Skip to content

Commit ef2d756

Browse files
committed
packaging: SECURITY, insecure temp files on rpm package installation
1 parent a83c862 commit ef2d756

File tree

6 files changed

+53
-41
lines changed

6 files changed

+53
-41
lines changed

Diff for: packaging/fedora/17/libreswan.spec

+9-7
Original file line numberDiff line numberDiff line change
@@ -149,8 +149,8 @@ install -d %{buildroot}%{_sbindir}
149149
mkdir -p %{buildroot}%{_libdir}/fipscheck
150150
%endif
151151

152-
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
153-
rm -fr %{buildroot}/etc/rc.d/rc*
152+
echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
153+
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
154154

155155
%files
156156
%doc BUGS CHANGES COPYING CREDITS README LICENSE
@@ -195,11 +195,13 @@ if [ $1 -eq 1 ] ; then
195195
# Initial installation
196196
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
197197
fi
198-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
199-
echo > /var/tmp/libreswan-nss-pwd
200-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
201-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
202-
rm /var/tmp/libreswan-nss-pwd
198+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
199+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
200+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
201+
echo > ${TEMPFILE}
202+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
203+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
204+
rm -f ${TEMPFILE}
203205
fi
204206

205207

Diff for: packaging/fedora/18/libreswan.spec

+10-8
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
9999
USE_XAUTHPAM=true \
100100
%if %{USE_FIPSCHECK}
101101
USE_FIPSCHECK="%{USE_FIPSCHECK}" \
102-
FIPSPRODUCTCHECK=/etc/system-fips \
102+
FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \
103103
%endif
104104
USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
105105
USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
@@ -153,8 +153,8 @@ install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
153153
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
154154
%endif
155155

156-
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
157-
rm -fr %{buildroot}/etc/rc.d/rc*
156+
echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
157+
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
158158

159159
%files
160160
%doc BUGS CHANGES COPYING CREDITS README LICENSE
@@ -190,11 +190,13 @@ rm -fr %{buildroot}/etc/rc.d/rc*
190190

191191
%post
192192
%systemd_post ipsec.service
193-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
194-
echo > /var/tmp/libreswan-nss-pwd
195-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
196-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
197-
rm /var/tmp/libreswan-nss-pwd
193+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
194+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
195+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
196+
echo > ${TEMPFILE}
197+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
198+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
199+
rm -f ${TEMPFILE}
198200
fi
199201

200202
%changelog

Diff for: packaging/fedora/19/libreswan.spec

+10-8
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
9999
USE_XAUTHPAM=true \
100100
%if %{USE_FIPSCHECK}
101101
USE_FIPSCHECK="%{USE_FIPSCHECK}" \
102-
FIPSPRODUCTCHECK=/etc/system-fips \
102+
FIPSPRODUCTCHECK=%{_syconfdir}/system-fips \
103103
%endif
104104
USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
105105
USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
@@ -153,8 +153,8 @@ install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
153153
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
154154
%endif
155155

156-
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
157-
rm -fr %{buildroot}/etc/rc.d/rc*
156+
echo "include %{_syconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
157+
rm -fr %{buildroot}%{_syconfdir}/rc.d/rc*
158158

159159
%files
160160
%doc BUGS CHANGES COPYING CREDITS README LICENSE
@@ -190,11 +190,13 @@ rm -fr %{buildroot}/etc/rc.d/rc*
190190

191191
%post
192192
%systemd_post ipsec.service
193-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
194-
echo > /var/tmp/libreswan-nss-pwd
195-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
196-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
197-
rm /var/tmp/libreswan-nss-pwd
193+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
194+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
195+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
196+
echo > ${TEMPFILE}
197+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
198+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
199+
rm -f ${TEMPFILE}
198200
fi
199201

200202
%changelog

Diff for: packaging/rhel/5/libreswan.spec

+7-5
Original file line numberDiff line numberDiff line change
@@ -191,11 +191,13 @@ fi
191191

192192
%post
193193
/sbin/chkconfig --add ipsec || :
194-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
195-
echo > /var/tmp/libreswan-nss-pwd
196-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
197-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
198-
rm /var/tmp/libreswan-nss-pwd
194+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
195+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
196+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
197+
echo > ${TEMPFILE}
198+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
199+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
200+
rm -f ${TEMPFILE}
199201
fi
200202

201203
%changelog

Diff for: packaging/rhel/6/libreswan.spec

+10-8
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
9696
USE_NM=%{USE_NM} \
9797
USE_XAUTHPAM=true \
9898
USE_FIPSCHECK=%{USE_FIPSCHECK} \
99-
FIPSPRODUCTCHECK="/etc/system-fips" \
99+
FIPSPRODUCTCHECK="%{_sysconfdir}/system-fips" \
100100
USE_LIBCAP_NG=%{USE_LIBCAP_NG} \
101101
USE_LABELED_IPSEC=%{USE_LABELED_IPSEC} \
102102
USE_LDAP=%{USE_CRL_FETCHING} \
@@ -143,8 +143,8 @@ install -d %{buildroot}%{_sbindir}
143143
# replace with rhel[56] specific version
144144
install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
145145

146-
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
147-
rm -fr %{buildroot}/etc/rc.d/rc*
146+
echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
147+
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
148148

149149
%files
150150
%doc BUGS CHANGES COPYING CREDITS README LICENSE
@@ -185,11 +185,13 @@ fi
185185
%if %{USE_FIPSCHECK}
186186
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
187187
%endif
188-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
189-
echo > /var/tmp/libreswan-nss-pwd
190-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
191-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
192-
rm /var/tmp/libreswan-nss-pwd
188+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
189+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
190+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
191+
echo > ${TEMPFILE}
192+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
193+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
194+
rm -f ${TEMPFILE}
193195
fi
194196

195197
%changelog

Diff for: packaging/rhel/7/libreswan.spec

+7-5
Original file line numberDiff line numberDiff line change
@@ -190,11 +190,13 @@ rm -fr %{buildroot}/etc/rc.d/rc*
190190
%if %{USE_FIPSCHECK}
191191
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
192192
%endif
193-
if [ ! -f /etc/ipsec.d/cert8.db ] ; then
194-
echo > /var/tmp/libreswan-nss-pwd
195-
certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
196-
restorecon /etc/ipsec.d/*db 2>/dev/null || :
197-
rm /var/tmp/libreswan-nss-pwd
193+
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
194+
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
195+
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
196+
echo > ${TEMPFILE}
197+
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
198+
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
199+
rm -f ${TEMPFILE}
198200
fi
199201

200202
%changelog

0 commit comments

Comments
 (0)