targetcli-fb/0002-saveconfig-set-0o600-perms-on-backupfiles.patch

From 1940a17986deaab92e6be395f20ee55dac0ac2bd Mon Sep 17 00:00:00 2001
From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Fri, 29 May 2020 14:51:28 +0530
Subject: [PATCH 2/4] saveconfig: set 0o600 perms on backupfiles

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
---
 targetcli/ui_root.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py
index 26815bd2b8fa..6e99b8cfcb78 100644
--- a/targetcli/ui_root.py
+++ b/targetcli/ui_root.py
@@ -125,12 +125,17 @@ class UIRoot(UINode):
 
         # Save backup if backup dir is empty, or savefile is differnt from recent backup copy
         if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):
+            mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+            umask = 0o777 ^ mode  # Prevents always downgrading umask to 0
+            umask_original = os.umask(umask)
             try:
                 with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:
                     shutil.copyfileobj(f_in, f_out)
                     f_out.flush()
             except IOError as ioe:
                 backup_error = ioe.strerror or "Unknown error"
+            finally:
+                os.umask(umask_original)
 
             if backup_error == None:
                 # remove excess backups
-- 
2.26.2
Accepting request 813263 from home:lee_duncan:branches:Base:System - Added 4 upstream commits for CVE-2020-13867 (bsc#1172743), adding patches: * 0001-uds-set-right-permissions-at-bind-time.patch * 0002-saveconfig-set-0o600-perms-on-backupfiles.patch * 0003-saveconfig-set-right-perms-on-backup-dir.patch * 0004-saveconfig-set-right-perms-on-etc-target-dir.patch OBS-URL: https://build.opensuse.org/request/show/813263 OBS-URL: https://build.opensuse.org/package/show/Base:System/targetcli-fb?expand=0&rev=43 2020-06-10 16:50:07 +02:00			`From 1940a17986deaab92e6be395f20ee55dac0ac2bd Mon Sep 17 00:00:00 2001`
			`From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>`
			`Date: Fri, 29 May 2020 14:51:28 +0530`
			`Subject: [PATCH 2/4] saveconfig: set 0o600 perms on backupfiles`

			`Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>`
			`---`
			`targetcli/ui_root.py \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/targetcli/ui_root.py b/targetcli/ui_root.py`
			`index 26815bd2b8fa..6e99b8cfcb78 100644`
			`--- a/targetcli/ui_root.py`
			`+++ b/targetcli/ui_root.py`
			`@@ -125,12 +125,17 @@ class UIRoot(UINode):`

			`# Save backup if backup dir is empty, or savefile is differnt from recent backup copy`
			`if not backed_files_list or not self._compare_files(backed_files_list[-1], savefile):`
			`+ mode = stat.S_IRUSR \| stat.S_IWUSR # 0o600`
			`+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0`
			`+ umask_original = os.umask(umask)`
			`try:`
			`with open(savefile, 'rb') as f_in, gzip.open(backupfile, 'wb') as f_out:`
			`shutil.copyfileobj(f_in, f_out)`
			`f_out.flush()`
			`except IOError as ioe:`
			`backup_error = ioe.strerror or "Unknown error"`
			`+ finally:`
			`+ os.umask(umask_original)`

			`if backup_error == None:`
			`# remove excess backups`
			`--`
			`2.26.2`