File pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch of Package pesign.31455
From c530ff9bf7f5532c0c3007d950c9a6e42e1c907e Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 10:13:01 +0800
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl
Use pesign-authorize from upstream d8a8c259994d0278c59b30b41758a8dd0abff998
---
src/Makefile | 3 +--
src/pesign-authorize | 13 +++++++++++++
src/pesign-authorize-groups | 30 ------------------------------
src/pesign-authorize-users | 30 ------------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 16 insertions(+), 66 deletions(-)
create mode 100644 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 8a82f52..e183fd3 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -88,8 +88,7 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100644
index 0000000..c986b02
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+set -u
+
+# License: GPLv2
+
+# This script is deprecated and will be removed in a future release.
+
+sleep 3
+for x in /run/pesign/ /etc/pki/pesign/ ; do
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index 5d3e050..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /run/pesign ]; then
- setfacl -m g:${group}:rx /run/pesign
- if [ -e /run/pesign/socket ]; then
- setfacl -m g:${group}:rw /run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign* ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index dceed3c..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /run/pesign ]; then
- setfacl -m g:${username}:rx /run/pesign
- if [ -e /run/pesign/socket ]; then
- setfacl -m g:${username}:rw /run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign* ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index e1c2282..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index 5459723..95d378d 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.35.3