Bug 606658

Summary: net-nds/389-ds-base: init script should use checkpath instead of mkdir/chown
Product: Gentoo Linux
Reporter: Michael Orlitzky <mjo>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED OBSOLETE
Severity: normal
CC: jstein, wibrown
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-01-21 03:05:18 UTC
So I remembered why I was trying to install 389-ds-base in the first place =)

Now that I know how to build it, I've played with the init script and I don't see any vulnerability in the way that chown is used. Nevertheless, the OpenRC "checkpath" command is a better way to create the directories it needs. So, for example,

  mkdir -p ${PID_DIRECTORY}; ... chown dirsrv: ${PID_DIRECTORY}

would become

  checkpath -d -o dirsrv:dirsrv ${PID_DIRECTORY}

Why bother? Since checkpath is part of OpenRC, it's guaranteed to be there and behave the same on every platform. Even standard tools like mkdir and chown can act differently on weird platforms. But most importantly, checkpath will refuse to follow symlinks and hardlinks, making the attack I was investigating impossible.

One other nit I noticed: if you don't configure any instances, then the line

  DS_INSTANCES=${DIRSRV_CONF_DIR}/slapd-*

will succeed, but it will result in one instance literally named "slapd-*". I wound up with

  $ ls /var/lock/dirsrv/
  total 0
  drwxr-xr-x 2 dirsrv dirsrv 40 2017-01-20 21:45 'slapd-*'

as a result.

You would really like to use bash's "nullglob" feature there, but our init scripts should be portable to POSIX sh. Probably the simplest thing you can do is check to make sure you got a real file/directory in the "for" loop:

  for instance in ${DS_INSTANCES}; do
    [ -e "$instance" ] || continue
    ...
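The two points in the report (a non-matching glob staying literal in POSIX sh, and a directory-creation step that should refuse to go through a symlink the way OpenRC's checkpath does) can be exercised with the following self-contained POSIX sh script. This is an added example, not code from the bug report or from the 389-ds-base init script; `list_instances`, `count_instances` and `ensure_dir` are illustrative names, and `ensure_dir` is only a portable stand-in for the symlink-refusal behaviour of `checkpath -d` (it does not replace checkpath's ownership and mode handling, and it does not cover the hardlink case the report also mentions).

```shell
#!/bin/sh
# Added example, not part of the 389-ds-base init script.
# Shows why "for instance in ${DIRSRV_CONF_DIR}/slapd-*" needs an existence
# check in POSIX sh, and a minimal symlink check in the spirit of checkpath.

# list_instances CONF_DIR
# Print the base name of every real slapd-* instance directory under CONF_DIR.
list_instances() {
    conf_dir=$1
    for instance in "$conf_dir"/slapd-*; do
        # POSIX sh has no nullglob: with no instances configured the pattern
        # expands to the literal string "CONF_DIR/slapd-*". Skip anything that
        # is not an existing directory instead of treating it as an instance.
        [ -d "$instance" ] || continue
        basename "$instance"
    done
}

# count_instances CONF_DIR
# Number of real instances found (0 when nothing is configured).
count_instances() {
    list_instances "$1" | wc -l | tr -d ' '
}

# ensure_dir PATH
# Hypothetical stand-in for "checkpath -d PATH": create PATH if needed, but
# refuse to proceed when PATH already exists as a symbolic link, so a link
# planted at that location cannot redirect the directory setup elsewhere.
# On OpenRC systems use checkpath itself; this only mirrors the symlink refusal.
ensure_dir() {
    if [ -L "$1" ]; then
        echo "ensure_dir: refusing to use symlink $1" >&2
        return 1
    fi
    mkdir -p "$1"
}

# Stand-alone demonstration on a constructed temporary layout.
if [ "${DEMO:-}" = 1 ]; then
    demo=$(mktemp -d)
    echo "instances with empty conf dir: $(count_instances "$demo")"
    mkdir "$demo/slapd-example1" "$demo/slapd-example2"
    echo "instances after creating two: $(count_instances "$demo")"
    ln -s /tmp "$demo/lock"
    ensure_dir "$demo/lock" || echo "symlink rejected as expected"
    rm -rf "$demo"
fi
```

Run with `DEMO=1 sh script.sh` to see the counts go from 0 to 2 and the symlinked path being rejected; without the existence check the empty directory would have reported one instance named `slapd-*`, exactly what the report observed under /var/lock/dirsrv/.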
Comment 1 Wes 2017-01-25 00:11:00 UTC
Thanks for the feedback, I'll implement these changes (hopefully) this week
Comment 2 Jonas Stein gentoo-dev 2018-07-21 13:54:52 UTC
Any news? Wes and William do you still maintain this package?
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-13 04:53:21 UTC
Package removed.