Change file mode before changing file owner #600
Merged: wcawijngaards merged 1 commit into NLnetLabs:master from InfrastructureServices:remote-unix-chmod on Jan 7, 2022 (+1 −1)

Conversation
Change mode first when configuring the remote control unix socket. Some security systems might strip the capability of changing another user's system even from a process with effective uid 0. That is done on Fedora by SELinux policy and systemd, for example. SELinux audit then shows errors, because unbound tries modifying permissions of a file it does not own. Fix by doing the mode change as the first step, and make it owned by the unbound:unbound user as the last step only. Related: rhbz#1905441
Relevant audit log would look like:
Taken from RH bug.
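The ordering the commit message describes, written out as an added C example (this is not the PR's diff or unbound's own code; the function names, the socket path used in the check helper and the 0770 mode are assumptions): the socket file's permissions are restricted while the creating process still owns it, and ownership is handed to the service user as the last step.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create the unix-domain control socket at `path`. The order matters: the
 * mode is restricted while the creating (root) process still owns the file,
 * and ownership goes to the service user last. Reversed, a MAC policy such
 * as Fedora's SELinux may deny the chmod on a file that is no longer ours,
 * even with effective uid 0. Returns the listening fd or -1 (errno set). */
int create_control_socket(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    struct sockaddr_un sun;
    int fd, saved;
    if (strlen(path) >= sizeof(sun.sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    (void)unlink(path);                  /* drop a stale socket from an earlier run */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0 ||
        chmod(path, mode) < 0 ||         /* step 1: mode first, file is still ours */
        chown(path, uid, gid) < 0 ||     /* step 2: owner change as the LAST step */
        listen(fd, 5) < 0)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return -1;
}

/* Check helper (assumed, for the example): create the socket owned by ourselves
 * so it works unprivileged, read back the permission bits, clean up.
 * Returns 0770 for S_IRWXU|S_IRWXG, or -1 on failure. */
int control_socket_mode_demo(const char *path)
{
    struct stat st;
    int fd = create_control_socket(path, S_IRWXU | S_IRWXG, getuid(), getgid());
    if (fd < 0) return -1;
    int mode = (stat(path, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    close(fd);
    unlink(path);
    return mode;
}
```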
wcawijngaards approved these changes on Jan 7, 2022
Okay, that looks fine to do that first.
wcawijngaards added a commit that referenced this pull request on Jan 7, 2022
- Merge #600 from pemensik: Change file mode before changing file owner.
Merged the fix and also applied a similar fix to NSD, for its remote control unix socket code. That fix is in NLnetLabs/nsd@877c873 . Thank you for the fix up!
jedisct1 added a commit to jedisct1/unbound that referenced this pull request on Jan 13, 2022
* nlnet/master:
  - Fix prematurely terminated TCP queries when a reply has the same ID.
  Changelog note for NLnetLabs#600
  - Merge NLnetLabs#600 from pemensik: Change file mode before changing file owner.
  Change file mode before changing file owner
  Update documentation links
  - Fix for NLnetLabs#596: Fix rpz-signal-nxdomain-ra to work for clientip triggered operation.
  - Fix NLnetLabs#598: Fix unbound-checkconf fatal error: module conf 'respip dns64 validator iterator' is not known to work.
  - Fix for NLnetLabs#596: add unit test for nsip trigger and signal unset RA.
  - Fix for NLnetLabs#596: add unit test for nsdname trigger and signal unset RA.
  - Fix unit tests for rpz now that the AA flag returns successfully from the iterator loop.
  - Fix for NLnetLabs#596: fix that rpz return message is returned and not just the rcode from the iterator return path. This fixes signal unset RA after a CNAME.
  - Fix that RPZ does not set RD flag on replies, it should be copied from the query.
  - Fix NLnetLabs#596: only unset RA when NXDOMAIN is signalled.
  - Fix to add test for rpz-signal-nxdomain-ra.
  - Fix NLnetLabs#596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
  - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version.
  - Fix NLnetLabs#591: Unbound-anchor manpage links to non-existent license file.