From 9a21d8128aa353ee31ba2c54c5abd23a6ae957aa Mon Sep 17 00:00:00 2001
From: Alexey Berezhok
Date: Wed, 24 Jan 2024 22:20:37 +0300
Subject: [PATCH] Added additonal check of backup file's owner
---
 ...icy-also-added-experimental-PAM-genera.patch | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
index edadc7e..4bae6dc 100644
--- a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
+++ b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
@@ -1,4 +1,4 @@
-From e5a68f54ac324d218e3b9575eb0a096c8905aaf9 Mon Sep 17 00:00:00 2001
+From 951bd751a2b30d2ada58468fd18f5f550d38e51b Mon Sep 17 00:00:00 2001
 From: Alexey Berezhok
 Date: Tue, 23 Jan 2024 23:01:57 +0300
 Subject: [PATCH] Added GOST policy also added experimental PAM generator
@@ -26,7 +26,7 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator
 python/policygenerators/auth.py | 36 +++++
 .../fedora-crypto-policies.code-workspace | 0
 python/policygenerators/openssl.py | 23 +++
- scripts/auth_apply.sh | 110 +++++++++++++
+ scripts/auth_apply.sh | 115 ++++++++++++++
 tests/alternative-policies/GOST-ONLY.pol | 30 ++++
 tests/alternative-policies/modules/GOST.pmod | 18 +++
 tests/gnutls.pl | 2 +-
@@ -104,7 +104,7 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator
 tests/outputs/GOST-ONLY-sequoia.txt | 51 ++++++
 tests/outputs/LEGACY-auth.txt | 0
 .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0
- 100 files changed, 1397 insertions(+), 10 deletions(-)
+ 100 files changed, 1402 insertions(+), 10 deletions(-)
 create mode 100644 authselect_policies/sssd_gost/README
 create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS
 create mode 100644 authselect_policies/sssd_gost/dconf-db
@@ -982,10 +982,10 @@ index 165a26b..75940d8 100644
 s += 'Options = RHNoEnforceEMSinFIPS\n'
 diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
 new file mode 100755
-index 0000000..ca5c3dc
+index 0000000..0fa7192
 --- /dev/null
 +++ b/scripts/auth_apply.sh
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,115 @@
 +#!/usr/bin/bash
 +# Скрипт настройки профиля authselect для crypto-policy
 +# Примеры запуска:
@@ -1062,7 +1062,12 @@ index 0000000..ca5c3dc
 +# данный снимок создается при профиля через crypto-policy
 +if [ "$EMPTY" = "1" ];then
 + if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then
-+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG"
++# Только root может восстанавливать конфигурацию из резервной копии
++# дабыизбежать подлога и восстановления файла, созданного пользователем
++ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK")
++ if [ "$OWNER_UID" = "0" ];then
++ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG"
++ fi
 + fi
 + if [ -z "$TEST" ];then
 + $AUTH_SELECT_APPLY
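Review bot: The ownership test added before the `mv` in the `[ -e "$PATH_TO_AUTH_SEL_BAK" ]` branch is a check-then-use on a path, and UID 0 alone does not show that the backup is trustworthy. `stat -c "%u"` does not follow symlinks while `-e` does, so a link and its target are judged differently, and a root-owned file that is group- or world-writable, or is not a regular file, still passes. If the directory holding `$PATH_TO_AUTH_SEL_BAK` (its value is set outside this hunk) is writable by non-root users, the entry can also be swapped between `stat` and `mv`; keeping the backup in a root-only directory closes that window, and the guard can be tightened with `[ -f "$PATH_TO_AUTH_SEL_BAK" ] && [ ! -L "$PATH_TO_AUTH_SEL_BAK" ]` plus a `stat -c '%u %a'` comparison that also rejects group/other write bits. When the check fails the script continues silently, so an `else` branch that writes a message to stderr would make a rejected backup visible to the administrator. The enclosing `if [ "$EMPTY" = "1" ]` block continues past the end of the hunk.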