From 3371584d027645412cb65a23e7a88c3e6a882df3 Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Apr 20 2021 08:29:24 +0000
Subject: Fix incorrect permissions on kdump dmesg file
Resolves: rhbz#1938165
Upstream: fedora
Conflict: none
commit 91c802ff526a0aa0618f6d5c282a9b9b8e41bff8
Author: Tao Liu
Date: Thu Mar 18 16:52:46 2021 +0800
Fix incorrect permissions on kdump dmesg file Also known as CVE-2021-20269. The kdump dmesg log files(kexec-dmesg.log, vmcore-dmesg.txt) are generated by shell redirection, which take the default umask value, making the files readable for group and others. This patch chmod these files, making them only accessible to owner.
Signed-off-by: Tao Liu
Acked-by: Kairui Song
Signed-off-by: Tao Liu
---
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index 21143b4..8316589 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -849,6 +849,7 @@ install() {
 inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
 inst "/usr/bin/printf" "/sbin/printf"
 inst "/usr/bin/logger" "/sbin/logger"
+ inst "/usr/bin/chmod" "/sbin/chmod"
 inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
 inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
 inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 86065be..5cb0223 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -111,6 +111,7 @@ save_log()
 if command -v journalctl > /dev/null; then
 journalctl -ab >> $KDUMP_LOG_FILE
 fi
+ chmod 600 $KDUMP_LOG_FILE
 }
 # dump_fs
@@ -178,6 +179,7 @@ save_vmcore_dmesg_fs() {
 _exitcode=$?
 if [ $_exitcode -eq 0 ]; then
 mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
+ chmod 600 ${_path}/vmcore-dmesg.txt
 # Make sure file is on disk. There have been instances where later
 # saving vmcore failed and system rebooted without sync and there
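Review bot: In both kdump-lib-initramfs.sh hunks the `chmod 600` runs only after the file has been fully written, so the log is created with the default-umask mode and stays group/world-readable until that last step. In save_vmcore_dmesg_fs() the chmod also sits inside the `if [ $_exitcode -eq 0 ]` branch, so when vmcore-dmesg fails the leftover vmcore-dmesg-incomplete.txt appears to keep the permissive mode. The redirections that create the files are outside these hunks, so this is inferred from the commit message and the visible `mv`. Setting `umask 077` before the first write (in a subshell, or saved and restored) would create both files owner-only from the start and cover the failure path. If the chmod stays, quote the expansions, `chmod 600 "$KDUMP_LOG_FILE"` and `chmod 600 "${_path}/vmcore-dmesg.txt"`, so a path with whitespace or glob characters cannot redirect the mode change.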