forked from pool/pesign
88fb4f57d3
- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch to use the normal file permissions in pesign-authorize to avoid the potential security issue (bsc#1202933, CVE-2022-3560) - Set the libexecdir path for "make" to fix the path to pesign-authorize in pesign.service (bsc#1202933) - Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make the default NSS datebase writeable (bsc#1202933) OBS-URL: https://build.opensuse.org/request/show/1063580 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=68
82 lines
2.3 KiB
Diff
82 lines
2.3 KiB
Diff
From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Wed, 18 Jan 2023 14:00:22 -0500
|
|
Subject: [PATCH] Use normal file permissions instead of ACLs
|
|
|
|
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
|
|
|
|
pesign-authorize is now deprecated and will be removed in a future
|
|
release.
|
|
|
|
Resolves: CVE-2022-3560
|
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
---
|
|
src/pesign-authorize | 53 +++++---------------------------------------
|
|
1 file changed, 5 insertions(+), 48 deletions(-)
|
|
|
|
Index: pesign-113/src/pesign-authorize
|
|
===================================================================
|
|
--- pesign-113.orig/src/pesign-authorize
|
|
+++ pesign-113/src/pesign-authorize
|
|
@@ -2,55 +2,12 @@
|
|
set -e
|
|
set -u
|
|
|
|
-#
|
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
-# acls for specific users is useful
|
|
-#
|
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
-#
|
|
-
|
|
# License: GPLv2
|
|
-declare -a fileusers=()
|
|
-declare -a dirusers=()
|
|
-for user in $(cat /etc/pesign/users); do
|
|
- dirusers[${#dirusers[@]}]=-m
|
|
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
- fileusers[${#fileusers[@]}]=-m
|
|
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
-done
|
|
-
|
|
-declare -a filegroups=()
|
|
-declare -a dirgroups=()
|
|
-for group in $(cat /etc/pesign/groups); do
|
|
- dirgroups[${#dirgroups[@]}]=-m
|
|
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
- filegroups[${#filegroups[@]}]=-m
|
|
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
-done
|
|
-
|
|
-update_subdir() {
|
|
- subdir=$1 && shift
|
|
|
|
- setfacl -bk "${subdir}"
|
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
- for x in "${subdir}"* ; do
|
|
- if [ -d "${x}" ]; then
|
|
- setfacl -bk ${x}
|
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
- update_subdir "${x}/"
|
|
- elif [ -e "${x}" ]; then
|
|
- setfacl -bk ${x}
|
|
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
- else
|
|
- :;
|
|
- fi
|
|
- done
|
|
-}
|
|
+# This script is deprecated and will be removed in a future release.
|
|
|
|
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
|
- if [ -d "${x}" ]; then
|
|
- update_subdir "${x}"
|
|
- else
|
|
- :;
|
|
- fi
|
|
+sleep 3
|
|
+for x in /run/pesign/ /etc/pki/pesign/ ; do
|
|
+ chown -R pesign:pesign "${x}" || true
|
|
+ chmod -R ug+rwX "${x}" || true
|
|
done
|