Make initrd accessible only by root

2024-04-10 08:33:48 +03:00 · 2024-04-10 08:33:48 +03:00 · 3984d5b59c
commit 3984d5b59c
parent a3fe46d75a
2 changed files with 65 additions and 3 deletions
--- a/SOURCES/CVE-2024-23301.patch
+++ b/SOURCES/CVE-2024-23301.patch
@ -0,0 +1,54 @@
 From 7b0e8e2427cf6b10bffb410b66dd02272be3e386 Mon Sep 17 00:00:00 2001
 From: Johannes Meixner <jsmeix@suse.com>
 Date: Mon, 8 Jan 2024 14:40:42 +0100
 Subject: [PATCH 1/2] Make initrd accessible only by root
 In pack/GNU/Linux/900_create_initramfs.sh call
 chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
 to let only root access the initrd because
 the ReaR recovery system can contain secrets
 see https://github.com/rear/rear/issues/3122
 ---
 usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
 index 1e0c11039c..5d3f67a84b 100644
 --- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
 +++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
         fi
         ;;
 esac
 +
 +# Only root should allowed to access the initrd
 +# because the ReaR recovery system can contain secrets
 +# cf. https://github.com/rear/rear/issues/3122
 +test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
 +
 popd >/dev/null
 From 1271257aedaa78e703c140a99f374fcecb48b4fd Mon Sep 17 00:00:00 2001
 From: Johannes Meixner <jsmeix@suse.com>
 Date: Mon, 8 Jan 2024 15:57:36 +0100
 Subject: [PATCH 2/2] Update 900_create_initramfs.sh
 Typo fix in comment:
 "should allowed" -> "should be allowed"
 ---
 usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
 index 5d3f67a84b..12be718ed8 100644
 --- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
 +++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
@@ -126,7 +126,7 @@ case "$REAR_INITRD_COMPRESSION" in
         ;;
 esac
 -# Only root should allowed to access the initrd
 +# Only root should be allowed to access the initrd
 # because the ReaR recovery system can contain secrets
 # cf. https://github.com/rear/rear/issues/3122
 test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
--- a/SPECS/rear.spec
+++ b/SPECS/rear.spec
@ -3,7 +3,7 @@
 Summary:    Relax-and-Recover is a Linux disaster recovery and system migration tool
 Name:       rear
 Version:    2.6
-Release:    10%{?dist}
+Release:    11%{?dist}.alma.1
 License:    GPLv3
 Group:      Applications/File
 URL:        http://relax-and-recover.org/
@ -40,6 +40,10 @@ Patch60: rear-luks-key-bz2228779.patch
 Patch61: rear-uefi-usb-secureboot-bz2196445.patch
 Patch62: rear-vg-command-not-found-bz2121476.patch
 # Patches were taken from:
 # https://github.com/rear/rear/pull/3123
 Patch63: CVE-2024-23301.patch
 ### Dependencies on all distributions
 BuildRequires:   asciidoc
 Requires:   binutils
@ -171,6 +175,7 @@ fi
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
 echo "30 1 * * * root test -f /var/lib/rear/layout/disklayout.conf && /usr/sbin/rear checklayout || /usr/sbin/rear mkrescue" >rear.cron
@ -204,6 +209,9 @@ TZ=UTC %{__make} -C doc
 %{_sbindir}/rear
 %changelog
 * Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2.6-11.alma.1
 - Make initrd accessible only by root (CVE-2024-23301)
 * Tue Aug 22 2023 Pavel Cahyna <pcahyna@redhat.com> - 2.6-10
 - Apply PR 3027 to ensure correct creation of the rescue environment
  when a file is shrinking while being read