index e9f1122834..5f3f425a1e 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -96,10 +96,10 @@ check_daemon()
# check for config file
if [ -n "$2" ]; then
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\""
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\""
fi
fi
return 0
@@ -524,7 +524,7 @@ convert_daemon_prios
if [ ! -d $V_PATH ]; then
echo "Creating $V_PATH"
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 61f1abb378..4d5d688d57 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -143,7 +143,7 @@ daemon_prep() {
cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
if [ ! -r "$cfg" ]; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\""
fi
return 0
}
@@ -161,7 +161,7 @@ daemon_start() {
[ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
- install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
+ su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
chmod gu+x "${V_PATH}"
fi
--
2.35.3