From 88ec34099ad55dd83e3422f62c61edf9e54d398e Mon Sep 17 00:00:00 2001
From: Jean Flach
Date: Wed, 29 Nov 2017 13:56:10 +0100
Subject: [PATCH] Fix prepare-dirs permission exploit

refs #5793
---
 etc/initsystem/icinga2.sysconfig.cmake | 7 +++---
 etc/initsystem/prepare-dirs | 35 +++++++++++---------------
 2 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/etc/initsystem/icinga2.sysconfig.cmake b/etc/initsystem/icinga2.sysconfig.cmake
index e7fa54bafbf..7daf305be5c 100644
--- a/etc/initsystem/icinga2.sysconfig.cmake
+++ b/etc/initsystem/icinga2.sysconfig.cmake
@@ -3,9 +3,10 @@ ICINGA2_CONFIG_FILE=@CMAKE_INSTALL_FULL_SYSCONFDIR@/icinga2/icinga2.conf
 ICINGA2_RUN_DIR=@ICINGA2_RUNDIR@
 ICINGA2_STATE_DIR=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@
 ICINGA2_PID_FILE=$ICINGA2_RUN_DIR/icinga2/icinga2.pid
-ICINGA2_ERROR_LOG=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/icinga2/error.log
-ICINGA2_STARTUP_LOG=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/icinga2/startup.log
-ICINGA2_LOG=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/icinga2/icinga2.log
+ICINGA2_LOG_DIR=@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/log/icinga2
+ICINGA2_ERROR_LOG=$ICINGA2_LOG_DIR/error.log
+ICINGA2_STARTUP_LOG=$ICINGA2_LOG_DIR/startup.log
+ICINGA2_LOG=$ICINGA2_LOG_DIR/icinga2.log
 ICINGA2_CACHE_DIR=$ICINGA2_STATE_DIR/cache/icinga2
 ICINGA2_USER=@ICINGA2_USER@
 ICINGA2_GROUP=@ICINGA2_GROUP@
diff --git a/etc/initsystem/prepare-dirs b/etc/initsystem/prepare-dirs
index 5d67d476d73..73568a54e44 100644
--- a/etc/initsystem/prepare-dirs
+++ b/etc/initsystem/prepare-dirs
@@ -29,33 +29,28 @@ getent passwd $ICINGA2_USER >/dev/null 2>&1 || (echo "Icinga user '$ICINGA2_USER
 getent group $ICINGA2_GROUP >/dev/null 2>&1 || (echo "Icinga group '$ICINGA2_GROUP' does not exist. Exiting." && exit 6)
 getent group $ICINGA2_COMMAND_GROUP >/dev/null 2>&1 || (echo "Icinga command group '$ICINGA2_COMMAND_GROUP' does not exist. Exiting." && exit 6)
-mkdir -p $(dirname -- $ICINGA2_PID_FILE)
-chown $ICINGA2_USER:$ICINGA2_COMMAND_GROUP $(dirname -- $ICINGA2_PID_FILE)
-if [ -f $ICINGA2_PID_FILE ]; then
- chown $ICINGA2_USER:$ICINGA2_GROUP $ICINGA2_PID_FILE
+if [ ! -e "$ICINGA2_RUN_DIR"/icinga2 ]; then
+ mkdir "$ICINGA2_RUN_DIR"/icinga2
+ mkdir "$ICINGA2_RUN_DIR"/icinga2/cmd
+ chmod 755 "$ICINGA2_RUN_DIR"/icinga2
+ chmod 2750 "$ICINGA2_RUN_DIR"/icinga2/cmd
+ chown -R $ICINGA2_USER:$ICINGA2_COMMAND_GROUP "$ICINGA2_RUN_DIR"/icinga2
 fi
-mkdir -p $(dirname -- $ICINGA2_ERROR_LOG)
-chown $ICINGA2_USER:$ICINGA2_COMMAND_GROUP $(dirname -- $ICINGA2_ERROR_LOG)
-chmod 750 $(dirname -- $ICINGA2_ERROR_LOG)
-if [ -f $ICINGA2_ERROR_LOG ]; then
- chown $ICINGA2_USER:$ICINGA2_COMMAND_GROUP $ICINGA2_ERROR_LOG
-fi
-if [ -f $ICINGA2_LOG ]; then
- chown $ICINGA2_USER:$ICINGA2_COMMAND_GROUP $ICINGA2_LOG
+# Could be undefined in installations where sysconf is not overridden on upgrade
+if [ -z "$ICINGA2_LOG_DIR" ]; then
+ $ICINGA2_LOG_DIR=$(dirname -- "$ICINGA2_LOG")
 fi
-mkdir -p $ICINGA2_RUN_DIR/icinga2/cmd
-chown $ICINGA2_USER:$ICINGA2_COMMAND_GROUP $ICINGA2_RUN_DIR/icinga2/cmd
+test -e "$ICINGA2_LOG_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA2_LOG_DIR"
+
 if type restorecon >/dev/null 2>&1; then
- restorecon -R $ICINGA2_RUN_DIR/icinga2/
+ restorecon -R "$ICINGA2_RUN_DIR"/icinga2/
 fi
-chmod 2750 $ICINGA2_RUN_DIR/icinga2/cmd
 # Add a fallback if the user did not specify this directory in the sysconfig file
 if [ -z "$ICINGA2_CACHE_DIR" ]; then
- ICINGA2_CACHE_DIR=$ICINGA2_STATE_DIR/cache/icinga2
+ ICINGA2_CACHE_DIR="$ICINGA2_STATE_DIR"/cache/icinga2
 fi
-mkdir -p $ICINGA2_CACHE_DIR
-chown $ICINGA2_USER:$ICINGA2_GROUP $ICINGA2_CACHE_DIR
-chmod 750 $ICINGA2_CACHE_DIR
+
+test -e "$ICINGA2_CACHE_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA_CACHE_DIR"
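Review bot: The fallback assignment `$ICINGA2_LOG_DIR=$(dirname -- "$ICINGA2_LOG")` inside the `if [ -z "$ICINGA2_LOG_DIR" ]` branch has a stray `$` before the variable name, so the shell tries to execute a command named `=<log dir>` instead of assigning, `ICINGA2_LOG_DIR` stays empty on exactly the upgraded installations the comment describes, and the following `install -d ""` cannot create the log directory; the line should read `ICINGA2_LOG_DIR=$(dirname -- "$ICINGA2_LOG")`. The last line has a similar slip: it tests `"$ICINGA2_CACHE_DIR"` but creates `"$ICINGA_CACHE_DIR"` (missing `2`), an unset name, so the cache directory is never created on a fresh install; it should be `test -e "$ICINGA2_CACHE_DIR" || install -m 750 -o $ICINGA2_USER -g $ICINGA2_COMMAND_GROUP -d "$ICINGA2_CACHE_DIR"`. That line also changes the cache directory's group from `$ICINGA2_GROUP` (the removed chown) to `$ICINGA2_COMMAND_GROUP`; if that widening is not intended, keep `-g $ICINGA2_GROUP`. The create-only-if-absent pattern (`[ ! -e … ]` / `test -e … ||`) is what closes the issue, since it never chowns or chmods a path the script did not create, and that intent deserves a comment near the first such block, e.g. `# Only create and set ownership on paths that do not exist yet; pre-existing paths are deliberately left untouched`.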