File 0009-tools-Use-install-instead-of-touch-chown-combination.patch of Package frr.26974
From 0ae08fe4d50c010ebea332758100f9861b74faa0 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Mon, 10 Oct 2022 18:27:59 +0300
References: bsc#1204124,CVE-2022-42917
Upstream: yes
Subject: [PATCH 1/2] tools: Use `install` instead of `touch/chown` combination
touch + chown can have a gap between the commands (or the second one can fail).
This could lead to unexpected permissions (root, instead of frr) for some
.conf files or directories.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/tools/frr.in b/tools/frr.in
index 40862aa4c9..b1de179b48 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -53,13 +53,6 @@ vtyfile()
 	echo "$V_PATH/$1.vty"
 }
 
-chownfrr()
-{
-	test -n "$FRR_USER" && chown "$FRR_USER" "$1"
-	test -n "$FRR_GROUP" && chgrp "$FRR_GROUP" "$1"
-	test -n "$FRR_CONFIG_MODE" && chmod "$FRR_CONFIG_MODE" "$1"
-}
-
 # Check if daemon is started by using the pidfile.
 started()
 {
@@ -103,12 +96,10 @@ check_daemon()
 		# check for config file
 		if [ -n "$2" ]; then
 			if [ ! -r "$C_PATH/$1-$2.conf" ]; then
-				touch "$C_PATH/$1-$2.conf"
-				chownfrr "$C_PATH/$1-$2.conf"
+				install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
 			fi
 		elif [ ! -r "$C_PATH/$1.conf" ]; then
-			touch "$C_PATH/$1.conf"
-			chownfrr "$C_PATH/$1.conf"
+			install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
 		fi
 	fi
 	return 0
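Review bot: The new `install` lines at L36 and L41 no longer tolerate an unset FRR_USER, FRR_GROUP or FRR_CONFIG_MODE: the removed chownfrr() skipped each step under `test -n`, whereas `install -g "" -o "" -m ""` is rejected by install, the config file is then not created at all, and since the status is unchecked the function still falls through to `return 0`. If the sourced defaults guarantee those variables are set this is harmless, but otherwise I would either assert them before the call, `: "${FRR_USER:?}" "${FRR_GROUP:?}" "${FRR_CONFIG_MODE:?}"`, or at least surface the failure with `install ... "$C_PATH/$1-$2.conf" || return 1` (if callers treat a non-zero status as a failed check). The same applies to the daemon_prep hunk in tools/frrcommon.sh.in and to both `-d` hunks. check_daemon's body starts outside the hunk.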
@@ -533,9 +524,8 @@ convert_daemon_prios
 
 if [ ! -d $V_PATH ]; then
 	echo "Creating $V_PATH"
-	mkdir -p $V_PATH
-	chownfrr $V_PATH
-	chmod 755 /$V_PATH
+	install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d /proc "$V_PATH"
+	chmod gu+x "${V_PATH}"
 fi
 
 if [ -n "$3" ] && [ "$3" != "all" ]; then
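Review bot: `/proc` in the new `install -d` line at L52 is not a source operand: with `-d` every operand is a directory to create and to apply `-o/-g/-m` to, so the command also tries to chown/chmod /proc (procfs refuses at least the chmod on Linux, so install exits non-zero even when `$V_PATH` itself was created). It looks like a leftover of the `/dev/null` source used in the file form and should be dropped: `install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"`. Note also that the directory mode now derives from a file mode plus `gu+x`, so `other` loses the access the old `chmod 755` granted; presumably an intended tightening, but worth confirming that nothing outside the frr user/group needs to traverse `$V_PATH`. The same applies to the daemon_start hunk in tools/frrcommon.sh.in, whose body continues outside its hunk.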
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 9dc8cea609..62fde00394 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -51,12 +51,6 @@ debug() {
 	printf '\n' >&2
 }
 
-chownfrr() {
-	[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
-	[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
-	[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
-}
-
 vtysh_b () {
 	[ "$1" = "watchfrr" ] && return 0
 	[ -r "$C_PATH/frr.conf" ] || return 0
@@ -132,8 +126,7 @@ daemon_prep() {
 
 	cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
 	if [ ! -r "$cfg" ]; then
-		touch "$cfg"
-		chownfrr "$cfg"
+		install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
 	fi
 	return 0
 }
@@ -145,8 +138,8 @@ daemon_start() {
 	ulimit -n $MAX_FDS > /dev/null 2> /dev/null
 	daemon_prep "$daemon" "$inst" || return 1
 	if test ! -d "$V_PATH"; then
-		mkdir -p "$V_PATH"
-		chown frr "$V_PATH"
+		install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d /proc "$V_PATH"
+		chmod gu+x "${V_PATH}"
 	fi
 
 	eval wrap="\$${daemon}_wrap"
-- 
2.35.3