[Bug 1208004] New: Make %post script SELinux aware
https://bugzilla.suse.com/show_bug.cgi?id=1208004

Bug ID: 1208004
Summary: Make %post script SELinux aware
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: max@suse.com
Reporter: jsegitz@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

In ntp.spec, lines 324-328:

    if [ ! -f $KEYSFILE ]; then
        FILE=$(mktemp -p /etc)
        chmod 0640 $FILE
        chown root:ntp $FILE
        mv $FILE $KEYSFILE
    fi

this will cause issues with SELinux. Please use mv -Z so the label is set correctly.

While the current state of this post script is safe, the frequent use of chmod and the like is worrisome. You need to make sure that future changes never allow unprivileged users additional control (e.g. operating in a user-owned directory). A way to reduce the attack surface could be to move this to a packaged script and then run it only once to fix/convert existing installations.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208004#c1

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com
              Flags|                            |needinfo?(jsegitz@suse.com)

--- Comment #1 from Reinhard Max <max@suse.com> ---
This code block is not for fixing or converting existing installations, it is for generating needed keys in new installations. The chmod/chown are only run if $KEYSFILE does not yet exist, and they are run while the newly created file still has its temporary name.

I don't see how a packaged script would change the situation, because the conditions under which it needs to be run (installing the ntp package for the first time on a newly installed system) won't change.

Please advise.
https://bugzilla.suse.com/show_bug.cgi?id=1208004#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jsegitz@suse.com) |

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
In a packaged script you can add more defensive logic easily without having to bloat the rather large %post section further. One idea would be to add a flag that indicates that the script already ran and not go through the logic again. If the circumstances ever change (e.g. the ntp keys are moved into a directory owned by an unprivileged user) that would limit the impact of the root escalation to fresh installations, not to every ntp package update.

It's just a suggestion at this point. The current logic is safe, I'm just worried that this might change over time.
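Added example (not code from ntp.spec, the SUSE package, or either participant): a hardened version of the key-file creation quoted in the report, combined with the run-once guard proposed in comment #2. It keeps the original sequence (temporary file, chmod, chown, rename) but creates the temporary file in the destination directory, refuses to work in a directory that is a symlink, not owned by the caller, or group/world-writable, and only passes -Z to mv when SELinux is actually enabled (GNU mv ignores -Z without SELinux, but busybox mv rejects the flag). The function names, the marker-file path, and the argument layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from ntp.spec or the SUSE ntp package. Function
# names, the marker file and the argument layout are assumptions of this
# example.
set -eu

# True when the running kernel has SELinux enabled. GNU coreutils mv treats
# -Z as a no-op without SELinux, but other implementations (busybox) reject
# the flag, so -Z is only passed when it can actually set a label.
selinux_enabled() {
    [ -r /sys/fs/selinux/enforce ]
}

# Refuse to operate in a directory an unprivileged user could influence (the
# concern raised in the report): it must exist, not be a symlink, be owned by
# the invoking user (root when run from %post) and not be group/world-writable.
dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir")          # e.g. 755
    [ $(( 0$mode & 022 )) -eq 0 ]       # no write bit for group or other
}

# Create KEYSFILE with the requested owner/group and mode 0640 unless it
# already exists. The temporary file is made in the destination directory
# (mktemp gives 0600 and O_EXCL), so the final step is a same-filesystem
# rename and the file is never visible under its final name with the wrong
# mode, owner or label.
ensure_keys_file() {
    keysfile=$1 owner=$2 group=$3
    dir=$(dirname "$keysfile")
    if ! dir_is_trusted "$dir"; then
        echo "refusing to create $keysfile: $dir is not a trusted directory" >&2
        return 1
    fi
    if [ -e "$keysfile" ] || [ -L "$keysfile" ]; then
        return 0                        # keep whatever is there, as the spec does
    fi
    tmp=$(mktemp -p "$dir" .keys.XXXXXX)
    chmod 0640 "$tmp"
    chown "$owner:$group" "$tmp"
    if selinux_enabled; then
        mv -Z "$tmp" "$keysfile"        # -Z: give the destination its default label
    else
        mv "$tmp" "$keysfile"
    fi
}

# Run a setup step once per system: a marker file records that it already
# ran, so later package updates never re-enter the logic even if the
# directory layout changes in the future (comment #2's point). The marker's
# directory gets the same trust check as the key directory.
run_once() {
    marker=$1; shift
    dir_is_trusted "$(dirname "$marker")" || return 1
    if [ -e "$marker" ]; then
        return 0
    fi
    "$@"
    : > "$marker"
}

# Stand-alone use (as root), with an assumed marker path:
#   ./ntp-keys.sh /etc/ntp.keys root ntp /var/lib/ntp/.keys-generated
if [ $# -eq 4 ]; then
    run_once "$4" ensure_keys_file "$1" "$2" "$3"
fi
```

Two checks worth keeping in mind when adapting this: the trust check and the rename are not atomic with respect to each other, which is acceptable only because the directory has already been verified not writable by anyone else; and `stat -c '%a'` and `mktemp -p` are GNU/busybox options, so a %post running under a different userland needs equivalents.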
https://bugzilla.suse.com/show_bug.cgi?id=1208004#c3

--- Comment #3 from Reinhard Max <max@suse.com> ---
Ah, so you mean to package more of the %post script than just the snippet you quoted in comment 0?

OTOH, given that we are phasing out the ntp package in favour of chrony, I am not sure if it makes sense to make such big changes at this point unless the current code has an actual security problem, which does not seem to be the case.

For now I will just add the -Z flag to "mv".
https://bugzilla.suse.com/show_bug.cgi?id=1208004#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
Okay, sounds like a plan. Thanks :)
https://bugzilla.suse.com/show_bug.cgi?id=1208004#c6

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Reinhard Max <max@suse.com> ---
Done