Fixes RHEL-31951

Backport Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6

Resolves #RHEL-31951
This commit is contained in:
Joseph Marrero 2024-04-09 09:15:38 -04:00
parent 84202ad9c1
commit d2dcf5861e
5 changed files with 176 additions and 121 deletions

View File

@ -1,56 +0,0 @@
From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Thu, 22 Feb 2024 14:44:50 -0500
Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe
This is sometimes used in scripts to query aspects of the host system.
E.g. this is used by Fedora's pkg-config:
https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6
This in turn gets hit by kdump which runs dracut which has modules that
runs `pkgconf` to query some directory paths.
---
rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs
index c6ed5901..3332f76c 100644
--- a/rust/src/cliwrap/rpm.rs
+++ b/rust/src/cliwrap/rpm.rs
@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command {
.long("version")
.action(clap::ArgAction::Version),
)
+ .arg(
+ Arg::new("eval")
+ .long("eval")
+ .short('E')
+ .action(clap::ArgAction::Set),
+ )
.arg(
Arg::new("package")
.help("package")
@@ -130,6 +136,19 @@ mod tests {
Ok(())
}
+ #[test]
+ fn test_eval() -> Result<()> {
+ assert_eq!(
+ disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?,
+ RunDisposition::Ok
+ );
+ assert_eq!(
+ disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?,
+ RunDisposition::Ok
+ );
+ Ok(())
+ }
+
#[test]
fn test_query_file() -> Result<()> {
assert_eq!(
--
2.43.2

View File

@ -1,64 +0,0 @@
From 53fb8c7cb7075e4ecda4564f3a17af84ad4a2e32 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 21 Jul 2023 15:21:00 -0400
Subject: [PATCH] main: Update ostree-ext, add provisional-repair entrypoint
This updates us to vendor the provisional-repair code. One can
now run `ostree provisional-repair` directly.
(Yes, it's very confusing how in rpm-ostree, we vendor the ostree-ext
source, and then install a wrapper symlink which tells the main
(C) `ostree` binary to call back into us... but it's how the
`ostree container` stuff has been working for a long time)
---
Cargo.lock | 4 ++--
Makefile-rpm-ostree.am | 1 +
rust/src/main.rs | 4 +++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 5ae6366a..c6826a4d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1775,9 +1775,9 @@ dependencies = [
[[package]]
name = "ostree-ext"
-version = "0.11.1"
+version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a690495144c18cb333a67a2ec61dd008831710bbd37804cfa79ab93b51146a6f"
+checksum = "8511513a60fa0c20a84ba8d30255286687c848bec21d24cd3dd4d16ecf48123b"
dependencies = [
"anyhow",
"async-compression 0.3.15",
diff --git a/Makefile-rpm-ostree.am b/Makefile-rpm-ostree.am
index 2ef84f83..be80a6d7 100644
--- a/Makefile-rpm-ostree.am
+++ b/Makefile-rpm-ostree.am
@@ -132,6 +132,7 @@ install-rpmostree-hook:
install -m 0755 -t $(DESTDIR)$(bindir) rpm-ostree
install -d -m 0755 $(ostreeextdir)
ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-ima-sign
+ ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-provisional-repair
ln -Tsr -f $(DESTDIR)$(bindir)/rpm-ostree $(ostreeextdir)/ostree-container
INSTALL_EXEC_HOOKS += install-rpmostree-hook
diff --git a/rust/src/main.rs b/rust/src/main.rs
index 9088c5f0..569cf094 100644
--- a/rust/src/main.rs
+++ b/rust/src/main.rs
@@ -53,7 +53,9 @@ async fn dispatch_ostree_ext(args: Vec<String>) -> Result<i32> {
/// Dispatch multicall binary to relevant logic, based on callname from `argv[0]`.
async fn dispatch_multicall(callname: String, args: Vec<String>) -> Result<i32> {
match callname.as_str() {
- "ostree-container" | "ostree-ima-sign" => dispatch_ostree_ext(args).await,
+ "ostree-container" | "ostree-ima-sign" | "ostree-provisional-repair" => {
+ dispatch_ostree_ext(args).await
+ }
_ => inner_async_main(args).await, // implicitly includes "rpm-ostree"
}
}
--
2.40.1

