Fixes RHEL-31951

Backport Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 Resolves #RHEL-31951
2024-04-09 09:15:38 -04:00 · 2024-04-09 09:15:38 -04:00 · d2dcf5861e
parent 84202ad9c1
commit d2dcf5861e
5 changed files with 176 additions and 121 deletions
--- a/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
+++ b/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
@ -1,56 +0,0 @@
-From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001
-From: Jonathan Lebon <jonathan@jlebon.com>
-Date: Thu, 22 Feb 2024 14:44:50 -0500
-Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe
-
-This is sometimes used in scripts to query aspects of the host system.
-E.g. this is used by Fedora's pkg-config:
-
-https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6
-
-This in turn gets hit by kdump which runs dracut which has modules that
-runs `pkgconf` to query some directory paths.
---
- rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs
-index c6ed5901..3332f76c 100644
--- a/rust/src/cliwrap/rpm.rs
-+++ b/rust/src/cliwrap/rpm.rs
-@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command {
-                 .long("version")
-                 .action(clap::ArgAction::Version),
-         )
-+        .arg(
-+            Arg::new("eval")
-+                .long("eval")
-+                .short('E')
-+                .action(clap::ArgAction::Set),
-+        )
-         .arg(
-             Arg::new("package")
-                 .help("package")
-@@ -130,6 +136,19 @@ mod tests {
-         Ok(())
-     }
- 
-+    #[test]
-+    fn test_eval() -> Result<()> {
-+        assert_eq!(
-+            disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?,
-+            RunDisposition::Ok
-+        );
-+        assert_eq!(
-+            disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?,
-+            RunDisposition::Ok
-+        );
-+        Ok(())
-+    }
-+
-     #[test]
-     fn test_query_file() -> Result<()> {
-         assert_eq!(
-- 
-2.43.2
-
--- a/0001-main-Update-ostree-ext-add-provisional-repair-entryp.patch
+++ b/0001-main-Update-ostree-ext-add-provisional-repair-entryp.patch
@ -1,64 +0,0 @@
-From 53fb8c7cb7075e4ecda4564f3a17af84ad4a2e32 Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Fri, 21 Jul 2023 15:21:00 -0400
-Subject: [PATCH] main: Update ostree-ext, add provisional-repair entrypoint
-
-This updates us to vendor the provisional-repair code.  One can
-now run `ostree provisional-repair` directly.
-
-(Yes, it's very confusing how in rpm-ostree, we vendor the ostree-ext
- source, and then install a wrapper symlink which tells the main
- (C) `ostree` binary to call back into us... but it's how the
- `ostree container` stuff has been working for a long time)
---
- Cargo.lock             | 4 ++--
- Makefile-rpm-ostree.am | 1 +
- rust/src/main.rs       | 4 +++-
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/Cargo.lock b/Cargo.lock
-index 5ae6366a..c6826a4d 100644
--- a/Cargo.lock
-+++ b/Cargo.lock
-@@ -1775,9 +1775,9 @@ dependencies = [
- 
- [[package]]
- name = "ostree-ext"
-version = "0.11.1"
-+version = "0.11.3"
- source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a690495144c18cb333a67a2ec61dd008831710bbd37804cfa79ab93b51146a6f"
-+checksum = "8511513a60fa0c20a84ba8d30255286687c848bec21d24cd3dd4d16ecf48123b"
- dependencies = [
-  "anyhow",
-  "async-compression 0.3.15",
-diff --git a/Makefile-rpm-ostree.am b/Makefile-rpm-ostree.am
-index 2ef84f83..be80a6d7 100644
--- a/Makefile-rpm-ostree.am
-+++ b/Makefile-rpm-ostree.am
-@@ -132,6 +132,7 @@ install-rpmostree-hook:
- 	install -m 0755 -t $(DESTDIR)$(bindir) rpm-ostree
- 	install -d -m 0755 $(ostreeextdir)
- 	ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-ima-sign 
-+	ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-provisional-repair 
- 	ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-container
- INSTALL_EXEC_HOOKS += install-rpmostree-hook
- 
-diff --git a/rust/src/main.rs b/rust/src/main.rs
-index 9088c5f0..569cf094 100644
--- a/rust/src/main.rs
-+++ b/rust/src/main.rs
-@@ -53,7 +53,9 @@ async fn dispatch_ostree_ext(args: Vec<String>) -> Result<i32> {
- /// Dispatch multicall binary to relevant logic, based on callname from `argv[0]`.
- async fn dispatch_multicall(callname: String, args: Vec<String>) -> Result<i32> {
-     match callname.as_str() {
-        "ostree-container" | "ostree-ima-sign" => dispatch_ostree_ext(args).await,
-+        "ostree-container" | "ostree-ima-sign" | "ostree-provisional-repair" => {
-+            dispatch_ostree_ext(args).await
-+        }
-         _ => inner_async_main(args).await, // implicitly includes "rpm-ostree"
-     }
- }
-- 
-2.40.1
-
--- a/0001-unit-chmod-etc-g-shadow-to-0000.patch
+++ b/0001-unit-chmod-etc-g-shadow-to-0000.patch
@ -0,0 +1,79 @@
+From 7d27c0a85af81d8f6dffc8bf1fa0ab13b77859c0 Mon Sep 17 00:00:00 2001
+From: jbtrystram <jbtrystram@redhat.com>
+Date: Thu, 21 Mar 2024 17:27:21 +0100
+Subject: [PATCH 1/2] unit: chmod /etc/[g]shadow[-] to 0000
+
+fdb879c introduced a regression where /etc/[g]shadow[-] files where
+created with default permissions: 0644
+
+This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
+before interactive login is allowed on a system.
+
+This will fix the systems that were deployed with the above issue.
+
+We keep the stamp in /etc to account for the case where a deployment
+with this unit is rolled back. If we used /var, the stamp would have
