Fix incorrect permissions on kdump dmesg file

Also known as CVE-2021-20269. The kdump dmesg log files (kexec-dmesg.log,
vmcore-dmesg.txt) are created by shell redirection, so they take their mode
from the default umask, which leaves them readable by group and others.

This patch chmod these files, making them only accessible to owner.

Signed-off-by: Tao Liu <ltao@redhat.com>
Acked-by: Kairui Song <kasong@redhat.com>
Tao Liu 2021-03-18 16:52:46 +08:00 committed by Kairui Song
parent 00785873ef
commit 91c802ff52
2 changed files with 3 additions and 0 deletions


@ -849,6 +849,7 @@ install() {
inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg" inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
inst "/usr/bin/printf" "/sbin/printf" inst "/usr/bin/printf" "/sbin/printf"
inst "/usr/bin/logger" "/sbin/logger" inst "/usr/bin/logger" "/sbin/logger"
inst "/usr/bin/chmod" "/sbin/chmod"
inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh" inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh" inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh" inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
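Review bot: The added `inst "/usr/bin/chmod" "/sbin/chmod"` in install() is needed only because this commit corrects the mode after the files already exist. In save_log the log is still written through `>> $KDUMP_LOG_FILE` under the default umask, so it stays group- and other-readable until `chmod 600` runs. Setting `umask 077` (a shell builtin) before the first write in save_log and save_vmcore_dmesg_fs would create both files owner-only from the start and would not need the extra binary in the initramfs. The `chmod 600 ${_path}/vmcore-dmesg.txt` call also sits inside the `_exitcode -eq 0` branch, so vmcore-dmesg-incomplete.txt presumably keeps the default mode when the dump fails, which is worth confirming. install() starts and ends outside this hunk.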


@ -111,6 +111,7 @@ save_log()
if command -v journalctl > /dev/null; then if command -v journalctl > /dev/null; then
journalctl -ab >> $KDUMP_LOG_FILE journalctl -ab >> $KDUMP_LOG_FILE
fi fi
chmod 600 $KDUMP_LOG_FILE
} }
# dump_fs <mount point> # dump_fs <mount point>
@ -178,6 +179,7 @@ save_vmcore_dmesg_fs() {
_exitcode=$? _exitcode=$?
if [ $_exitcode -eq 0 ]; then if [ $_exitcode -eq 0 ]; then
mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
chmod 600 ${_path}/vmcore-dmesg.txt
# Make sure file is on disk. There have been instances where later # Make sure file is on disk. There have been instances where later
# saving vmcore failed and system rebooted without sync and there # saving vmcore failed and system rebooted without sync and there