Fix incorrect permissions on kdump dmesg file
Also known as CVE-2021-20269. The kdump dmesg log files (kexec-dmesg.log, vmcore-dmesg.txt) are generated by shell redirection, which takes the default umask value, making the files readable by group and others. This patch chmods these files, making them accessible only to the owner. Signed-off-by: Tao Liu <ltao@redhat.com> Acked-by: Kairui Song <kasong@redhat.com>
parent
00785873ef
commit
91c802ff52
@ -849,6 +849,7 @@ install() {
|
|||||||
inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
|
inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
|
||||||
inst "/usr/bin/printf" "/sbin/printf"
|
inst "/usr/bin/printf" "/sbin/printf"
|
||||||
inst "/usr/bin/logger" "/sbin/logger"
|
inst "/usr/bin/logger" "/sbin/logger"
|
||||||
|
inst "/usr/bin/chmod" "/sbin/chmod"
|
||||||
inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
|
inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
|
||||||
inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
|
inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
|
||||||
inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
|
inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
|
||||||
|
@ -111,6 +111,7 @@ save_log()
|
|||||||
if command -v journalctl > /dev/null; then
|
if command -v journalctl > /dev/null; then
|
||||||
journalctl -ab >> $KDUMP_LOG_FILE
|
journalctl -ab >> $KDUMP_LOG_FILE
|
||||||
fi
|
fi
|
||||||
|
chmod 600 $KDUMP_LOG_FILE
|
||||||
}
|
}
|
||||||
|
|
||||||
# dump_fs <mount point>
|
# dump_fs <mount point>
|
||||||
@ -178,6 +179,7 @@ save_vmcore_dmesg_fs() {
|
|||||||
_exitcode=$?
|
_exitcode=$?
|
||||||
if [ $_exitcode -eq 0 ]; then
|
if [ $_exitcode -eq 0 ]; then
|
||||||
mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
|
mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
|
||||||
|
chmod 600 ${_path}/vmcore-dmesg.txt
|
||||||
|
|
||||||
# Make sure file is on disk. There have been instances where later
|
# Make sure file is on disk. There have been instances where later
|
||||||
# saving vmcore failed and system rebooted without sync and there
|
# saving vmcore failed and system rebooted without sync and there
|
||||||
|
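Review bot: Both added `chmod 600` calls run only after the file has been created and written through redirection under the default umask, so in save_log and save_vmcore_dmesg_fs the log stays group/other-readable on the dump target while it is being written. Setting `umask 077` before the first redirection (or once near the top of the script) would create the files owner-only from the start and make the later chmod a backstop rather than the only control. In save_vmcore_dmesg_fs the chmod sits inside the `[ $_exitcode -eq 0 ]` branch, so vmcore-dmesg-incomplete.txt appears to keep its permissive mode when the dump fails; the failure branch is outside the hunk, so confirm that. The paths should also be quoted, e.g. `chmod 600 "$KDUMP_LOG_FILE"` and `chmod 600 "${_path}/vmcore-dmesg.txt"`, so a dump path containing whitespace does not leave the file unprotected.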