Ger rid of security hole created by depanneur_sudo

Instead of using easily exploitable hole, made by depanneur_sudo
commands, needed to be run from root account added to sudoers file with
as much restrictions as possible .

Fixes: #TZPC-909

Change-Id: I41529ed471a2cc2aca1925b1b0edf25b979e80b3
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>

diff --git a/Makefile b/Makefile
index 34c7c13..0de897c 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -15,9 +15,6 @@ install:
        install -m755 \
            depanneur  \
            $(DESTDIR)$(bindir)
-       install -m755 \
-           data/depanneur_sudo  \
-           $(DESTDIR)$(bindir)
        install -m750 -d \
            $(DESTDIR)$(sudodir)
        install -m440 \

diff --git a/data/depanneur_sudo b/data/depanneur_sudo
deleted file mode 100755 (executable)
index b0ac311..0000000
--- a/data/depanneur_sudo
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-if [ -z "$1" ]
-then
-    echo "command must be specified for $0"
-    exit 1
-fi
-
-case $1 in
-    #commands need sudo in depanneur
-    umount|mount|mkdir|cp|rm|echo|*/usr/bin/build)
-        sudo "$@"
-        ;;
-     * )
-        echo "Don't support executing '$1' using $0"
-        exit 1
-        ;;
-esac

diff --git a/data/gbs b/data/gbs
index 8ce227c..121bdbe 100644 (file)
--- a/data/gbs
+++ b/data/gbs
@@ -1,4 +1,11 @@
-ALL     ALL=(ALL) NOPASSWD:/usr/bin/depanneur_sudo
+ALL     ALL=(ALL) NOPASSWD: /bin/mount -o bind * */home/abuild/rpmbuild/BUILD/*
+ALL     ALL=(ALL) NOPASSWD: /bin/umount -l */home/abuild/rpmbuild/BUILD/*
+ALL     ALL=(ALL) NOPASSWD: /bin/umount -l -f */home/abuild/rpmbuild/BUILD/*
+ALL     ALL=(ALL) NOPASSWD: /bin/mkdir -p */home/abuild/rpmbuild/BUILD/*
+ALL     ALL=(ALL) NOPASSWD: /usr/bin/build
+ALL     ALL=(ALL) NOPASSWD: /bin/cp *.conf */scratch.*/*.conf
+ALL     ALL=(ALL) NOPASSWD: /bin/rm -f */.build.log
+ALL     ALL=(ALL) NOPASSWD: /bin/echo -n
 
 Defaults env_keep += "http_proxy"
 Defaults env_keep += "no_proxy"

diff --git a/depanneur b/depanneur
index 282e2b0..e95b1c1 100755 (executable)
--- a/depanneur
+++ b/depanneur
@@ -1163,14 +1163,14 @@ sub worker_thread {
 
 sub safe_umount {
     my ($device) = @_;
-    return if (my_system("sudo depanneur_sudo umount -l $device") == 0);
+    return if (my_system("sudo /bin/umount -l $device") == 0);
 
     warning("!!!! umount device $device failed. It may cause files lost in ".
         "some cases. Please stop the process which is using this device and ".
         "press any key to umount again !!!!");
 
     <>;
-    if (my_system("sudo depanneur_sudo umount -l -f $device") != 0) {
+    if (my_system("sudo /bin/umount -l -f $device") != 0) {
         warning("!!!! IMPORTANT: umount failed again, please backup your ".
         "source code and try to umount manually !!!!");
     }
@@ -1214,7 +1214,7 @@ sub build_package {
     if ($TERM == 1) {
         return -1;
     }
-    push @args, "sudo depanneur_sudo $virtualenv/usr/bin/build";
+    push @args, "sudo /usr/bin/build";
     if ($arch ne "i586" ) {
         push @args, "--use-system-qemu";
     }
@@ -1307,9 +1307,9 @@ sub build_package {
 
         my $project_base_path = $to_build{$name}->{project_base_path};
         if (! -e "$builddir") {
-            my_system("sudo depanneur_sudo mkdir -p $builddir");
+            my_system("sudo /bin/mkdir -p $builddir");
         }
-        my $mount = "sudo depanneur_sudo mount -o bind $project_base_path $builddir";
+        my $mount = "sudo /bin/mount -o bind $project_base_path $builddir";
         my_system($mount);
         my $tmp_dir = abs_path(tempdir(CLEANUP=>1));
         my_system("tar -zcf $source_tar $tmp_dir") if ($source_tar ne "");
@@ -1326,7 +1326,7 @@ sub build_package {
     }
 
     # Save build config to build root for --noinit use
-    my_system("sudo depanneur_sudo cp $dist_configs/$dist.conf $scratch/$dist.conf") if ($noinit == 0);
+    my_system("sudo /bin/cp $dist_configs/$dist.conf $scratch/$dist.conf") if ($noinit == 0);
 
     if ($ret == 0) {
         if (bsd_glob "$scratch/home/abuild/rpmbuild/SRPMS/*.rpm") {
@@ -1338,7 +1338,7 @@ sub build_package {
         mkdir_p "$success_logs_path/$name-$version-$release";
         if (-e "$scratch/.build.log") {
             my_system ("cp $scratch/.build.log $success_logs_path/$name-$version-$release/log");
-            my_system ("sudo depanneur_sudo rm -f $scratch/.build.log ");
+            my_system ("sudo /bin/rm -f $scratch/.build.log ");
         }
         # Detach and terminate
         {
@@ -1355,7 +1355,7 @@ sub build_package {
         mkdir_p "$fail_logs_path/$name-$version-$release";
         if ( -f "$scratch/.build.log" ) {
             my_system ("cp $scratch/.build.log $fail_logs_path/$name-$version-$release/log");
-            my_system ("sudo depanneur_sudo rm -f $scratch/.build.log");
+            my_system ("sudo /bin/rm -f $scratch/.build.log");
             warning("build failed, Leaving the logs in $fail_logs_path/$name-$version-$release/log");
         }
         return 1;
@@ -1619,7 +1619,7 @@ $SIG{'INT'} = $SIG{'TERM'} = sub {
 };
 
 $SIG{'ALRM'} = sub {
-    if (my_system("sudo depanneur_sudo echo -n") != 0) {
+    if (my_system("sudo /bin/echo -n") != 0) {
         error("sudo: failed to request passwd")
     } else {
         alarm(SUDOV_PERIOD);

diff --git a/packaging/depanneur.spec b/packaging/depanneur.spec
index 7911cb9..eaf0ae2 100644 (file)
--- a/packaging/depanneur.spec
+++ b/packaging/depanneur.spec
@@ -33,6 +33,5 @@ make install DESTDIR=$RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root,-)
-%{_bindir}/depanneur_sudo
 %{_bindir}/depanneur
 %{_sysconfdir}/sudoers.d/gbs