Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

879094 - CVE-2012-5561 - fix permissions on /etc/katello/secure #1349

Merged
merged 4 commits into from

4 participants

@jsomara

No description provided.

@lzap lzap was assigned
@jsomara

thanks to @kseifriedredhat for all of the help! :+1:

@lzap

ACK nice find.

src/katello.spec
@@ -708,6 +708,10 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN
getent group %{name} >/dev/null || groupadd -r %{name} -g 182
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{homedir} -u 182 -s /sbin/nologin -c "Katello" %{name}
+# add tomcat & katello to the katello shared group for reading sensitive files
+groupadd katello-shared
@xsuchy Collaborator
xsuchy added a note

This will fail if group already exist. Should be:
getent group katello-shared >/dev/null || groupadd -r %{name}
You may want to allocate static id for katello-shared group (see bz 804204 how to do it), hmmm and why we could not use katello group in first place?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@xsuchy xsuchy commented on the diff
selinux/katello-selinux/katello-selinux.spec
@@ -94,7 +94,7 @@ install -m 0644 katello-selinux-enable.man8 %{buildroot}%{_mandir}/man8/katello-
install -m 0644 katello-selinux-relabel.man8 %{buildroot}%{_mandir}/man8/katello-selinux-relabel.8
# Install secure (extra protected) directory
-install -d %{buildroot}%{_sysconfdir}/katello/secure
+install -d -m 0750 %{buildroot}%{_sysconfdir}/katello/secure
@xsuchy Collaborator
xsuchy added a note

You should set group ownership in %files section too:
%attr(0755,root,katello-shared) %{_sysconfdir}/katello/secure

@jsomara
jsomara added a note

doesn't katello-selinux install first? which could fail if katello-shared is not created

@xsuchy Collaborator
xsuchy added a note

The order is random.
But you can enforce the order by
Requires(pre): katello-common
And I just audited the code and it should be safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
src/katello.spec
@@ -708,6 +708,10 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN
getent group %{name} >/dev/null || groupadd -r %{name} -g 182
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{homedir} -u 182 -s /sbin/nologin -c "Katello" %{name}
+# add tomcat & katello to the katello shared group for reading sensitive files
+getent group katello-shared > /dev/null || groupadd -r katello-shared
+usermod -a -G katello-shared tomcat
@xsuchy Collaborator
xsuchy added a note

and user tomcat do not have to exist in this moment.
You should probably move this one line to %post section of headpin and katello (those top packages)
and change
Requires: candlepin-tomcat6
to
Requires(post): candlepin-tomcat6
to make sure tomcat exist in post phase.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@xsuchy
Collaborator

ACK

@jsomara jsomara merged commit a06b785 into Katello:master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
This page is out of date. Refresh to see the latest.
View
6 selinux/katello-selinux/katello-selinux.spec
@@ -43,7 +43,7 @@ Requires(post): /usr/sbin/semodule, /sbin/restorecon, /usr/sbin/setsebool, /us
Requires(post): policycoreutils-python
Requires(post): selinux-policy-targeted
Requires(postun): /usr/sbin/semodule, /sbin/restorecon
-Requires: %{modulename}-common
+Requires(pre): %{modulename}-common
%description
SELinux policy module supporting Katello.
@@ -94,7 +94,7 @@ install -m 0644 katello-selinux-enable.man8 %{buildroot}%{_mandir}/man8/katello-
install -m 0644 katello-selinux-relabel.man8 %{buildroot}%{_mandir}/man8/katello-selinux-relabel.8
# Install secure (extra protected) directory
-install -d %{buildroot}%{_sysconfdir}/katello/secure
+install -d -m 0750 %{buildroot}%{_sysconfdir}/katello/secure
@xsuchy Collaborator
xsuchy added a note

You should set group ownership in %files section too:
%attr(0755,root,katello-shared) %{_sysconfdir}/katello/secure

@jsomara
jsomara added a note

doesn't katello-selinux install first? which could fail if katello-shared is not created

@xsuchy Collaborator
xsuchy added a note

The order is random.
But you can enforce the order by
Requires(pre): katello-common
And I just audited the code and it should be safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
%post
if /usr/sbin/selinuxenabled ; then
@@ -123,7 +123,7 @@ fi
%{_mandir}/man8/*
%attr(0755,root,root) %{_sbindir}/%{name}-enable
%attr(0755,root,root) %{_sbindir}/%{name}-relabel
-%{_sysconfdir}/katello/secure
+%attr(0750,root,katello-shared) %{_sysconfdir}/katello/secure
%changelog
* Thu Sep 27 2012 Miroslav Suchý <msuchy@redhat.com> 1.1.2-1
View
13 src/katello.spec
@@ -158,7 +158,7 @@ Requires: %{name}-cli
Requires: postgresql-server
Requires: postgresql
Requires: pulp
-Requires: candlepin-tomcat6
+Requires(post): candlepin-tomcat6
Requires: candlepin-selinux
# the following backend engine deps are required by <katello-configure>
Requires: mongodb mongodb-server
@@ -217,7 +217,7 @@ Requires: katello-configure
Requires: katello-cli
Requires: postgresql-server
Requires: postgresql
-Requires: candlepin-tomcat6
+Requires(post): candlepin-tomcat6
Requires: thumbslug
Requires: thumbslug-selinux
@@ -504,6 +504,12 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN
%posttrans common
/sbin/service %{name} condrestart >/dev/null 2>&1 || :
+%post headpin
+usermod -a -G katello-shared tomcat
+
+%post katello
+usermod -a -G katello-shared tomcat
+
%files
%attr(600, katello, katello)
%{_bindir}/katello-*
@@ -708,6 +714,9 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN
getent group %{name} >/dev/null || groupadd -r %{name} -g 182
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{homedir} -u 182 -s /sbin/nologin -c "Katello" %{name}
+# add tomcat & katello to the katello shared group for reading sensitive files
+getent group katello-shared > /dev/null || groupadd -r katello-shared
+usermod -a -G katello-shared katello
exit 0
%preun common
View
5 src/script/katello-generate-passphrase
@@ -33,8 +33,13 @@ while getopts "f" opt; do
esac
done
+# prevent passphrase from being world-readable
+umask 0007
+
FILE=/etc/katello/secure/passphrase
[ $FORCE -eq 0 -a -f $FILE ] && \
echo "Passphrase file was already generated, you can only generate once" && exit 1
PASS=$(</dev/urandom tr -dc A-Za-z0-9 | head -c 64)
echo "$PASS" > $FILE
+
+chgrp katello-shared $FILE
Something went wrong with that request. Please try again.