Change file mode before changing file owner #600

Merged


@pemensik pemensik commented Jan 7, 2022

Change mode first when configuring remote control unix socket. Some
security systems might strip the capability of changing other user's system
even from a process with effective uid 0. That is done on Fedora by SELinux
policy and systemd, for example. SELinux audit then shows errors, because
unbound tries modifying permissions of a file it does not own. Fix just by
changing the mode as the first step, and make it owned by unbound:unbound
user as the last step only.

Related: rhbz#1905441

pemensik commented Jan 7, 2022

Relevant audit log would look like:

type=PROCTITLE msg=audit(12/11/2020 04:34:30.280:1043) : proctitle=/usr/sbin/unbound -d 
type=PATH msg=audit(12/11/2020 04:34:30.280:1043) : item=0 name=/run/unbound/unbound.control.pipe inode=72069 dev=00:18 mode=socket,755 ouid=unbound ogid=unbound rdev=00:00 obj=system_u:object_r:named_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/11/2020 04:34:30.280:1043) : cwd=/etc/unbound 
type=SYSCALL msg=audit(12/11/2020 04:34:30.280:1043) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x55c3d2ca00a0 a1=0660 a2=0x3e2 a3=0x0 items=1 ppid=1 pid=30404 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=unbound exe=/usr/sbin/unbound subj=system_u:system_r:named_t:s0 key=(null) 
type=AVC msg=audit(12/11/2020 04:34:30.280:1043) : avc:  denied  { fsetid } for  pid=30404 comm=unbound capability=fsetid  scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(12/11/2020 04:34:30.280:1043) : avc:  denied  { fsetid } for  pid=30404 comm=unbound capability=fsetid  scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=capability permissive=0 

Taken from RH bug.
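
Added example, not part of the pull request or of Unbound: a Python sketch that groups audit records by event serial and reports each syscall that drew an SELinux capability denial, which is the pattern in the log above. The sample records are constructed (abbreviated from that log, plus one unrelated event), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the audit log quoted above, plus one
# unrelated event (serial 1044) that carries no denial.
SAMPLE = """\
type=PATH msg=audit(12/11/2020 04:34:30.280:1043) : item=0 name=/run/unbound/unbound.control.pipe mode=socket,755 ouid=unbound ogid=unbound
type=SYSCALL msg=audit(12/11/2020 04:34:30.280:1043) : arch=x86_64 syscall=chmod success=yes exit=0 a1=0660 uid=root euid=root comm=unbound exe=/usr/sbin/unbound
type=AVC msg=audit(12/11/2020 04:34:30.280:1043) : avc:  denied  { fsetid } for  pid=30404 comm=unbound capability=fsetid  scontext=system_u:system_r:named_t:s0 tclass=capability permissive=0
type=AVC msg=audit(12/11/2020 04:34:30.280:1043) : avc:  denied  { fsetid } for  pid=30404 comm=unbound capability=fsetid  scontext=system_u:system_r:named_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(12/11/2020 04:34:31.000:1044) : arch=x86_64 syscall=chown success=yes exit=0 uid=root euid=root comm=unbound exe=/usr/sbin/unbound
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
DENIED = re.compile(r"denied\s+\{ ([^}]*) \}")

def group_events(text):
    """Map event serial -> record type -> list of record bodies."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, _timestamp, serial, body = m.groups()
            events[int(serial)][rtype].append(body)
    return events

def first_fields(recs, rtype):
    """Key=value fields of the first record of a type, or {} if absent."""
    return dict(FIELD.findall(recs[rtype][0])) if recs.get(rtype) else {}

def capability_denials(text):
    """One finding per event in which an AVC denied a capability."""
    findings = []
    for serial, recs in sorted(group_events(text).items()):
        caps = set()
        for body in recs.get("AVC", []):
            m = DENIED.search(body)
            if m and dict(FIELD.findall(body)).get("tclass") == "capability":
                caps.update(m.group(1).split())
        if not caps:
            continue
        sc, path = first_fields(recs, "SYSCALL"), first_fields(recs, "PATH")
        findings.append({
            "serial": serial, "syscall": sc.get("syscall"), "comm": sc.get("comm"),
            "path": path.get("name"), "capabilities": sorted(caps),
            # True when the caller's effective uid is not the file's owner
            "owner_mismatch": sc.get("euid") != path.get("ouid"),
        })
    return findings
```
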

@wcawijngaards wcawijngaards left a comment

Okay, that looks fine to do that first.

@wcawijngaards wcawijngaards merged commit 370a855 into NLnetLabs:master Jan 7, 2022
wcawijngaards added a commit that referenced this pull request Jan 7, 2022
- Merge #600 from pemensik: Change file mode before changing file
  owner.
@wcawijngaards

Merged the fix and also applied a similar fix to NSD, for its remote control unix socket code. That fix is in NLnetLabs/nsd@877c873 . Thank you for the fix up!

jedisct1 added a commit to jedisct1/unbound that referenced this pull request Jan 13, 2022
* nlnet/master:
  - Fix prematurely terminated TCP queries when a reply has the same ID.
  Changelog note for NLnetLabs#600 - Merge NLnetLabs#600 from pemensik: Change file mode before changing file   owner.
  Change file mode before changing file owner
  Update documentation links
  - Fix for NLnetLabs#596: Fix rpz-signal-nxdomain-ra to work for clientip   triggered operation.
  - Fix NLnetLabs#598: Fix unbound-checkconf fatal error: module conf   'respip dns64 validator iterator' is not known to work.
  - Fix for NLnetLabs#596: add unit test for nsip trigger and signal unset RA.
  - Fix for NLnetLabs#596: add unit test for nsdname trigger and signal unset RA.
  - Fix unit tests for rpz now that the AA flag returns successfully from   the iterator loop.
  - Fix for NLnetLabs#596: fix that rpz return message is returned and not just   the rcode from the iterator return path. This fixes signal unset RA   after a CNAME.
  - Fix that RPZ does not set RD flag on replies, it should be copied   from the query.
  - Fix NLnetLabs#596: only unset RA when NXDOMAIN is signalled.
  - Fix to add test for rpz-signal-nxdomain-ra.
  - Fix NLnetLabs#596: unset the RA bit when a query is blocked by an unbound   RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to   signal that a domain is externally blocked to clients when it   is blocked with NXDOMAIN by unsetting RA.
  - contrib/aaaa-filter-iterator.patch file renewed diff content to   apply cleanly to the current coderepo for the current code version.
  - Fix NLnetLabs#591: Unbound-anchor manpage links to non-existent license file.