PR#12: Properly drop priviledges for remote command - rpms/cpio

rpms / cpio

#12 Properly drop priviledges for remote command

Merged 3 years ago by praiskup. Opened 3 years ago by odubaj.

rpms/ odubaj/cpio main into rawhide

Properly drop priviledges for remote command

Ondrej Dubaj • 3 years ago

b4d8ec4

cpio-2.13-reset-gid-uid.patch

file added

+63

		`@@ -0,0 +1,63 @@`
		`+ From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001`
		`+ From: Ondrej Dubaj <odubaj@redhat.com>`
		`+ Date: Thu, 18 Feb 2021 09:59:31 +0100`
		`+ Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove. Not used anymore.`
		`+ (sys_reset_uid_gid): Re-initialize supplementary groups when switching`
		`+ privileges. Fix ordering of setgid and setuid calls.`
		`+`
		`+ ---`
		`+ lib/system.h \| 32 +++++++++++++++++++++++++-------`
		`+ 1 file changed, 25 insertions(+), 7 deletions(-)`
		`+`
		`+ diff --git a/lib/system.h b/lib/system.h`
		`+ index 1c1a5d0..4fd3ce9 100644`
		`+ --- a/lib/system.h`
		`+ +++ b/lib/system.h`
		`+ @@ -470,19 +470,37 @@ char *getenv ();`
		`+ #if MSDOS`
		`+ # include <process.h>`
		`+ # define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)`
		`+ -# define ERRNO_IS_EACCES errno == EACCES`
		`+ # define mkdir(file, mode) (mkdir) (file)`
		`+ # define TTY_NAME "con"`
		`+ # define sys_reset_uid_gid()`
		`+ #else`
		`+ # define SET_BINARY_MODE(arc)`
		`+ -# define ERRNO_IS_EACCES 0`
		`+ # define TTY_NAME "/dev/tty"`
		`+ -# define sys_reset_uid_gid() \`
		`+ - do { \`
		`+ - if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \`
		`+ - abort (); \`
		`+ - } while (0)`
		`+ +# include <paxlib.h>`
		`+ +static inline void`
		`+ +sys_reset_uid_gid (void)`
		`+ +{`
		`+ + struct passwd *pw;`
		`+ + uid_t uid = getuid ();`
		`+ + gid_t gid = getgid ();`
		`+ +`
		`+ + if ((pw = getpwuid (uid)) == NULL)`
		`+ + {`
		`+ + FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));`
		`+ + }`
		`+ + if (initgroups (pw->pw_name, getgid ()))`
		`+ + {`
		`+ + FATAL_ERROR ((0, errno, "%s", "initgroups"));`
		`+ + }`
		`+ + if (gid != getegid () && setgid (gid) && errno != EPERM)`
		`+ + {`
		`+ + FATAL_ERROR ((0, errno, "%s", "setgid"));`
		`+ + }`
		`+ + if (uid != geteuid () && setuid (uid) && errno != EPERM)`
		`+ + {`
		`+ + FATAL_ERROR ((0, errno, "%s", "setuid"));`
		`+ + }`
		`+ +}`
		`+ #endif`
		`+`
		`+ #if XENIX`
		`+ --`
		`+ 2.26.0`
		`+`

cpio.spec

file modified

+8 -1

		`@@ -1,7 +1,7 @@`
		`Summary: A GNU archiving program`
		`Name: cpio`
		`Version: 2.13`
		`- Release: 9%{?dist}`
		`+ Release: 10%{?dist}`
		`License: GPLv3+`
		`URL: https://www.gnu.org/software/cpio/`
		`Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2`
		`@@ -48,6 +48,10 @@`
		`# https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html`
		`Patch11: cpio-2.11-retain-symlink-times.patch`

		`+ # Properly drop priviledges for remote command`
		`+ # http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7`
		`+ Patch12: cpio-2.13-reset-gid-uid.patch`
		`+`
		`Provides: bundled(gnulib)`
		`Provides: bundled(paxutils)`
		`Provides: /bin/cpio`
		`@@ -109,6 +113,9 @@`
		`%{_infodir}/.info`

		`%changelog`
		`+ * Thu Feb 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-10`
		`+ - Properly drop priviledges for remote command`
		`+`
		`* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-9`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild`