Make initrd accessible only by root

This commit is contained in:
eabdullin 2024-04-10 08:33:48 +03:00
parent a3fe46d75a
commit 3984d5b59c
2 changed files with 65 additions and 3 deletions

View File

@ -0,0 +1,54 @@
From 7b0e8e2427cf6b10bffb410b66dd02272be3e386 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Mon, 8 Jan 2024 14:40:42 +0100
Subject: [PATCH 1/2] Make initrd accessible only by root
In pack/GNU/Linux/900_create_initramfs.sh call
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
to let only root access the initrd because
the ReaR recovery system can contain secrets
see https://github.com/rear/rear/issues/3122
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 1e0c11039c..5d3f67a84b 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
fi
;;
esac
+
+# Only root should allowed to access the initrd
+# because the ReaR recovery system can contain secrets
+# cf. https://github.com/rear/rear/issues/3122
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+
popd >/dev/null
From 1271257aedaa78e703c140a99f374fcecb48b4fd Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Mon, 8 Jan 2024 15:57:36 +0100
Subject: [PATCH 2/2] Update 900_create_initramfs.sh
Typo fix in comment:
"should allowed" -> "should be allowed"
---
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
index 5d3f67a84b..12be718ed8 100644
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -126,7 +126,7 @@ case "$REAR_INITRD_COMPRESSION" in
;;
esac
-# Only root should allowed to access the initrd
+# Only root should be allowed to access the initrd
# because the ReaR recovery system can contain secrets
# cf. https://github.com/rear/rear/issues/3122
test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"

View File

@ -3,7 +3,7 @@
Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
Name: rear Name: rear
Version: 2.6 Version: 2.6
Release: 10%{?dist} Release: 11%{?dist}.alma.1
License: GPLv3 License: GPLv3
Group: Applications/File Group: Applications/File
URL: http://relax-and-recover.org/ URL: http://relax-and-recover.org/
@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch
Patch61: rear-uefi-usb-secureboot-bz2196445.patch Patch61: rear-uefi-usb-secureboot-bz2196445.patch
Patch62: rear-vg-command-not-found-bz2121476.patch Patch62: rear-vg-command-not-found-bz2121476.patch
# Patches were taken from:
# https://github.com/rear/rear/pull/3123
Patch63: CVE-2024-23301.patch
### Dependencies on all distributions ### Dependencies on all distributions
BuildRequires: asciidoc BuildRequires: asciidoc
Requires: binutils Requires: binutils
@ -171,6 +175,7 @@ fi
%patch60 -p1 %patch60 -p1
%patch61 -p1 %patch61 -p1
%patch62 -p1 %patch62 -p1
%patch63 -p1
echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron
@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc
%{_sbindir}/rear %{_sbindir}/rear
%changelog %changelog
* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2.6-11.alma.1
- Make initrd accessible only by root (CVE-2024-23301)
* Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10 * Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10
- Apply PR 3027 to ensure correct creation of the rescue environment - Apply PR 3027 to ensure correct creation of the rescue environment
when a file is shrinking while being read when a file is shrinking while being read