+stayed but the fix would not be re-applied on the next update.
+---
+ Makefile-daemon.am                            |  1 +
+ packaging/rpm-ostree.spec.in                  |  5 +++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+ create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
+
+diff --git a/Makefile-daemon.am b/Makefile-daemon.am
+index 4233d90d..f96f49a9 100644
+--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
+@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
+ 	rpm-ostreed-automatic.service \
+ 	rpm-ostree-bootstatus.service \
+ 	rpm-ostree-countme.service \
+	rpm-ostree-fix-shadow-mode.service \
+ 	$(NULL)
+ 
+ systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
+diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
+index 8aa9afaa..f734f676 100644
+--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
+@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
+ # Setup rpm-ostree-countme.timer according to presets
+ %post
+ %systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
+ 
+ %preun
+ %systemd_preun rpm-ostree-countme.timer
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+new file mode 100644
+index 00000000..4aea7462
+--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+-- 
+2.44.0
+
--- a/0002-passwd-create-etc-g-shadow-with-mode-0.patch
+++ b/0002-passwd-create-etc-g-shadow-with-mode-0.patch
@ -0,0 +1,83 @@
+From 3b4c96c5c49a537fba2e0cda0c6ee6bd58cac625 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 19 Mar 2024 15:20:43 -0400
+Subject: [PATCH 2/2] passwd: create `/etc/[g]shadow` with mode 0
+
+Because of how our composes work, we need to manually inject
+passwd-related things before installing packages. A somewhat recent
+regression in that area made it so that the `/etc/shadow` and
+`/etc/gshadow` files were created with default permissions (0644), which
+meant they were world readable.
+
+Fix this by explicitly setting their modes to 0. Ideally, we would rely
+on the canonical permissions set in the `setup` package here, but it's
+tricky to fix that without reworking how we install `setup` and handle
+`passwd` treefile options.
+
+Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
+`etc/{passwd,group}`").
+
+Fixes #4401
+---
+ rust/src/passwd.rs             | 14 ++++++++++++++
+ tests/compose/libbasic-test.sh |  5 +++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 79ee488f..8f0e5841 100644
+--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
+@@ -421,6 +421,12 @@ fn write_data_from_treefile(
+     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
+     let shadow_name = target.shadow_file();
+     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+    // Ideally these permissions come from `setup`, which is the package
+    // that owns these files:
+    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+    // But at this point of the compose, the rootfs is completely empty; we
+    // haven't started unpacking things yet. So we need to hardcode it here.
+    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
+ 
+     match target {
+         PasswdKind::User => {
+@@ -430,6 +436,10 @@ fn write_data_from_treefile(
+                     for user in entries {
+                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
+                     }
+                    target_shadow
+                        .get_mut()
+                        .as_file_mut()
+                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+@@ -441,6 +451,10 @@ fn write_data_from_treefile(
+                     for group in entries {
+                         writeln!(target_shadow, "{}:::", group.name)?;
+                     }
+                    target_shadow
+                        .get_mut()
+                        .as_file_mut()
+                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
+index 0a751760..3f7c6d8a 100644
+--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
+@@ -22,6 +22,11 @@ validate_passwd group
+ ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
+ assert_file_has_content_literal passwd.txt '00644 '
+ 
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
+ ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
+ assert_file_has_content_literal useradd.txt HOME=/var/home
+ 
+-- 
+2.44.0
+
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
@ -4,7 +4,7 @@
 Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2024.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@ -13,6 +13,8 @@ Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-

 # https://issues.redhat.com/browse/RHEL-29559
 Patch0: 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
+Patch1: 0001-unit-chmod-etc-g-shadow-to-0000.patch
+Patch2: 0002-passwd-create-etc-g-shadow-with-mode-0.patch

 ExclusiveArch: %{rust_arches}

@ -232,6 +234,13 @@ $PYTHON autofiles.py > files.devel \
  '%{_datadir}/gtk-doc/html/*' \
  '%{_datadir}/gir-1.0/*-1.0.gir'

+%post
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
+
 %files -f files
 %doc COPYING.GPL COPYING.LGPL LICENSE README.md

@ -240,6 +249,10 @@ $PYTHON autofiles.py > files.devel \
 %files devel -f files.devel

 %changelog
+* Tue Apr 09 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.4-4
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+  Resolves: #RHEL-31951
+
 * Thu Mar 21 2024 Colin Walters <walters@verbum.org> - 2024.4-3
 - Backport patch to fix https://issues.redhat.com/browse/RHEL-29559