From 0d83637769b8a122b1e80f2e960ea1bbae8b4f10 Mon Sep 17 00:00:00 2001
Message-Id: <0d83637769b8a122b1e80f2e960ea1bbae8b4f10.1540199566.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 22 Oct 2018 10:52:39 +0300
Subject: [PATCH] Fix nasty --setperms/--setugids regression in 4.14.2 (RhBug:
1640470)
|
Commit 38c2f6e160d5ed3e9c3a266139c7eb2632724c15 causes --setperms and
--setugids follow symlinks instead of skipping them.
|
In case of --setperms, all encountered symlinks will have their
target file/directory permissions set to the 0777 of the link itself
(so world writable etc but suid/sgid stripped), temporarily or permanently,
depending on whether the symlink occurs before or after its target in the
package file list. When the link occurs before its target, there's a short
window where the target is world writable before having it's permissions
reset to original, making it particularly bad for suid/sgid binaries.
|
--setugids is similarly affected with link targets owner/group changing
to that of the symlink.
|
Add missing parentheses to the conditions introduced in commit
38c2f6e160d5ed3e9c3a266139c7eb2632724c15 to fix.
Reported by Karel Srot, patch by Pavlina Moravcova Varekova.
---
rpmpopt.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
|
diff --git a/rpmpopt.in b/rpmpopt.in
index 8aaa91f11..42d3416a3 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -44,14 +44,14 @@ rpm alias --scripts --qf '\
--POPTdesc=$"list install/erase scriptlets from package(s)"
|
rpm alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \
- \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] || \
+ ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \
chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
--pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \
--POPTdesc=$"set permissions of files in a package"
|
rpm alias --setugids -q --qf \
'[ch %{FILEUSERNAME:shescape} %{FILEGROUPNAME:shescape} %{FILENAMES:shescape} %{FILEFLAGS}\n]' \
- --pipe "(echo 'ch() { \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] || \
+ --pipe "(echo 'ch() { ( \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] ) || \
(chown -h -- \"$1\" \"$3\";chgrp -h -- \"$2\" \"$3\";) }'; \
grep '^ch '|grep -v \(none\))|sh" \
--POPTdesc=$"set user/group ownership of files in a package"
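Review bot: The parentheses added on the `--setugids` line (`ch() { ( \[ … \] && \[ ! -e \"$3\" \] ) || (chown -h …) }`) do not change evaluation: POSIX sh gives `&&` and `||` equal precedence with left association, so `B && C || D` already grouped as `(B && C) || D`. Only the `--setperms` line needed the fix, because its leading `\[ -L … \] ||` term made `(-L || flags) && ! -e` group together and sent existing symlinks on to `chmod`, which follows them; the `--setugids` body has no `-L` term and its `chown -h`/`chgrp -h` act on the link itself, so if it misbehaved the cause is not visible in this hunk. Keeping the parentheses for readability is fine, but since this grouping is what prevents the permission-mangling regression, a comment above the `--setperms` alias would help the next reader, e.g. `# never chmod a symlink (chmod follows it); skip ghost/missingok files that are absent`.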
--
2.17.2