You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
83 lines
2.3 KiB
83 lines
2.3 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Wed, 18 Jan 2023 14:00:22 -0500
|
|
Subject: [PATCH] Use normal file permissions instead of ACLs
|
|
|
|
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
|
|
|
|
pesign-authorize is now deprecated and will be removed in a future
|
|
release.
|
|
|
|
Resolves: CVE-2022-3560
|
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
|
|
---
|
|
src/pesign-authorize | 53 +++++-----------------------------------------------
|
|
1 file changed, 5 insertions(+), 48 deletions(-)
|
|
|
|
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
index 83a30cd..b4e89e0 100755
|
|
--- a/src/pesign-authorize
|
|
+++ b/src/pesign-authorize
|
|
@@ -2,55 +2,12 @@
|
|
set -e
|
|
set -u
|
|
|
|
-#
|
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
-# acls for specific users is useful
|
|
-#
|
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
-#
|
|
-
|
|
# License: GPLv2
|
|
-declare -a fileusers=()
|
|
-declare -a dirusers=()
|
|
-for user in $(cat /etc/pesign/users); do
|
|
- dirusers[${#dirusers[@]}]=-m
|
|
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
- fileusers[${#fileusers[@]}]=-m
|
|
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
-done
|
|
-
|
|
-declare -a filegroups=()
|
|
-declare -a dirgroups=()
|
|
-for group in $(cat /etc/pesign/groups); do
|
|
- dirgroups[${#dirgroups[@]}]=-m
|
|
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
- filegroups[${#filegroups[@]}]=-m
|
|
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
-done
|
|
-
|
|
-update_subdir() {
|
|
- subdir=$1 && shift
|
|
|
|
- setfacl -bk "${subdir}"
|
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
- for x in "${subdir}"* ; do
|
|
- if [ -d "${x}" ]; then
|
|
- setfacl -bk ${x}
|
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
- update_subdir "${x}/"
|
|
- elif [ -e "${x}" ]; then
|
|
- setfacl -bk ${x}
|
|
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
- else
|
|
- :;
|
|
- fi
|
|
- done
|
|
-}
|
|
+# This script is deprecated and will be removed in a future release.
|
|
|
|
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
|
- if [ -d "${x}" ]; then
|
|
- update_subdir "${x}"
|
|
- else
|
|
- :;
|
|
- fi
|
|
+sleep 3
|
|
+for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
|
|
+ chown -R pesign:pesign "${x}" || true
|
|
+ chmod -R ug+rwX "${x}" || true
|
|
done
|