
Remove setuid root binary /usr/sbin/zypp-refresh-wrapper (bnc#724832)

commit 286770e489199da2d26ad4cba94b097b438b9e42 1 parent d7ae0f0
Michael Andres mlandres authored
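--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -118,13 +118,6 @@ INSTALL(
 RUNTIME DESTINATION ${INSTALL_PREFIX}/sbin
 )
-ADD_EXECUTABLE( zypp-refresh-wrapper zypp-refresh-wrapper.c )
-TARGET_LINK_LIBRARIES( zypp-refresh-wrapper ${ZYPP_LIBRARY} )
-INSTALL(
- TARGETS zypp-refresh-wrapper
- RUNTIME DESTINATION ${INSTALL_PREFIX}/sbin
-)
-
 # bash completion script
 INSTALL(
 FILES bash-completion.sh
@@ -133,7 +126,7 @@ INSTALL(
 )
-# installation_sources script
+# installation_sources script
 INSTALL(
 PROGRAMS installation_sources
 DESTINATION ${INSTALL_PREFIX}/bin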
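--- a/src/zypp-refresh-wrapper.c
+++ b/src/zypp-refresh-wrapper.c
@@ -1,98 +0,0 @@
-/* A setuid-root wrapper for zypp-refresh utility */
-
-/* setgid, umask and open */
-#include <sys/stat.h>
-#include <grp.h>
-#include <fcntl.h>
-/* clearenv */
-#include <stdlib.h>
-/* chdir, execl, setuid, exit */
-#include <unistd.h>
-/* perror */
-#include <stdio.h>
-
-#define WRAPPER_ERROR 101
-
-const char *app = "/usr/sbin/zypp-refresh";
-/* const char *arg1 = ""; */
-
-char *lang = NULL;
-
-int main (void)
-{
- /* see http://rechner.lst.de/~okir/blackhats/node41.html */
- while (1)
- {
- int fd = open("/dev/null", O_RDWR);
- if (fd < 0)
- return WRAPPER_ERROR;
- if (fd > 2) {
- close(fd);
- break;
- }
- }
-
- /* see http://rechner.lst.de/~okir/blackhats/node35.html */
- int fd = getdtablesize();
- while (--fd > 2)
- close(fd);
-
- /* cd / to avoid NFS problems */
- if (chdir ("/"))
- {
- perror ("chdir");
- return WRAPPER_ERROR;
- }
-
- /* save language */
- lang = getenv("LANG");
-
- /* do not look at argv... done */
- /* clear environment */
- if (clearenv ())
- {
- fprintf (stderr, "clearenv failed\n");
- return WRAPPER_ERROR;
- }
-
-
- /* set minimal environment... done */
- /* prevent the user from sending signals */
-
- if (initgroups("root", 0) != 0 || setgid (0) != 0)
- {
- fprintf (stdout,
- "Unable to refresh repositories because /usr/sbin/zypp-refresh-wrapper"
- " helper programm is not set SUID root.\n"
- "This problem might be solved by setting 'File Permissons' in YaST"
- " 'Local Security' tab to 'easy' or by modifying"
- " /etc/permissions.local\n");
- return WRAPPER_ERROR;
- }
-
- if (setuid (0) != 0)
- {
- // perror ("setuid");
- // Forgot to chmod this program?
- fprintf (stdout,
- "Unable to refresh repositories because /usr/sbin/zypp-refresh-wrapper"
- " helper programm is not set SUID root.\n"
- "This problem might be solved by setting 'File Permissons' in YaST"
- " 'Local Security' tab to 'easy' or by modifying"
- " /etc/permissions.local\n");
- return WRAPPER_ERROR;
- }
-
- umask(0022);
-
- /* set language */
- if (lang != NULL)
- setenv("LANG", lang, 1);
-
- /* execute the real application */
- execl (app, app, (char *) NULL);
-
- /* if we are still here, it has failed */
- perror ("execl");
- return WRAPPER_ERROR;
-}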
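--- a/zypper.spec.cmake
+++ b/zypper.spec.cmake
@@ -136,10 +136,6 @@ touch $RPM_BUILD_ROOT%{_var}/log/zypper.log
 %post
 %run_permissions
-%verifyscript
-%verify_permissions -e %{_sbindir}/zypp-refresh-wrapper
-%endif
-
 %clean
 rm -rf "$RPM_BUILD_ROOT"
@@ -152,7 +148,6 @@ rm -rf "$RPM_BUILD_ROOT"
 %{_bindir}/zypper
 %{_bindir}/installation_sources
 %{_sbindir}/zypp-refresh
-%verify(not mode) %attr (755,root,root) %{_sbindir}/zypp-refresh-wrapper
 %dir %{_datadir}/zypper
 %{_datadir}/zypper/zypper.aug
 %dir %{_datadir}/zypper/xml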