From: Michael Andres Date: Thu, 22 Dec 2011 14:33:08 +0000 (+0100) Subject: Remove setuid root binary /usr/sbin/zypp-refresh-wrapper (bnc#724832) X-Git-Tag: 1.7.1~36 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=286770e489199da2d26ad4cba94b097b438b9e42;p=platform%2Fupstream%2Fzypper.git Remove setuid root binary /usr/sbin/zypp-refresh-wrapper (bnc#724832)
---
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 81b774d..0ae2132 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -118,13 +118,6 @@ INSTALL( RUNTIME DESTINATION ${INSTALL_PREFIX}/sbin ) -ADD_EXECUTABLE( zypp-refresh-wrapper zypp-refresh-wrapper.c ) -TARGET_LINK_LIBRARIES( zypp-refresh-wrapper ${ZYPP_LIBRARY} ) -INSTALL( - TARGETS zypp-refresh-wrapper - RUNTIME DESTINATION ${INSTALL_PREFIX}/sbin -) - # bash completion script INSTALL( FILES bash-completion.sh
@@ -133,7 +126,7 @@ INSTALL( ) -# installation_sources script +# installation_sources script INSTALL( PROGRAMS installation_sources DESTINATION ${INSTALL_PREFIX}/bin
diff --git a/src/zypp-refresh-wrapper.c b/src/zypp-refresh-wrapper.c
deleted file mode 100644
index e2465f9..0000000
--- a/src/zypp-refresh-wrapper.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* A setuid-root wrapper for zypp-refresh utility */
-
-/* setgid, umask and open */
-#include
-#include
-#include
-/* clearenv */
-#include
-/* chdir, execl, setuid, exit */
-#include
-/* perror */
-#include
-
-#define WRAPPER_ERROR 101
-
-const char *app = "/usr/sbin/zypp-refresh";
-/* const char *arg1 = ""; */
-
-char *lang = NULL;
-
-int main (void)
-{
- /* see http://rechner.lst.de/~okir/blackhats/node41.html */
- while (1)
- {
- int fd = open("/dev/null", O_RDWR);
- if (fd < 0)
- return WRAPPER_ERROR;
- if (fd > 2) {
- close(fd);
- break;
- }
- }
-
- /* see http://rechner.lst.de/~okir/blackhats/node35.html */
- int fd = getdtablesize();
- while (--fd > 2)
- close(fd);
-
- /* cd / to avoid NFS problems */
- if (chdir ("/"))
- {
- perror ("chdir");
- return WRAPPER_ERROR;
- }
-
- /* save language */
- lang = getenv("LANG");
-
- /* do not look at argv... done */
- /* clear environment */
- if (clearenv ())
- {
- fprintf (stderr, "clearenv failed\n");
- return WRAPPER_ERROR;
- }
-
-
- /* set minimal environment... done */
- /* prevent the user from sending signals */
-
- if (initgroups("root", 0) != 0 || setgid (0) != 0)
- {
- fprintf (stdout,
- "Unable to refresh repositories because /usr/sbin/zypp-refresh-wrapper"
- " helper programm is not set SUID root.\n"
- "This problem might be solved by setting 'File Permissons' in YaST"
- " 'Local Security' tab to 'easy' or by modifying"
- " /etc/permissions.local\n");
- return WRAPPER_ERROR;
- }
-
- if (setuid (0) != 0)
- {
- // perror ("setuid");
- // Forgot to chmod this program?
- fprintf (stdout,
- "Unable to refresh repositories because /usr/sbin/zypp-refresh-wrapper"
- " helper programm is not set SUID root.\n"
- "This problem might be solved by setting 'File Permissons' in YaST"
- " 'Local Security' tab to 'easy' or by modifying"
- " /etc/permissions.local\n");
- return WRAPPER_ERROR;
- }
-
- umask(0022);
-
- /* set language */
- if (lang != NULL)
- setenv("LANG", lang, 1);
-
- /* execute the real application */
- execl (app, app, (char *) NULL);
-
- /* if we are still here, it has failed */
- perror ("execl");
- return WRAPPER_ERROR;
-}
diff --git a/zypper.spec.cmake b/zypper.spec.cmake
index c07bb0f..dbbd705 100644
--- a/zypper.spec.cmake
+++ b/zypper.spec.cmake
@@ -136,10 +136,6 @@ touch $RPM_BUILD_ROOT%{_var}/log/zypper.log %post %run_permissions -%verifyscript -%verify_permissions -e %{_sbindir}/zypp-refresh-wrapper -%endif - %clean rm -rf "$RPM_BUILD_ROOT"
@@ -152,7 +148,6 @@ rm -rf "$RPM_BUILD_ROOT" %{_bindir}/zypper %{_bindir}/installation_sources %{_sbindir}/zypp-refresh -%verify(not mode) %attr (755,root,root) %{_sbindir}/zypp-refresh-wrapper %dir %{_datadir}/zypper %{_datadir}/zypper/zypper.aug %dir %{_datadir}/zypper/xml
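Review bot: In the first zypper.spec.cmake hunk the `%post` scriptlet still calls `%run_permissions`, although this commit removes the `%verify_permissions -e %{_sbindir}/zypp-refresh-wrapper` line and, in the second hunk, the only `%verify(not mode)` file entry visible here. If no other file in the package is permissions-managed, `%post` / `%run_permissions` (and any matching `PreReq: permissions` outside this diff) look like leftovers and should be dropped in the same change. The hunk also deletes an `%endif` whose opening `%if` is not visible in the context lines, so the conditional should be checked for balance after the removal. Because the wrapper's setuid bit was presumably applied through the permissions profiles rather than the package's file mode (the entry is `%attr (755,root,root)`), it is worth confirming after upgrade that no setuid copy of `/usr/sbin/zypp-refresh-wrapper` and no stale `/etc/permissions.local` entry for it remain on installed systems.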