parent
0aeab9f989
commit
34150a98ee
@ -1 +1 @@
|
|||||||
SOURCES/rpm-ostree-2023.7.tar.xz
|
SOURCES/rpm-ostree-2024.3.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
f1517a7a0d68d59b17694a8baadca6cf30739e7e SOURCES/rpm-ostree-2023.7.tar.xz
|
dc6e0ea9f33f162b5ca2d1ea1cb79ec7f9f7d71c SOURCES/rpm-ostree-2024.3.tar.xz
|
||||||
|
@ -0,0 +1,56 @@
|
|||||||
|
From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jonathan Lebon <jonathan@jlebon.com>
|
||||||
|
Date: Thu, 22 Feb 2024 14:44:50 -0500
|
||||||
|
Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe
|
||||||
|
|
||||||
|
This is sometimes used in scripts to query aspects of the host system.
|
||||||
|
E.g. this is used by Fedora's pkg-config:
|
||||||
|
|
||||||
|
https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6
|
||||||
|
|
||||||
|
This in turn gets hit by kdump which runs dracut which has modules that
|
||||||
|
runs `pkgconf` to query some directory paths.
|
||||||
|
---
|
||||||
|
rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++
|
||||||
|
1 file changed, 19 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs
|
||||||
|
index c6ed5901..3332f76c 100644
|
||||||
|
--- a/rust/src/cliwrap/rpm.rs
|
||||||
|
+++ b/rust/src/cliwrap/rpm.rs
|
||||||
|
@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command {
|
||||||
|
.long("version")
|
||||||
|
.action(clap::ArgAction::Version),
|
||||||
|
)
|
||||||
|
+ .arg(
|
||||||
|
+ Arg::new("eval")
|
||||||
|
+ .long("eval")
|
||||||
|
+ .short('E')
|
||||||
|
+ .action(clap::ArgAction::Set),
|
||||||
|
+ )
|
||||||
|
.arg(
|
||||||
|
Arg::new("package")
|
||||||
|
.help("package")
|
||||||
|
@@ -130,6 +136,19 @@ mod tests {
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
+ #[test]
|
||||||
|
+ fn test_eval() -> Result<()> {
|
||||||
|
+ assert_eq!(
|
||||||
|
+ disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?,
|
||||||
|
+ RunDisposition::Ok
|
||||||
|
+ );
|
||||||
|
+ assert_eq!(
|
||||||
|
+ disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?,
|
||||||
|
+ RunDisposition::Ok
|
||||||
|
+ );
|
||||||
|
+ Ok(())
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#[test]
|
||||||
|
fn test_query_file() -> Result<()> {
|
||||||
|
assert_eq!(
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
|
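Review bot: The second assertion in `test_eval` passes `"--eval=%{_target_cpu}}"`, which carries a stray closing brace. It still yields `RunDisposition::Ok`, presumably because `disposition` only classifies the arguments and never expands the macro, but the literal should read `"--eval=%{_target_cpu}"` so it matches the `-E` case above it. The new `Arg::new("eval")` entry in `new_rpm_app` (whose body starts and ends outside the hunk) also has no comment saying in what sense it is safe. Since rpm macro expansion can itself run shell or Lua snippets, a comment such as `// Read-only with respect to the rpmdb; the expression itself is not inspected` would keep later readers from treating "safe" as more than "does not mutate package state".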
@ -0,0 +1,83 @@
|
|||||||
|
From ef2638c1ffd77bc6fd9a80a92c965b06a8f284df Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jonathan Lebon <jonathan@jlebon.com>
|
||||||
|
Date: Tue, 19 Mar 2024 15:20:43 -0400
|
||||||
|
Subject: [PATCH 1/3] passwd: create `/etc/[g]shadow` with mode 0
|
||||||
|
|
||||||
|
Because of how our composes work, we need to manually inject
|
||||||
|
passwd-related things before installing packages. A somewhat recent
|
||||||
|
regression in that area made it so that the `/etc/shadow` and
|
||||||
|
`/etc/gshadow` files were created with default permissions (0644), which
|
||||||
|
meant they were world readable.
|
||||||
|
|
||||||
|
Fix this by explicitly setting their modes to 0. Ideally, we would rely
|
||||||
|
on the canonical permissions set in the `setup` package here, but it's
|
||||||
|
tricky to fix that without reworking how we install `setup` and handle
|
||||||
|
`passwd` treefile options.
|
||||||
|
|
||||||
|
Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
|
||||||
|
`etc/{passwd,group}`").
|
||||||
|
|
||||||
|
Fixes #4401
|
||||||
|
---
|
||||||
|
rust/src/passwd.rs | 14 ++++++++++++++
|
||||||
|
tests/compose/libbasic-test.sh | 5 +++++
|
||||||
|
2 files changed, 19 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
|
||||||
|
index 821497d8..a64f6468 100644
|
||||||
|
--- a/rust/src/passwd.rs
|
||||||
|
+++ b/rust/src/passwd.rs
|
||||||
|
@@ -418,6 +418,12 @@ fn write_data_from_treefile(
|
||||||
|
let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
|
||||||
|
let shadow_name = target.shadow_file();
|
||||||
|
let target_shadow_path = format!("{}{}", dest_path, shadow_name);
|
||||||
|
+ // Ideally these permissions come from `setup`, which is the package
|
||||||
|
+ // that owns these files:
|
||||||
|
+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
|
||||||
|
+ // But at this point of the compose, the rootfs is completely empty; we
|
||||||
|
+ // haven't started unpacking things yet. So we need to hardcode it here.
|
||||||
|
+ let shadow_perms = cap_std::fs::Permissions::from_mode(0);
|
||||||
|
|
||||||
|
match target {
|
||||||
|
PasswdKind::User => {
|
||||||
|
@@ -427,6 +433,10 @@ fn write_data_from_treefile(
|
||||||
|
for user in entries {
|
||||||
|
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
|
||||||
|
}
|
||||||
|
+ target_shadow
|
||||||
|
+ .get_mut()
|
||||||
|
+ .as_file_mut()
|
||||||
|
+ .set_permissions(shadow_perms)?;
|
||||||
|
Ok(())
|
||||||
|
})
|
||||||
|
.with_context(|| format!("Writing {target_shadow_path}"))?;
|
||||||
|
@@ -438,6 +448,10 @@ fn write_data_from_treefile(
|
||||||
|
for group in entries {
|
||||||
|
writeln!(target_shadow, "{}:::", group.name)?;
|
||||||
|
}
|
||||||
|
+ target_shadow
|
||||||
|
+ .get_mut()
|
||||||
|
+ .as_file_mut()
|
||||||
|
+ .set_permissions(shadow_perms)?;
|
||||||
|
Ok(())
|
||||||
|
})
|
||||||
|
.with_context(|| format!("Writing {target_shadow_path}"))?;
|
||||||
|
diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
|
||||||
|
index 78ad72b1..df790e89 100644
|
||||||
|
--- a/tests/compose/libbasic-test.sh
|
||||||
|
+++ b/tests/compose/libbasic-test.sh
|
||||||
|
@@ -22,6 +22,11 @@ validate_passwd group
|
||||||
|
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
|
||||||
|
assert_file_has_content_literal passwd.txt '00644 '
|
||||||
|
|
||||||
|
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
|
||||||
|
+assert_file_has_content_literal shadow.txt '00000 '
|
||||||
|
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
|
||||||
|
+assert_file_has_content_literal gshadow.txt '00000 '
|
||||||
|
+
|
||||||
|
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
|
||||||
|
assert_file_has_content_literal useradd.txt HOME=/var/home
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
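Review bot: In both arms of `match target` in `write_data_from_treefile`, the added `set_permissions(shadow_perms)` call runs after the `writeln!` loop, so the entries are written while the file still has the mode it was created with. The opening of the enclosing closure is outside the hunk; if it is an atomic temp-file replace, as `get_mut().as_file_mut()` suggests, nothing is exposed at the final path. Even so, moving `target_shadow.get_mut().as_file_mut().set_permissions(shadow_perms)?;` above the loop would make the restrictive mode hold before any content is written. The compose test pins `'00000 '` for `shadow` and `gshadow` only, so a short comment there stating that this is the regression check for the world-readable mode would help whoever next edits those assertions.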
@ -0,0 +1,79 @@
|
|||||||
|
From 715298d909551b7d6b42ee6f9c38675f22034dde Mon Sep 17 00:00:00 2001
|
||||||
|
From: jbtrystram <jbtrystram@redhat.com>
|
||||||
|
Date: Thu, 21 Mar 2024 17:27:21 +0100
|
||||||
|
Subject: [PATCH 2/3] unit: chmod /etc/[g]shadow[-] to 0000
|
||||||
|
|
||||||
|
fdb879c introduced a regression where /etc/[g]shadow[-] files where
|
||||||
|
created with default permissions: 0644
|
||||||
|
|
||||||
|
This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
|
||||||
|
before interactive login is allowed on a system.
|
||||||
|
|
||||||
|
This will fix the systems that were deployed with the above issue.
|
||||||
|
|
||||||
|
We keep the stamp in /etc to account for the case where a deployment
|
||||||
|
with this unit is rolled back. If we used /var, the stamp would have
|
||||||
|
stayed but the fix would not be re-applied on the next update.
|
||||||
|
---
|
||||||
|
Makefile-daemon.am | 1 +
|
||||||
|
packaging/rpm-ostree.spec.in | 5 +++++
|
||||||
|
src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
|
||||||
|
3 files changed, 25 insertions(+)
|
||||||
|
create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
|
||||||
|
diff --git a/Makefile-daemon.am b/Makefile-daemon.am
|
||||||
|
index 4233d90d..f96f49a9 100644
|
||||||
|
--- a/Makefile-daemon.am
|
||||||
|
+++ b/Makefile-daemon.am
|
||||||
|
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
|
||||||
|
rpm-ostreed-automatic.service \
|
||||||
|
rpm-ostree-bootstatus.service \
|
||||||
|
rpm-ostree-countme.service \
|
||||||
|
+ rpm-ostree-fix-shadow-mode.service \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
|
||||||
|
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
|
||||||
|
index e83db7f3..cbe3e031 100644
|
||||||
|
--- a/packaging/rpm-ostree.spec.in
|
||||||
|
+++ b/packaging/rpm-ostree.spec.in
|
||||||
|
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
|
||||||
|
# Setup rpm-ostree-countme.timer according to presets
|
||||||
|
%post
|
||||||
|
%systemd_post rpm-ostree-countme.timer
|
||||||
|
+# Only enable on rpm-ostree based systems and manually force unit enablement to
|
||||||
|
+# explicitly ignore presets for this security fix
|
||||||
|
+if [ -e /run/ostree-booted ]; then
|
||||||
|
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
|
||||||
|
+fi
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun rpm-ostree-countme.timer
|
||||||
|
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..4aea7462
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
@@ -0,0 +1,19 @@
|
||||||
|
+[Unit]
|
||||||
|
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
|
||||||
|
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
|
||||||
|
+Description=Update permissions for /etc/shadow
|
||||||
|
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
|
||||||
|
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
|
||||||
|
+ConditionPathExists=/run/ostree-booted
|
||||||
|
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
|
||||||
|
+Before=systemd-user-sessions.service
|
||||||
|
+
|
||||||
|
+[Service]
|
||||||
|
+Type=oneshot
|
||||||
|
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
|
||||||
|
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
|
||||||
|
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
|
||||||
|
+RemainAfterExit=yes
|
||||||
|
+
|
||||||
|
+[Install]
|
||||||
|
+WantedBy=multi-user.target
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
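Review bot: The `%post` scriptlet creates the `multi-user.target.wants/` symlink by hand, and nothing visible in this hunk removes it again. `%preun` as shown only handles `rpm-ostree-countme.timer`, so the link would presumably be left dangling once the package is removed; the scriptlets continue outside the hunk, so this is inferred. A matching cleanup in `%postun`, e.g. `[ "$1" -eq 0 ] && rm -f /usr/lib/systemd/system/multi-user.target.wants/rpm-ostree-fix-shadow-mode.service`, would keep the forced enablement symmetric. In the unit itself, `Description=Update permissions for /etc/shadow` understates what the `ExecStart` lines do; `Description=Fix permissions of /etc/shadow, /etc/gshadow and their backup copies` would match.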
@ -0,0 +1,314 @@
|
|||||||
|
From 1ec5618144e2d5e76caedba9cdcddb2d7ca1d8f7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Fri, 12 Apr 2024 12:59:54 -0400
|
||||||
|
Subject: [PATCH 3/3] shadow: Adjust all deployments
|
||||||
|
|
||||||
|
It was pointed out that in the previous change here we missed
|
||||||
|
the fact that the previous deployments were accessible.
|
||||||
|
|
||||||
|
- Move the logic into Rust, adding unit tests
|
||||||
|
- Change the code to iterate over all deployments
|
||||||
|
- Add an integration test too
|
||||||
|
|
||||||
|
Note: A likely future enhancement here will be to finally
|
||||||
|
deny unprivileged access to non-default roots; cc
|
||||||
|
https://github.com/ostreedev/ostree/issues/3211
|
||||||
|
---
|
||||||
|
rust/src/lib.rs | 2 +-
|
||||||
|
rust/src/main.rs | 1 +
|
||||||
|
rust/src/passwd.rs | 124 ++++++++++++++++++
|
||||||
|
src/daemon/rpm-ostree-fix-shadow-mode.service | 12 +-
|
||||||
|
tests/kolainst/destructive/shadow | 80 +++++++++++
|
||||||
|
5 files changed, 214 insertions(+), 5 deletions(-)
|
||||||
|
create mode 100755 tests/kolainst/destructive/shadow
|
||||||
|
|
||||||
|
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
|
||||||
|
index e244158b..a65e669b 100644
|
||||||
|
--- a/rust/src/lib.rs
|
||||||
|
+++ b/rust/src/lib.rs
|
||||||
|
@@ -979,7 +979,7 @@ mod normalization;
|
||||||
|
mod origin;
|
||||||
|
mod ostree_prepareroot;
|
||||||
|
pub(crate) use self::origin::*;
|
||||||
|
-mod passwd;
|
||||||
|
+pub mod passwd;
|
||||||
|
use passwd::*;
|
||||||
|
mod console_progress;
|
||||||
|
pub(crate) use self::console_progress::*;
|
||||||
|
diff --git a/rust/src/main.rs b/rust/src/main.rs
|
||||||
|
index 5a3c04d0..bf10d45d 100644
|
||||||
|
--- a/rust/src/main.rs
|
||||||
|
+++ b/rust/src/main.rs
|
||||||
|
@@ -28,6 +28,7 @@ async fn inner_async_main(args: Vec<String>) -> Result<i32> {
|
||||||
|
match *arg {
|
||||||
|
// Add custom Rust commands here, and also in `libmain.cxx` if user-visible.
|
||||||
|
"countme" => rpmostree_rust::countme::entrypoint(args).map(|_| 0),
|
||||||
|
+ "fix-shadow-perms" => rpmostree_rust::passwd::fix_shadow_perms_entrypoint(args).map(|_| 0),
|
||||||
|
"cliwrap" => rpmostree_rust::cliwrap::entrypoint(args).map(|_| 0),
|
||||||
|
// A hidden wrapper to intercept some binaries in RPM scriptlets.
|
||||||
|
"scriptlet-intercept" => builtins::scriptlet_intercept::entrypoint(args).map(|_| 0),
|
||||||
|
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
|
||||||
|
index a64f6468..f0a6da31 100644
|
||||||
|
--- a/rust/src/passwd.rs
|
||||||
|
+++ b/rust/src/passwd.rs
|
||||||
|
@@ -30,6 +30,10 @@ const DEFAULT_MODE: u32 = 0o644;
|
||||||
|
static DEFAULT_PERMS: Lazy<Permissions> = Lazy::new(|| Permissions::from_mode(DEFAULT_MODE));
|
||||||
|
static PWGRP_SHADOW_FILES: &[&str] = &["shadow", "gshadow", "subuid", "subgid"];
|
||||||
|
static USRLIB_PWGRP_FILES: &[&str] = &["passwd", "group"];
|
||||||
|
+// This stamp file signals the original fix which only changed the booted deployment
|
||||||
|
+const SHADOW_MODE_FIXED_STAMP_OLD: &str = "etc/.rpm-ostree-shadow-mode-fixed.stamp";
|
||||||
|
+// And this one is written by the newer logic that changes all deployments
|
||||||
|
+const SHADOW_MODE_FIXED_STAMP: &str = "etc/.rpm-ostree-shadow-mode-fixed2.stamp";
|
||||||
|
|
||||||
|
// Lock/backup files that should not be in the base commit (TODO fix).
|
||||||
|
static PWGRP_LOCK_AND_BACKUP_FILES: &[&str] = &[
|
||||||
|
@@ -363,6 +367,86 @@ impl PasswdKind {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+/// Due to a prior bug, the build system had some deployments with a world-readable
|
||||||
|
+/// shadow file. This fixes a given deployment.
|
||||||
|
+#[context("Fixing shadow permissions")]
|
||||||
|
+pub(crate) fn fix_shadow_perms_in_root(root: &Dir) -> Result<bool> {
|
||||||
|
+ let zero_perms = Permissions::from_mode(0);
|
||||||
|
+ let mut changed = false;
|
||||||
|
+ for path in ["etc/shadow", "etc/shadow-", "etc/gshadow", "etc/gshadow-"] {
|
||||||
|
+ let metadata = if let Some(meta) = root
|
||||||
|
+ .symlink_metadata_optional(path)
|
||||||
|
+ .context("Querying metadata")?
|
||||||
|
+ {
|
||||||
|
+ meta
|
||||||
|
+ } else {
|
||||||
|
+ tracing::debug!("No path {path}");
|
||||||
|
+ continue;
|
||||||
|
+ };
|
||||||
|
+ let mode = metadata.mode() & !libc::S_IFMT;
|
||||||
|
+ // Don't touch the file if it's already correct
|
||||||
|
+ if mode == 0 {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ let f = root.open(path).with_context(|| format!("Opening {path}"))?;
|
||||||
|
+ f.set_permissions(zero_perms.clone())
|
||||||
|
+ .with_context(|| format!("chmod: {path}"))?;
|
||||||
|
+ println!("Adjusted mode for {path}");
|
||||||
|
+ changed = true;
|
||||||
|
+ }
|
||||||
|
+ // Write our stamp file
|
||||||
|
+ root.write(SHADOW_MODE_FIXED_STAMP, "")
|
||||||
|
+ .context(SHADOW_MODE_FIXED_STAMP)?;
|
||||||
|
+ // And clean up the old one
|
||||||
|
+ root.remove_file_optional(SHADOW_MODE_FIXED_STAMP_OLD)
|
||||||
|
+ .with_context(|| format!("Removing old {SHADOW_MODE_FIXED_STAMP_OLD}"))?;
|
||||||
|
+ Ok(changed)
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/// Due to a prior bug, the build system had some deployments with a world-readable
|
||||||
|
+/// shadow file. This fixes all deployments.
|
||||||
|
+pub(crate) fn fix_shadow_perms_in_sysroot(sysroot: &ostree::Sysroot) -> Result<bool> {
|
||||||
|
+ let deployments = sysroot.deployments();
|
||||||
|
+ // TODO add a nicer api for this to ostree-rs
|
||||||
|
+ let sysroot_fd =
|
||||||
|
+ Dir::reopen_dir(unsafe { &std::os::fd::BorrowedFd::borrow_raw(sysroot.fd()) })?;
|
||||||
|
+ let mut changed = false;
|
||||||
|
+ for deployment in deployments {
|
||||||
|
+ let path = sysroot.deployment_dirpath(&deployment);
|
||||||
|
+ let dir = sysroot_fd.open_dir(&path)?;
|
||||||
|
+ if fix_shadow_perms_in_root(&dir)
|
||||||
|
+ .with_context(|| format!("Deployment index={}", deployment.index()))?
|
||||||
|
+ {
|
||||||
|
+ println!(
|
||||||
|
+ "Adjusted shadow files in deployment index={} {}.{}",
|
||||||
|
+ deployment.index(),
|
||||||
|
+ deployment.csum(),
|
||||||
|
+ deployment.bootserial()
|
||||||
|
+ );
|
||||||
|
+ changed = true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ Ok(changed)
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/// The main entrypoint for updating /etc/{,g}shadow permissions across
|
||||||
|
+/// all deployments.
|
||||||
|
+pub fn fix_shadow_perms_entrypoint(_args: &[&str]) -> Result<()> {
|
||||||
|
+ let cancellable = gio::Cancellable::NONE;
|
||||||
|
+ let sysroot = ostree::Sysroot::new_default();
|
||||||
|
+ sysroot.set_mount_namespace_in_use();
|
||||||
|
+ sysroot.lock()?;
|
||||||
|
+ sysroot.load(cancellable)?;
|
||||||
|
+ let changed = fix_shadow_perms_in_sysroot(&sysroot)?;
|
||||||
|
+ if changed {
|
||||||
|
+ // We already printed per deployment, so this one is just
|
||||||
|
+ // a debug-level log.
|
||||||
|
+ tracing::debug!("Updated shadow/gshadow permissions");
|
||||||
|
+ }
|
||||||
|
+ sysroot.unlock();
|
||||||
|
+ Ok(())
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
// This function writes the static passwd/group data from the treefile to the
|
||||||
|
// target root filesystem.
|
||||||
|
fn write_data_from_treefile(
|
||||||
|
@@ -1070,3 +1154,43 @@ impl PasswdEntries {
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+#[test]
|
||||||
|
+fn test_shadow_perms() -> Result<()> {
|
||||||
|
+ let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?;
|
||||||
|
+ root.create_dir("etc")?;
|
||||||
|
+ root.write("etc/shadow", "some shadow")?;
|
||||||
|
+ root.write("etc/gshadow", "some gshadow")?;
|
||||||
|
+ root.set_permissions("etc/gshadow", Permissions::from_mode(0))?;
|
||||||
|
+
|
||||||
|
+ assert!(fix_shadow_perms_in_root(root)?);
|
||||||
|
+ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
|
||||||
|
+ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
|
||||||
|
+ // Verify idempotence
|
||||||
|
+ assert!(!fix_shadow_perms_in_root(root)?);
|
||||||
|
+ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
|
||||||
|
+ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
|
||||||
|
+
|
||||||
|
+ Ok(())
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#[test]
|
||||||
|
+/// Verify the scenario of updating from a previously fixed root
|
||||||
|
+fn test_shadow_perms_from_orig_fix() -> Result<()> {
|
||||||
|
+ let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?;
|
||||||
|
+ root.create_dir("etc")?;
|
||||||
|
+ root.write("etc/shadow", "some shadow")?;
|
||||||
|
+ root.set_permissions("etc/shadow", Permissions::from_mode(0))?;
|
||||||
|
+ root.write("etc/gshadow", "some gshadow")?;
|
||||||
|
+ root.set_permissions("etc/gshadow", Permissions::from_mode(0))?;
|
||||||
|
+ // Write the original stamp file
|
||||||
|
+ root.write(SHADOW_MODE_FIXED_STAMP_OLD, "")?;
|
||||||
|
+
|
||||||
|
+ // No changes
|
||||||
|
+ assert!(!fix_shadow_perms_in_root(root)?);
|
||||||
|
+ // Except we should have updated to the new stamp file
|
||||||
|
+ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
|
||||||
|
+ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
|
||||||
|
+
|
||||||
|
+ Ok(())
|
||||||
|
+}
|
||||||
|
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
index 4aea7462..121bc74e 100644
|
||||||
|
--- a/src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
|
||||||
|
@@ -3,17 +3,21 @@
|
||||||
|
# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
|
||||||
|
Description=Update permissions for /etc/shadow
|
||||||
|
Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
|
||||||
|
-ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
|
||||||
|
+# This new stamp file is written by the Rust code, and obsoletes
|
||||||
|
+# the old /etc/.rpm-ostree-shadow-mode-fixed.stamp
|
||||||
|
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp
|
||||||
|
ConditionPathExists=/run/ostree-booted
|
||||||
|
+# Because we read the sysroot
|
||||||
|
+RequiresMountsFor=/boot
|
||||||
|
# Make sure this is started before any unprivileged (interactive) user has access to the system.
|
||||||
|
Before=systemd-user-sessions.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
-ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
|
||||||
|
-ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
|
||||||
|
-ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
|
||||||
|
+ExecStart=rpm-ostree fix-shadow-perms
|
||||||
|
RemainAfterExit=yes
|
||||||
|
+# So we can remount /sysroot writable in our own namespace
|
||||||
|
+MountFlags=slave
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
diff --git a/tests/kolainst/destructive/shadow b/tests/kolainst/destructive/shadow
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..7caf84c0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/kolainst/destructive/shadow
|
||||||
|
@@ -0,0 +1,80 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+#
|
||||||
|
+# Copyright (C) 2024 Red Hat Inc.
|
||||||
|
+#
|
||||||
|
+# This library is free software; you can redistribute it and/or
|
||||||
|
+# modify it under the terms of the GNU Lesser General Public
|
||||||
|
+# License as published by the Free Software Foundation; either
|
||||||
|
+# version 2 of the License, or (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This library is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+# Lesser General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU Lesser General Public
|
||||||
|
+# License along with this library; if not, write to the
|
||||||
|
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
||||||
|
+# Boston, MA 02111-1307, USA.
|
||||||
|
+
|
||||||
|
+set -euo pipefail
|
||||||
|
+
|
||||||
|
+. ${KOLA_EXT_DATA}/libtest.sh
|
||||||
|
+
|
||||||
|
+set -x
|
||||||
|
+
|
||||||
|
+cd $(mktemp -d)
|
||||||
|
+
|
||||||
|
+service=rpm-ostree-fix-shadow-mode.service
|
||||||
|
+stamp=/etc/.rpm-ostree-shadow-mode-fixed2.stamp
|
||||||
|
+
|
||||||
|
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
|
||||||
|
+"")
|
||||||
|
+
|
||||||
|
+libtest_prepare_fully_offline
|
||||||
|
+libtest_enable_repover 0
|
||||||
|
+
|
||||||
|
+systemctl status ${service} || true
|
||||||
|
+rm -vf /etc/.rpm-ostree-shadow-mode*
|
||||||
|
+chmod 0644 /etc/gshadow
|
||||||
|
+
|
||||||
|
+# Verify running the service once fixes things
|
||||||
|
+systemctl restart $service
|
||||||
|
+assert_has_file "${stamp}"
|
||||||
|
+assert_streq "$(stat -c '%f' /etc/gshadow)" 8000
|
||||||
|
+
|
||||||
|
+# Now *undo* the fix, so that the current (then old) deployment
|
||||||
|
+# is broken still, and ensure after reboot that it's fixed
|
||||||
|
+# in both.
|
||||||
|
+
|
||||||
|
+chmod 0644 /etc/gshadow
|
||||||
|
+rm -vf /etc/.rpm-ostree*
|
||||||
|
+
|
||||||
|
+booted_commit=$(rpm-ostree status --json | jq -r '.deployments[0].checksum')
|
||||||
|
+ostree refs ${booted_commit} --create vmcheck2
|
||||||
|
+rpm-ostree rebase :vmcheck2
|
||||||
|
+
|
||||||
|
+/tmp/autopkgtest-reboot "1"
|
||||||
|
+;;
|
||||||
|
+"1")
|
||||||
|
+
|
||||||
|
+systemctl status $service
|
||||||
|
+assert_has_file "${stamp}"
|
||||||
|
+
|
||||||
|
+verified=0
|
||||||
|
+for f in $(ls /ostree/deploy/*/deploy/*/etc/{,g}shadow{,-}); do
|
||||||
|
+ verified=$(($verified + 1))
|
||||||
|
+ assert_streq "$(stat -c '%f' $f)" 8000
|
||||||
|
+ echo "ok ${f}"
|
||||||
|
+done
|
||||||
|
+assert_streq "$verified" 8
|
||||||
|
+
|
||||||
|
+journalctl -b -u $service --grep="Adjusted shadow files in deployment" | tee out.txt
|
||||||
|
+assert_streq "$(wc -l < out.txt)" 2
|
||||||
|
+
|
||||||
|
+echo "ok shadow"
|
||||||
|
+
|
||||||
|
+;;
|
||||||
|
+*) echo "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}"; exit 1;;
|
||||||
|
+
|
||||||
|
+esac
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
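Review bot: In `fix_shadow_perms_in_root` the mode is read with `symlink_metadata_optional`, which does not follow symlinks, but the file is then reopened by path with `root.open(path)`. A path that is a symlink or other non-regular file would therefore report a non-zero mode, and whatever `open` resolves to would be set to mode 0. The `Dir` handle should keep that resolution inside the deployment root and `/etc` is presumably writable by root only, but a guard such as `if !metadata.is_file() { continue; }` before the mode comparison would make the intent explicit. Separately, in `fix_shadow_perms_entrypoint` the `?` on `sysroot.load(cancellable)` and on `fix_shadow_perms_in_sysroot(&sysroot)` returns before `sysroot.unlock()` is reached, so error paths rely on process exit to drop the lock. The `unsafe` `borrow_raw(sysroot.fd())` in `fix_shadow_perms_in_sysroot` also has no `// SAFETY:` comment stating that `sysroot` outlives the borrowed descriptor.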