Attachment 359510 Details for Bug 473036 – Check permission/ownership in pkg_postinst

[patch] Check permission/ownership in pkg_postinst

check-permission-and-ownership-in-postinstall.patch (text/plain), 5.29 KB, created by Thomas Deutschmann (RETIRED) on 2013-09-26 09:17:45 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Thomas Deutschmann (RETIRED)

Created: 2013-09-26 09:17:45 UTC

Size: 5.29 KB

patch

obsolete

>--- nginx-1.4.1-r5.ebuild.old	2013-09-25 18:28:27.000000000 +0200
>+++ nginx-1.4.1-r5.ebuild	2013-09-26 11:05:37.000000000 +0200
>@@ -194,6 +194,7 @@
> 	nginx_modules_http_dav_ext? ( dev-libs/expat )"
> RDEPEND="${CDEPEND}"
> DEPEND="${CDEPEND}
>+	sys-apps/coreutils
> 	arm? ( dev-libs/libatomic_ops )
> 	libatomic? ( dev-libs/libatomic_ops )"
> PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
>@@ -527,23 +528,112 @@
> 		ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
> 	fi
> 
>-	# This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for
>-	# existing installations
>-	local fix_perms=0
>-
>-	for rv in ${REPLACING_VERSIONS} ; do
>-		version_compare ${rv} 1.4.1-r2
>-		[[ $? -eq 1 ]] && fix_perms=1
>-	done
>-
>-	if [[ $fix_perms -eq 1 ]] ; then
>-		ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following"
>-		ewarn "directories the world-readable bit removed (if set):"
>-		ewarn "  ${EPREFIX}/var/log/nginx"
>-		ewarn "  ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
>-		ewarn "Check if this is correct for your setup before restarting nginx!"
>-		ewarn "This is a one-time change and will not happen on subsequent updates."
>-		ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}"
>-		chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
>+	# www-servers/nginx-1.4.1-r2 changed permission/ownership due to
>+	# CVE-2013-0337. See bug #458726, #469094 and #473036.
>+	# 
>+	# We need to make sure that previous installations aren't affected:
>+	local has_default_permissions=1
>+
>+	local t_permission=
>+	local t_owner=
>+	local t_dir="${EPREFIX}/var/log/nginx"
>+	if [ -d ${t_cdir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%g' "${t_dir}")
>+		
>+		[ ${t_permission} != '750' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:0" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}/client"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	t_permission=
>+	t_owner=
>+	t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi"
>+	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
>+		t_permission=$(stat --format='%a' "${t_dir}")
>+		     t_owner=$(stat --format='%U:%G' "${t_dir}")
>+		
>+		[ ${t_permission} != '700' ] && has_default_permissions=0
>+		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
>+	fi
>+
>+	if [ ${has_default_permissions} -ne 1 ]; then
>+		# User's nginx permissions differs from default permissions.
>+		ewarn ""
>+		ewarn "Your nginx permissions differ from the default permissions/ownership"
>+		ewarn "this ebuild would set for a fresh installation."
>+		ewarn ""
>+		ewarn "If you know what you are doing, e.g. you are running a custom setup"
>+		ewarn "with custom permissions, you can ignore this warning."
>+		ewarn ""
>+		ewarn "If you DO NOT run a custom setup this may indicate that your setup"
>+		ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed"
>+		ewarn "all permissions. Please read:"
>+		ewarn ""
>+		ewarn "  - https://bugs.gentoo.org/458726"
>+		ewarn "  - https://bugs.gentoo.org/473036"
>+		ewarn ""
>+		ewarn "Current nginx default permissions are:"
>+		ewarn "  rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx"
>+		ewarn "  rwxr-x--- (750) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}"
>+		ewarn "  rwx------ (700) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}"
>+		ewarn ""
>+		ewarn "Again: If you know what you are doing please ignore this warning."
>+		ewarn "Everybody else should adjust permissions/ownership using chmod/chown"
>+		ewarn "like stated above."
> 	fi
> }

Actions: View | Diff

Attachments on bug 473036: 359510