|
 |
65f427 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
65f427 |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
65f427 |
Date: Wed, 18 Jan 2023 14:00:22 -0500
|
|
|
65f427 |
Subject: [PATCH] Use normal file permissions instead of ACLs
|
|
|
65f427 |
|
|
|
65f427 |
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
|
|
|
65f427 |
|
|
|
65f427 |
pesign-authorize is now deprecated and will be removed in a future
|
|
|
65f427 |
release.
|
|
|
65f427 |
|
|
|
65f427 |
Resolves: CVE-2022-3560
|
|
|
65f427 |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
65f427 |
(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
|
|
|
65f427 |
---
|
|
|
65f427 |
src/pesign-authorize | 53 +++++-----------------------------------------------
|
|
|
65f427 |
1 file changed, 5 insertions(+), 48 deletions(-)
|
|
|
65f427 |
|
|
|
65f427 |
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
|
65f427 |
index 83a30cd..b4e89e0 100755
|
|
|
65f427 |
--- a/src/pesign-authorize
|
|
|
65f427 |
+++ b/src/pesign-authorize
|
|
|
65f427 |
@@ -2,55 +2,12 @@
|
|
|
65f427 |
set -e
|
|
|
65f427 |
set -u
|
|
|
65f427 |
|
|
|
65f427 |
-#
|
|
|
65f427 |
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
|
65f427 |
-# acls for specific users is useful
|
|
|
65f427 |
-#
|
|
|
65f427 |
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
|
65f427 |
-#
|
|
|
65f427 |
-
|
|
|
65f427 |
# License: GPLv2
|
|
|
65f427 |
-declare -a fileusers=()
|
|
|
65f427 |
-declare -a dirusers=()
|
|
|
65f427 |
-for user in $(cat /etc/pesign/users); do
|
|
|
65f427 |
- dirusers[${#dirusers[@]}]=-m
|
|
|
65f427 |
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
|
65f427 |
- fileusers[${#fileusers[@]}]=-m
|
|
|
65f427 |
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
|
65f427 |
-done
|
|
|
65f427 |
-
|
|
|
65f427 |
-declare -a filegroups=()
|
|
|
65f427 |
-declare -a dirgroups=()
|
|
|
65f427 |
-for group in $(cat /etc/pesign/groups); do
|
|
|
65f427 |
- dirgroups[${#dirgroups[@]}]=-m
|
|
|
65f427 |
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
|
65f427 |
- filegroups[${#filegroups[@]}]=-m
|
|
|
65f427 |
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
|
65f427 |
-done
|
|
|
65f427 |
-
|
|
|
65f427 |
-update_subdir() {
|
|
|
65f427 |
- subdir=$1 && shift
|
|
|
65f427 |
|
|
|
65f427 |
- setfacl -bk "${subdir}"
|
|
|
65f427 |
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
|
65f427 |
- for x in "${subdir}"* ; do
|
|
|
65f427 |
- if [ -d "${x}" ]; then
|
|
|
65f427 |
- setfacl -bk ${x}
|
|
|
65f427 |
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
|
65f427 |
- update_subdir "${x}/"
|
|
|
65f427 |
- elif [ -e "${x}" ]; then
|
|
|
65f427 |
- setfacl -bk ${x}
|
|
|
65f427 |
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
|
65f427 |
- else
|
|
|
65f427 |
- :;
|
|
|
65f427 |
- fi
|
|
|
65f427 |
- done
|
|
|
65f427 |
-}
|
|
|
65f427 |
+# This script is deprecated and will be removed in a future release.
|
|
|
65f427 |
|
|
|
65f427 |
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
|
|
65f427 |
- if [ -d "${x}" ]; then
|
|
|
65f427 |
- update_subdir "${x}"
|
|
|
65f427 |
- else
|
|
|
65f427 |
- :;
|
|
|
65f427 |
- fi
|
|
|
65f427 |
+sleep 3
|
|
|
65f427 |
+for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
|
|
|
65f427 |
+ chown -R pesign:pesign "${x}" || true
|
|
|
65f427 |
+ chmod -R ug+rwX "${x}" || true
|
|
|
65f427 |
done
|