Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 99915 Details for
Bug 151778
[PATCH] More advanced suidctl Portage feature
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for an advanced version of the suidctl Portage feature
portage-2.1.1-Advanced_suidctl_feature.patch (text/plain), 9.42 KB, created by
email_deleted_GqKU
on 2006-10-17 20:58:43 UTC
(
hide
)
Description:
Patch for an advanced version of the suidctl Portage feature
Filename:
MIME Type:
Creator:
email_deleted_GqKU
Created:
2006-10-17 20:58:43 UTC
Size:
9.42 KB
patch
obsolete
>diff -ru portage-2.1.1-orig/bin/misc-functions.sh portage-2.1.1/bin/misc-functions.sh >--- portage-2.1.1-orig/bin/misc-functions.sh 2006-10-18 05:25:29.000000000 +0200 >+++ portage-2.1.1/bin/misc-functions.sh 2006-10-18 05:25:51.000000000 +0200 >@@ -287,35 +287,156 @@ > eerror "${FUNCNAME}: IMAGE is unset" > return 1 > fi >- # total suid control. >- if hasq suidctl $FEATURES; then >- sfconf=/etc/portage/suidctl.conf >- vecho ">>> Performing suid scan in ${IMAGE}" >- for i in $(find ${IMAGE}/ -type f \( -perm -4000 -o -perm -2000 \) ); do >- if [ -s "${sfconf}" ]; then >- suid="$(grep ^${i/${IMAGE}/}$ ${sfconf})" >- if [ "${suid}" = "${i/${IMAGE}/}" ]; then >- vecho "- ${i/${IMAGE}/} is an approved suid file" >+ >+ ### >+ ### Controls permissions of files with SetId permissions. >+ ### >+ ### Todo: >+ ### - Add a bit of flexibility to the file format (comments everywhere, >+ ### decorating spaces, and maybe allow space characters >+ ### as field separators... -the file is grealty easier to read >+ ### with tabulations, though the line length greatly increase...). >+ ### - Maybe support empty fields (they would match any value...), though it >+ ### greatly diminishes the usefulness of the setid-control feature. >+ ### - Maybe support more flexible file permissions (like "ugo-s", >+ ### for the last field -well, for now, it works out of the box, >+ ### but we might try some checks on this field, so we me think a bit >+ ### about it). >+ ### - Maybe support to configure the user and group to set, >+ ### for full customization... >+ ### - Maybe add a check to inform the user when an entry is outdated and >+ ### might be removed (like the original file >+ ### does not have SetId permissions set anymore). >+ ### >+ >+ ### Defines miscellaneous needed variables. >+ local SetId_control_feature_name="setid-control" >+ local SetId_control_configuration_file_path="/etc/portage/setid-control.conf" >+ local SetId_permissions_to_set_field_index="6" >+ >+ ### Checks that the SetId control feature is activated. >+ if hasq "${SetId_control_feature_name}" "${FEATURES}" >+ then >+ vecho ">>> Performing SetId scan in \"${IMAGE}\"..." >+ >+ ### Loop on files with SetId permissions. >+ for File_virtual_path in $(find "${IMAGE}/" -type f -perm -4000 -o -perm -2000) >+ do >+ ### Defines variables for needed informations about the package and file. >+ local Package_category_and_name="${CATEGORY}/${PN}" >+ local File_absolute_path="${File_virtual_path#${IMAGE}}" >+ local File_user=$(find "${File_virtual_path}" -printf "%u") ### "%u" means the file owner name or id >+ local File_group=$(find "${File_virtual_path}" -printf "%g") ### "%g" means the file group name or id >+ local File_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros) >+ >+ ### Tries to match the file with existing entries >+ ### from the configuration file. Notes we do not care if >+ ### the configuration file does not exist, as it is handled later. >+ ### ("-m" means "--max-count"; "-E" means "--extended-regexp") >+ ### @todo Maybe check the fields individually, for customized >+ ### warning messages (well, probably overkill). >+ ### @todo For the regex ending, if there are spaces (though illegal >+ ### as per configuration file format specifications), >+ ### accept the line... as we do not use the >+ ### file permission field elsewhere, for now, this is ok, >+ ### but if we later parse the entry to get >+ ### the value of this field, the spaces will have >+ ### to be removed. >+ Needed_entry_regex="${Package_category_and_name}:${File_virtual_path}:${File_user}:${File_group}:${File_permissions}([[:space:]]*|:.