From 35346b39363d2b8242be46b94b4b8152a4dc0d13 Mon Sep 17 00:00:00 2001
From: Ed Bartosh
Date: Wed, 27 Feb 2013 20:01:58 +0200
Subject: [PATCH] Ger rid of security hole created by depanneur_sudo

Instead of using easily exploitable hole, made by depanneur_sudo commands, needed to be run from root account added to sudoers file with as much restrictions as possible .

Fixes: #TZPC-909
Change-Id: I41529ed471a2cc2aca1925b1b0edf25b979e80b3
Signed-off-by: Ed Bartosh
---
 Makefile | 3 ---
 data/depanneur_sudo | 18 ------------------
 data/gbs | 9 ++++++++-
 depanneur | 18 +++++++++---------
 packaging/depanneur.spec | 1 -
 5 files changed, 17 insertions(+), 32 deletions(-)
 delete mode 100755 data/depanneur_sudo

diff --git a/Makefile b/Makefile
index 34c7c13..0de897c 100644
--- a/Makefile
+++ b/Makefile
@@ -15,9 +15,6 @@ install:
 install -m755 \
 depanneur \
 $(DESTDIR)$(bindir)
- install -m755 \
- data/depanneur_sudo \
- $(DESTDIR)$(bindir)
 install -m750 -d \
 $(DESTDIR)$(sudodir)
 install -m440 \
diff --git a/data/depanneur_sudo b/data/depanneur_sudo
deleted file mode 100755
index b0ac311..0000000
--- a/data/depanneur_sudo
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-if [ -z "$1" ]
-then
- echo "command must be specified for $0"
- exit 1
-fi
-
-case $1 in
- #commands need sudo in depanneur
- umount|mount|mkdir|cp|rm|echo|*/usr/bin/build)
- sudo "$@"
- ;;
- * )
- echo "Don't support executing '$1' using $0"
- exit 1
- ;;
-esac
diff --git a/data/gbs b/data/gbs
index 8ce227c..121bdbe 100644
--- a/data/gbs
+++ b/data/gbs
@@ -1,4 +1,11 @@
-ALL ALL=(ALL) NOPASSWD:/usr/bin/depanneur_sudo
+ALL ALL=(ALL) NOPASSWD: /bin/mount -o bind * */home/abuild/rpmbuild/BUILD/*
+ALL ALL=(ALL) NOPASSWD: /bin/umount -l */home/abuild/rpmbuild/BUILD/*
+ALL ALL=(ALL) NOPASSWD: /bin/umount -l -f */home/abuild/rpmbuild/BUILD/*
+ALL ALL=(ALL) NOPASSWD: /bin/mkdir -p */home/abuild/rpmbuild/BUILD/*
+ALL ALL=(ALL) NOPASSWD: /usr/bin/build
+ALL ALL=(ALL) NOPASSWD: /bin/cp *.conf */scratch.*/*.conf
+ALL ALL=(ALL) NOPASSWD: /bin/rm -f */.build.log
+ALL ALL=(ALL) NOPASSWD: /bin/echo -n
 Defaults env_keep += "http_proxy"
 Defaults env_keep += "no_proxy"
diff --git a/depanneur b/depanneur
index 282e2b0..e95b1c1 100755
--- a/depanneur
+++ b/depanneur
@@ -1163,14 +1163,14 @@ sub worker_thread {
 sub safe_umount {
 my ($device) = @_;
- return if (my_system("sudo depanneur_sudo umount -l $device") == 0);
+ return if (my_system("sudo /bin/umount -l $device") == 0);
 warning("!!!! umount device $device failed. It may cause files lost in ".
 "some cases. Please stop the process which is using this device and ".
 "press any key to umount again !!!!");
 <>;
- if (my_system("sudo depanneur_sudo umount -l -f $device") != 0) {
+ if (my_system("sudo /bin/umount -l -f $device") != 0) {
 warning("!!!! IMPORTANT: umount failed again, please backup your ".
 "source code and try to umount manually !!!!");
 }
@@ -1214,7 +1214,7 @@ sub build_package {
 if ($TERM == 1) {
 return -1;
 }
- push @args, "sudo depanneur_sudo $virtualenv/usr/bin/build";
+ push @args, "sudo /usr/bin/build";
 if ($arch ne "i586" ) {
 push @args, "--use-system-qemu";
 }
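Review bot: The `*` wildcards in the added rules restrict much less than they appear to, because sudoers matches a command's arguments as one string and a `*` there also matches spaces and `/`. The `/bin/mount -o bind * */home/abuild/rpmbuild/BUILD/*`, `/bin/cp *.conf */scratch.*/*.conf` and `/bin/rm -f */.build.log` rules therefore accept additional arguments and paths outside the build root, and `/usr/bin/build` is granted with no argument restriction at all. Every rule is also still granted to `ALL` users without a password. I would scope the rules to a dedicated group, e.g. `%<build-group> ALL=(root) NOPASSWD: ...` (placeholder name), and do the path checks in a root-owned helper that canonicalises its arguments. A comment above the rules should state that the wildcards are not a security boundary.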
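Review bot: `$device` is still interpolated unquoted into a single command string in both `my_system("sudo /bin/umount ...")` calls of `safe_umount`, so a path containing whitespace or shell metacharacters changes the command sudo is asked to run. The same pattern appears in the `mkdir`/`mount`, `cp` and `rm` hunks of `build_package`. `my_system` is defined outside this diff, so whether it goes through a shell needs confirming. If it does, pass an argument list instead, e.g. `system('sudo', '/bin/umount', '-l', $device) == 0`, or validate the path against an anchored pattern first. `safe_umount` ends outside the hunk.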
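Review bot: Dropping `$virtualenv` from the `push @args` line presumably means a depanneur installed under a virtualenv now always runs the system `/usr/bin/build`, and the commit message does not mention this change in behaviour. If it is intended (the sudoers file names only `/usr/bin/build`), say so with a comment such as `# always the system build script: sudoers permits only /usr/bin/build`. It would also help to fail early with a clear error when `/usr/bin/build` is missing. `build_package` starts and ends outside the hunk.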
@@ -1307,9 +1307,9 @@ sub build_package {
 my $project_base_path = $to_build{$name}->{project_base_path};
 if (! -e "$builddir") {
- my_system("sudo depanneur_sudo mkdir -p $builddir");
+ my_system("sudo /bin/mkdir -p $builddir");
 }
- my $mount = "sudo depanneur_sudo mount -o bind $project_base_path $builddir";
+ my $mount = "sudo /bin/mount -o bind $project_base_path $builddir";
 my_system($mount);
 my $tmp_dir = abs_path(tempdir(CLEANUP=>1));
 my_system("tar -zcf $source_tar $tmp_dir") if ($source_tar ne "");
@@ -1326,7 +1326,7 @@ sub build_package {
 }
 # Save build config to build root for --noinit use
- my_system("sudo depanneur_sudo cp $dist_configs/$dist.conf $scratch/$dist.conf") if ($noinit == 0);
+ my_system("sudo /bin/cp $dist_configs/$dist.conf $scratch/$dist.conf") if ($noinit == 0);
 if ($ret == 0) {
 if (bsd_glob "$scratch/home/abuild/rpmbuild/SRPMS/*.rpm") {
@@ -1338,7 +1338,7 @@ sub build_package {
 mkdir_p "$success_logs_path/$name-$version-$release";
 if (-e "$scratch/.build.log") {
 my_system ("cp $scratch/.build.log $success_logs_path/$name-$version-$release/log");
- my_system ("sudo depanneur_sudo rm -f $scratch/.build.log ");
+ my_system ("sudo /bin/rm -f $scratch/.build.log ");
 }
 # Detach and terminate
 {
@@ -1355,7 +1355,7 @@ sub build_package {
 mkdir_p "$fail_logs_path/$name-$version-$release";
 if ( -f "$scratch/.build.log" ) {
 my_system ("cp $scratch/.build.log $fail_logs_path/$name-$version-$release/log");
- my_system ("sudo depanneur_sudo rm -f $scratch/.build.log");
+ my_system ("sudo /bin/rm -f $scratch/.build.log");
 warning("build failed, Leaving the logs in $fail_logs_path/$name-$version-$release/log");
 }
 return 1;
@@ -1619,7 +1619,7 @@ $SIG{'INT'} = $SIG{'TERM'} = sub {
 };
 $SIG{'ALRM'} = sub {
- if (my_system("sudo depanneur_sudo echo -n") != 0) {
+ if (my_system("sudo /bin/echo -n") != 0) {
 error("sudo: failed to request passwd")
 } else {
 alarm(SUDOV_PERIOD);
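Review bot: The return values of `my_system("sudo /bin/mkdir -p $builddir")` and `my_system($mount)` are ignored, and with the tightened sudoers rules sudo will refuse either command whenever `$builddir` does not match `*/home/abuild/rpmbuild/BUILD/*`. The build then carries on without the bind mount. Check the result, e.g. `if (my_system($mount) != 0) { warning("bind mount of $builddir failed"); return 1; }`, adapting it to the function's error convention, which is outside the hunk. The `sudo /bin/cp` call in the next hunk has the same gap against its `*/scratch.*/*.conf` rule.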
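Review bot: The `ALRM` handler's error text `sudo: failed to request passwd` no longer describes a failure of the new call. `/bin/echo -n` is listed as `NOPASSWD` in `data/gbs`, so this periodic call presumably cannot prompt for a password any more. Document the handler, e.g. `# periodic sudo check; every depanneur command is NOPASSWD, so a failure means the sudoers entry is missing or was changed`, and reword the message to match. If nothing depends on the timer any more, consider removing it. The handler's closing lines are outside the hunk.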
diff --git a/packaging/depanneur.spec b/packaging/depanneur.spec
index 7911cb9..eaf0ae2 100644
--- a/packaging/depanneur.spec
+++ b/packaging/depanneur.spec
@@ -33,6 +33,5 @@ make install DESTDIR=$RPM_BUILD_ROOT
 %files
 %defattr(-,root,root,-)
-%{_bindir}/depanneur_sudo
 %{_bindir}/depanneur
 %{_sysconfdir}/sudoers.d/gbs
-- 
2.7.4