View File

@ -0,0 +1,79 @@
From 7d27c0a85af81d8f6dffc8bf1fa0ab13b77859c0 Mon Sep 17 00:00:00 2001
From: jbtrystram <jbtrystram@redhat.com>
Date: Thu, 21 Mar 2024 17:27:21 +0100
Subject: [PATCH 1/2] unit: chmod /etc/[g]shadow[-] to 0000
fdb879c introduced a regression where /etc/[g]shadow[-] files where
created with default permissions: 0644
This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
before interactive login is allowed on a system.
This will fix the systems that were deployed with the above issue.
We keep the stamp in /etc to account for the case where a deployment
with this unit is rolled back. If we used /var, the stamp would have
stayed but the fix would not be re-applied on the next update.
---
Makefile-daemon.am | 1 +
packaging/rpm-ostree.spec.in | 5 +++++
src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
diff --git a/Makefile-daemon.am b/Makefile-daemon.am
index 4233d90d..f96f49a9 100644
--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
rpm-ostreed-automatic.service \
rpm-ostree-bootstatus.service \
rpm-ostree-countme.service \
+ rpm-ostree-fix-shadow-mode.service \
$(NULL)
systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
index 8aa9afaa..f734f676 100644
--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
# Setup rpm-ostree-countme.timer according to presets
%post
%systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
+fi
%preun
%systemd_preun rpm-ostree-countme.timer
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
new file mode 100644
index 00000000..4aea7462
--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--
2.44.0

View File

@ -0,0 +1,83 @@
From 3b4c96c5c49a537fba2e0cda0c6ee6bd58cac625 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 19 Mar 2024 15:20:43 -0400
Subject: [PATCH 2/2] passwd: create `/etc/[g]shadow` with mode 0
Because of how our composes work, we need to manually inject
passwd-related things before installing packages. A somewhat recent
regression in that area made it so that the `/etc/shadow` and
`/etc/gshadow` files were created with default permissions (0644), which
meant they were world readable.
Fix this by explicitly setting their modes to 0. Ideally, we would rely
on the canonical permissions set in the `setup` package here, but it's
tricky to fix that without reworking how we install `setup` and handle
`passwd` treefile options.
Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
`etc/{passwd,group}`").
Fixes #4401
---
rust/src/passwd.rs | 14 ++++++++++++++
tests/compose/libbasic-test.sh | 5 +++++
2 files changed, 19 insertions(+)
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 79ee488f..8f0e5841 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -421,6 +421,12 @@ fn write_data_from_treefile(
let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
let shadow_name = target.shadow_file();
let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+ // Ideally these permissions come from `setup`, which is the package
+ // that owns these files:
+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+ // But at this point of the compose, the rootfs is completely empty; we
+ // haven't started unpacking things yet. So we need to hardcode it here.
+ let shadow_perms = cap_std::fs::Permissions::from_mode(0);
match target {
PasswdKind::User => {
@@ -430,6 +436,10 @@ fn write_data_from_treefile(
for user in entries {
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
@@ -441,6 +451,10 @@ fn write_data_from_treefile(
for group in entries {
writeln!(target_shadow, "{}:::", group.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
index 0a751760..3f7c6d8a 100644
--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
@@ -22,6 +22,11 @@ validate_passwd group
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
assert_file_has_content_literal passwd.txt '00644 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
assert_file_has_content_literal useradd.txt HOME=/var/home
--
2.44.0

View File

@ -4,7 +4,7 @@
Summary: Hybrid image/package system Summary: Hybrid image/package system
Name: rpm-ostree Name: rpm-ostree
Version: 2024.4 Version: 2024.4
Release: 3%{?dist} Release: 4%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/coreos/rpm-ostree URL: https://github.com/coreos/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@ -13,6 +13,8 @@ Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-
# https://issues.redhat.com/browse/RHEL-29559 # https://issues.redhat.com/browse/RHEL-29559
Patch0: 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch Patch0: 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
Patch1: 0001-unit-chmod-etc-g-shadow-to-0000.patch
Patch2: 0002-passwd-create-etc-g-shadow-with-mode-0.patch
ExclusiveArch: %{rust_arches} ExclusiveArch: %{rust_arches}
@ -232,6 +234,13 @@ $PYTHON autofiles.py > files.devel \
'%{_datadir}/gtk-doc/html/*' \ '%{_datadir}/gtk-doc/html/*' \
'%{_datadir}/gir-1.0/*-1.0.gir' '%{_datadir}/gir-1.0/*-1.0.gir'
%post
# Only enable on rpm-ostree based systems and manually force unit enablement to
# explicitly ignore presets for this security fix
if [ -e /run/ostree-booted ]; then
ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
fi
%files -f files %files -f files
%doc COPYING.GPL COPYING.LGPL LICENSE README.md %doc COPYING.GPL COPYING.LGPL LICENSE README.md
@ -240,6 +249,10 @@ $PYTHON autofiles.py > files.devel \
%files devel -f files.devel %files devel -f files.devel
%changelog %changelog
* Tue Apr 09 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.4-4
- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-31951
* Thu Mar 21 2024 Colin Walters <walters@verbum.org> - 2024.4-3 * Thu Mar 21 2024 Colin Walters <walters@verbum.org> - 2024.4-3
- Backport patch to fix https://issues.redhat.com/browse/RHEL-29559 - Backport patch to fix https://issues.redhat.com/browse/RHEL-29559