rpms/rsyslog
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Do not preserve capabilities when changing credentials

Browse Source 
resolves: rhbz#2169748
Remove unnecessary capability CAP_PERFMON
Add CAP_DAC_OVERRIDE to bypass file read and write permission checks
  resolves: rhbz#2158659
This commit is contained in:
alakatos 2023-02-17 13:30:03 +01:00
parent 9b1d2e0d33
commit c32bc63063
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
rsyslog-8.2102.0-capabilities-drop-credential.patch Normal file
View File

@ -0,0 +1,67 @@
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-02-17 11:52:17.460043970 +0100
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-02-17 12:00:49.881602881 +0100
@@ -33,9 +33,6 @@
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/stat.h>
-#ifdef ENABLE_LIBCAPNG
- #include <cap-ng.h>
-#endif
#include "rsyslog.h"
#include "obj.h"
@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
uchar szBuf[1024];
DEFiRet;
-#ifndef ENABLE_LIBCAPNG
+
if(!ourConf->globals.gidDropPrivKeepSupplemental) {
res = setgroups(0, NULL); /* remove all supplemental group IDs */
if(res) {
@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
"could not set requested group id: %s via setgid()", szBuf);
ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
}
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
- if (res) {
- LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
- ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
- }
-#endif
DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
iUid, szBuf);
}
-#ifndef ENABLE_LIBCAPNG
+
res = setuid(iUid);
- // res = setuid(cnf->globals.uidDropPriv);
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(iUid, -1, capng_flags);
-#endif
if(res) {
/* if we can not set the userid, this is fatal, so let's unconditionally abort */
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-02-17 11:52:00.011011019 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-02-17 11:58:37.322491823 +0100
@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
CAP_LEASE,
CAP_NET_ADMIN,
CAP_NET_BIND_SERVICE,
- CAP_PERFMON,
CAP_SETGID,
CAP_SETUID,
+ CAP_DAC_OVERRIDE,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
CAP_SYS_RESOURCE,

11
rsyslog.spec
View File

@ -5,7 +5,7 @@
Summary: Enhanced system logging and kernel message trapping daemon
Name: rsyslog
Version: 8.2102.0
Release: 109%{?dist}
Release: 110%{?dist}
License: (GPLv3+ and ASL 2.0)
URL: http://www.rsyslog.com/
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@ -36,6 +36,7 @@ Patch14: rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch
Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch
BuildRequires: make
BuildRequires: gcc
@ -287,6 +288,7 @@ mv build doc
%patch15 -p1 -b .extra-ca-files-doc
%patch16 -p1 -b .libcap-ng
%patch17 -p1 -b .imklog-leak
%patch18 -p1 -b .capabilities-drop-credential
pushd ..
%patch9 -p1 -b .openssl-compatibility
@ -552,6 +554,13 @@ done
%changelog
* Fri Feb 17 2023 Attila Lakatos <alakatos@redhat.com> -8.2102.0-110
- Do not preserve capabilities when changing credentials
resolves: rhbz#2169748
- Remove unnecessary capability CAP_PERFMON
- Add CAP_DAC_OVERRIDE to bypass file read and write permission checks
resolves: rhbz#2158659
* Mon Jan 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-109
- Make rsyslog-relp require librelp>= 1.9.0
resolves: rhbz#2124440