File pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch of Package pesign.31455

From c530ff9bf7f5532c0c3007d950c9a6e42e1c907e Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 10:13:01 +0800
Subject: [PATCH] Use normal file permissions instead of ACLs

Fixes a symlink attack that can't be mitigated using getfacl/setfacl

Use pesign-authorize from upstream d8a8c259994d0278c59b30b41758a8dd0abff998
---
 src/Makefile                |  3 +--
 src/pesign-authorize        | 13 +++++++++++++
 src/pesign-authorize-groups | 30 ------------------------------
 src/pesign-authorize-users  | 30 ------------------------------
 src/pesign.service.in       |  3 +--
 src/pesign.sysvinit.in      |  3 +--
 6 files changed, 16 insertions(+), 66 deletions(-)
 create mode 100644 src/pesign-authorize
 delete mode 100644 src/pesign-authorize-groups
 delete mode 100644 src/pesign-authorize-users

diff --git a/src/Makefile b/src/Makefile
index 8a82f52..e183fd3 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -88,8 +88,7 @@ install :
 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
-	$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
-	$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
 	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
 	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
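Review bot: The context lines just below the change still install empty `/etc/pesign/users` and `/etc/pesign/groups`, but this patch deletes the two scripts that read them, and the replacement `pesign-authorize` never opens either file. An administrator who edits those lists would reasonably expect them to control who can reach the signing socket, whereas access is now decided only by `pesign` ownership and group membership. If nothing outside this patch consumes them, drop both `$(INSTALL) -m 600 /dev/null …` lines, or at least add a comment such as `# legacy: no longer consulted; access is granted via the pesign group`. The `install` recipe starts above this hunk, so other consumers cannot be ruled out from here.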
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100644
index 0000000..c986b02
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+set -u
+
+# License: GPLv2
+
+# This script is deprecated and will be removed in a future release.
+
+sleep 3
+for x in /run/pesign/ /etc/pki/pesign/ ; do
+	chown -R pesign:pesign "${x}" || true
+	chmod -R ug+rwX "${x}" || true
+done
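Review bot: Both `chown -R` and `chmod -R` end in `|| true`, so despite `set -e` the script exits 0 when the ownership or mode change fails, and the service reports a clean start with the socket and key database left as they were. Logging the failure keeps the best-effort behaviour but leaves a trace, e.g. `chown -R pesign:pesign "${x}" || echo "pesign-authorize: chown failed on ${x}" >&2`, and likewise for `chmod`. The fixed `sleep 3` is a timing guess about when the daemon has created its socket; a slower start would leave the socket untouched, again without any message. Because the script recurses (presumably as root, from `ExecStartPost`) over trees that it makes writable for the `pesign` account, I would also spell out `chown -h` so that not following symlinks does not depend on the chown implementation's default under `-R`.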
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index 5d3e050..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
-    for group in $(cat /etc/pesign/groups); do
-	if [ -d /run/pesign ]; then
-	    setfacl -m g:${group}:rx /run/pesign
-	    if [ -e /run/pesign/socket ]; then
-		setfacl -m g:${group}:rw /run/pesign/socket
-	    fi
-	fi
-	for x in /etc/pki/pesign* ; do
-	    if [ -d ${x} ]; then
-		setfacl -m g:${group}:rx /etc/pki/pesign
-		for y in ${x}/{cert8,key3,secmod}.db ; do
-		    setfacl -m g:${group}:rw ${y}
-		done
-	    fi
-	done
-    done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index dceed3c..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
-    for username in $(cat /etc/pesign/users); do
-	if [ -d /run/pesign ]; then
-	    setfacl -m g:${username}:rx /run/pesign
-	    if [ -e /run/pesign/socket ]; then
-		setfacl -m g:${username}:rw /run/pesign/socket
-	    fi
-	fi
-	for x in /etc/pki/pesign* ; do
-	    if [ -d ${x} ]; then
-		setfacl -m g:${username}:rx /etc/pki/pesign
-		for y in ${x}/{cert8,key3,secmod}.db ; do
-		    setfacl -m g:${username}:rw ${y}
-		done
-	    fi
-	done
-    done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index e1c2282..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
 Type=forking
 PIDFile=/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index 5459723..95d378d 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
     RETVAL=$?
     echo
     touch /var/lock/subsys/pesign
-    @@LIBEXECDIR@@/pesign/pesign-authorize-users
-    @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+    @@LIBEXECDIR@@/pesign/pesign-authorize
 }
 
 stop(){
-- 
2.35.3