*)$" >+ Authorization_entry=$(grep -m 1 -E "^${Needed_entry_regex}" "${SetId_control_configuration_file_path}") >+ >+ ### Checks if the file matched an existing entry >+ ### from the configuration file. >+ if [ -n "${Authorization_entry}" ] >+ then >+ ### Gets the file permissions to set, from >+ ### the authorization entry, if present. >+ ### ("-d" means "--delimiter"; "-f" means "--fields") >+ File_permissions_to_set=$(echo "${Authorization_entry}" | cut -d ":" -f "${SetId_permissions_to_set_field_index}") >+ >+ ### Keeps the file permissions as is, if >+ ### the file permission to set field is not present, or empty, >+ ### or identical to the file original permissions. >+ if [ -z "${File_permissions_to_set}" ] || [ "${File_permissions_to_set}" = "${File_permissions}" ] >+ then >+ vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, and has been authorized to keep them, as per configuration." >+ >+ ### Continues to the next file with SetId permissions. >+ continue > else >- vecho ">>> Removing sbit on non registered ${i/${IMAGE}/}" >- for x in 5 4 3 2 1 0; do echo -ne "\a"; sleep 0.25 ; done >- vecho -ne "\a" >- ls_ret=$(ls -ldh "${i}") >- chmod ugo-s "${i}" >- grep ^#${i/${IMAGE}/}$ ${sfconf} > /dev/null || { >- # sandbox prevents us from writing directly >- # to files outside of the sandbox, but this >- # can easly be bypassed using the addwrite() function >- addwrite "${sfconf}" >- vecho ">>> Appending commented out entry to ${sfconf} for ${PF}" >- echo "## ${ls_ret%${IMAGE}*}${ls_ret#*${IMAGE}}" >> ${sfconf} >- echo "#${i/${IMAGE}/}" >> ${sfconf} >- # no delwrite() eh? >- # delwrite ${sconf} >- } >+ vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, and is registered, so we will apply the configuration..." >+ >+ ### Sets the file permission, as per configuration. >+ ### @todo Sanity checks on file permissions to set? >+ chmod "${File_permissions_to_set}" "${File_virtual_path}" >+ >+ File_set_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros) >+ >+ vecho ">>> File \"${File_absolute_path}\" now has permissions: \"${File_set_permissions}\" (previously: \"${File_permissions}\")." >+ >+ ### Continues to the next file with SetId permissions. >+ continue > fi >+ >+ #Checks that the file owner, group and permissions, match. > else >- vecho "suidctl feature set but you are lacking a ${sfconf}" >+ vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, but is unregistered, so we will strip them..." >+ >+ ### Removes the SetId permissions from the file. >+ chmod ugo-s "${File_virtual_path}" >+ >+ ### Defines the secure SetId permissions (ie., no SetId permissions). >+ Secure_SetId_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros) >+ >+ ### Constructs a configuration file default (secure) entry for the current file. >+ Default_entry="${Package_category_and_name}:${File_absolute_path}:${File_user}:${File_group}:${File_permissions}:${Secure_SetId_permissions}" >+ >+ ### Creates the configuration file parent directory, if needed. >+ if [ ! -d $(dirname "${SetId_control_configuration_file_path}") ] >+ then >+ addwrite "/" ### Sandbox bypassing >+ mkdir -p $(dirname "${SetId_control_configuration_file_path}") >+ export SANDBOX_WRITE="${SANDBOX_WRITE%:/}" ### Sandbox restoring >+ fi >+ >+ ### Creates a base configuration files, if not present (for the comments on the file format). >+ if [ ! -f "${SetId_control_configuration_file_path}" ] >+ then >+ SetId_control_default_configuration_file_path="/usr/share/portage/setid-control.conf.default" ### !!! Place it elsewhere? (directly in "/etc/portage"? -without the ".default" suffix-, in which case this block should be removed) >+ addwrite "${SetId_control_configuration_file_path}" ### Sandbox bypassing >+ cp "${SetId_control_default_configuration_file_path}" "${SetId_control_configuration_file_path}" >+ export SANDBOX_WRITE="${SANDBOX_WRITE%:${SetId_control_configuration_file_path}}" ### Sandbox restoring >+ fi >+ >+ ### Adds the default entry to the configuration file. >+ addwrite "${SetId_control_configuration_file_path}" ### Sandbox bypassing >+ echo "${Default_entry}" >> "${SetId_control_configuration_file_path}" >+ export SANDBOX_WRITE="${SANDBOX_WRITE%:${SetId_control_configuration_file_path}}" ### Sandbox restoring >+ >+ ### Displays a warning. >+ ebeep 3 && epause 5 >+ ewarn >+ ewarn "You have the \"${SetId_control_feature_name}\" feature set in your \"/etc/make.conf\" file," >+ ewarn "and the current package requests SetId permissions for the file:" >+ ewarn "\"${File_absolute_path}\"," >+ ewarn "which cannot be found in the SetId control configuration file." >+ ewarn >+ ewarn "If you already have an entry, for the same package and file path," >+ ewarn "it probably means that the file user, group, or original permissions," >+ ewarn "have changed. In this case, check the default entry which was added" >+ ewarn "to the configuration file, and adapt your configuration as needed." >+ ewarn >+ ewarn "The following default (secure) entry was added to the configuration file" >+ ewarn "(${SetId_control_configuration_file_path}):" >+ ewarn "${Default_entry}" >+ ewarn >+ ewarn "The file has been stripped from its SetId permissions. If know what" >+ ewarn "you are doing, and want \`emerge\` to keep these permissions, follow" >+ ewarn "the instructions from the SetId control configuration file." >+ ewarn >+ >+ ### Continues to the next file with SetId permissions. >+ continue > fi > done > fi
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=99915">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 151778
: 99915 |
99916
