tcpwrappers /etc/hosts.deny permissions bug fix

Bug fix to not modify /etc/hosts.deny permissions when removing tcpwrappers auto-block rules. This issue was reported as Debian bug #724267 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724267) and relayed via Franck Joncourt. Closes issue #7 on github.
mrash · Feb 15, 2014 · a06ce15 · a06ce15
1 parent 11ea904
commit a06ce15
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -8,6 +8,10 @@ psad-2.2.3 (//2014):
       copied to the /etc/init.d/ directory.
     - (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases
       in IGNORE_INTERFACES.  This fixes issue #8 on github.
+    - Bug fix to not modify /etc/hosts.deny permissions when removing
+      tcpwrappers auto-block rules. This issue was reported as Debian bug
+      #724267 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724267) and
+      relayed via Franck Joncourt. Closes issue #7 on github.
 
 psad-2.2.2 (01/13/2014):
     - Added detection for Errata Security's "Masscan" port scanner that was

diff --git a/psad b/psad
@@ -6819,6 +6819,9 @@ sub tcpwr_rm_block() {
         "$config{'ETC_HOSTS_DENY_FILE'}: $!";
     my @lines = <T>;
     close T;
+
+    my $orig_perms = (stat($config{'ETC_HOSTS_DENY_FILE'}))[2] & 07777;
+
     open T, "> $config{'ETC_HOSTS_DENY_FILE'}.tmp" or die '[*] Could not open ',
         "$config{'ETC_HOSTS_DENY_FILE'}.tmp: $!";
     for my $line (@lines) {
@@ -6836,6 +6839,10 @@ sub tcpwr_rm_block() {
         }
     }
     close T;
+
+    ### set permissions on the tmp file to be identical to the original
+    chmod $orig_perms, "$config{'ETC_HOSTS_DENY_FILE'}.tmp";
+
     move "$config{'ETC_HOSTS_DENY_FILE'}.tmp", $config{'ETC_HOSTS_DENY_FILE'}
         or die "[*] Could not move $config{'ETC_HOSTS_DENY_FILE'}.tmp -> ",
         "$config{'ETC_HOSTS_DENY_FILE'}";