3e644809f0
CVE-2024-23301 Upstream PR #3123 Resolves: RHEL-21534
33 lines
1.3 KiB
Diff
33 lines
1.3 KiB
Diff
From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
|
|
From: Johannes Meixner <jsmeix@suse.com>
|
|
Date: Fri, 12 Jan 2024 08:04:40 +0100
|
|
Subject: [PATCH] Make initrd accessible only by root (#3123)
|
|
|
|
In pack/GNU/Linux/900_create_initramfs.sh call
|
|
chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
|
|
to let only 'root' access the ReaR initrd because
|
|
the ReaR recovery system in the initrd can contain secrets
|
|
(not by default but when certain things are explicitly
|
|
configured by the user like SSH keys without passphrase)
|
|
see https://github.com/rear/rear/issues/3122
|
|
and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
|
|
---
|
|
usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
|
index 1e0c11039..12be718ed 100644
|
|
--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
|
+++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
|
|
@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
|
|
fi
|
|
;;
|
|
esac
|
|
+
|
|
+# Only root should be allowed to access the initrd
|
|
+# because the ReaR recovery system can contain secrets
|
|
+# cf. https://github.com/rear/rear/issues/3122
|
|
+test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
|
|
+
|
|
popd >/dev/null
|