Do not preserve capabilities when changing credentials
resolves: rhbz#2169748 Remove unnecessary capability CAP_PERFMON Add CAP_DAC_OVERRIDE to bypass file read and write permission checks resolves: rhbz#2158659
This commit is contained in:
alakatos
parent
9b1d2e0d33
commit
c32bc63063
67
rsyslog-8.2102.0-capabilities-drop-credential.patch
Normal file
67
rsyslog-8.2102.0-capabilities-drop-credential.patch
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
|
||||||
|
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-02-17 11:52:17.460043970 +0100
|
||||||
|
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-02-17 12:00:49.881602881 +0100
|
||||||
|
@@ -33,9 +33,6 @@
|
||||||
|
#include <sys/resource.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
-#ifdef ENABLE_LIBCAPNG
|
||||||
|
- #include <cap-ng.h>
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
#include "rsyslog.h"
|
||||||
|
#include "obj.h"
|
||||||
|
@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
|
||||||
|
uchar szBuf[1024];
|
||||||
|
DEFiRet;
|
||||||
|
|
||||||
|
-#ifndef ENABLE_LIBCAPNG
|
||||||
|
+
|
||||||
|
if(!ourConf->globals.gidDropPrivKeepSupplemental) {
|
||||||
|
res = setgroups(0, NULL); /* remove all supplemental group IDs */
|
||||||
|
if(res) {
|
||||||
|
@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
|
||||||
|
"could not set requested group id: %s via setgid()", szBuf);
|
||||||
|
ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
|
||||||
|
- res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
|
||||||
|
- if (res) {
|
||||||
|
- LogError(0, RS_RET_LIBCAPNG_ERR,
|
||||||
|
- "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
|
||||||
|
- ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
|
||||||
|
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
|
||||||
|
@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
|
||||||
|
iUid, szBuf);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifndef ENABLE_LIBCAPNG
|
||||||
|
+
|
||||||
|
res = setuid(iUid);
|
||||||
|
- // res = setuid(cnf->globals.uidDropPriv);
|
||||||
|
-#else
|
||||||
|
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
|
||||||
|
- res = capng_change_id(iUid, -1, capng_flags);
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
if(res) {
|
||||||
|
/* if we can not set the userid, this is fatal, so let's unconditionally abort */
|
||||||
|
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
|
||||||
|
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-02-17 11:52:00.011011019 +0100
|
||||||
|
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-02-17 11:58:37.322491823 +0100
|
||||||
|
@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
|
||||||
|
CAP_LEASE,
|
||||||
|
CAP_NET_ADMIN,
|
||||||
|
CAP_NET_BIND_SERVICE,
|
||||||
|
- CAP_PERFMON,
|
||||||
|
CAP_SETGID,
|
||||||
|
CAP_SETUID,
|
||||||
|
+ CAP_DAC_OVERRIDE,
|
||||||
|
CAP_SYS_ADMIN,
|
||||||
|
CAP_SYS_CHROOT,
|
||||||
|
CAP_SYS_RESOURCE,
|
||||||
11
rsyslog.spec
11
rsyslog.spec
@ -5,7 +5,7 @@
|
|||||||
Summary: Enhanced system logging and kernel message trapping daemon
|
Summary: Enhanced system logging and kernel message trapping daemon
|
||||||
Name: rsyslog
|
Name: rsyslog
|
||||||
Version: 8.2102.0
|
Version: 8.2102.0
|
||||||
Release: 109%{?dist}
|
Release: 110%{?dist}
|
||||||
License: (GPLv3+ and ASL 2.0)
|
License: (GPLv3+ and ASL 2.0)
|
||||||
URL: http://www.rsyslog.com/
|
URL: http://www.rsyslog.com/
|
||||||
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
|
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
|
||||||
@ -36,6 +36,7 @@ Patch14: rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
|
|||||||
Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch
|
Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch
|
||||||
Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
|
Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
|
||||||
Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
|
Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
|
||||||
|
Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -287,6 +288,7 @@ mv build doc
|
|||||||
%patch15 -p1 -b .extra-ca-files-doc
|
%patch15 -p1 -b .extra-ca-files-doc
|
||||||
%patch16 -p1 -b .libcap-ng
|
%patch16 -p1 -b .libcap-ng
|
||||||
%patch17 -p1 -b .imklog-leak
|
%patch17 -p1 -b .imklog-leak
|
||||||
|
%patch18 -p1 -b .capabilities-drop-credential
|
||||||
|
|
||||||
pushd ..
|
pushd ..
|
||||||
%patch9 -p1 -b .openssl-compatibility
|
%patch9 -p1 -b .openssl-compatibility
|
||||||
@ -552,6 +554,13 @@ done
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 17 2023 Attila Lakatos <alakatos@redhat.com> -8.2102.0-110
|
||||||
|
- Do not preserve capabilities when changing credentials
|
||||||
|
resolves: rhbz#2169748
|
||||||
|
- Remove unnecessary capability CAP_PERFMON
|
||||||
|
- Add CAP_DAC_OVERRIDE to bypass file read and write permission checks
|
||||||
|
resolves: rhbz#2158659
|
||||||
|
|
||||||
* Mon Jan 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-109
|
* Mon Jan 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-109
|
||||||
- Make rsyslog-relp require librelp>= 1.9.0
|
- Make rsyslog-relp require librelp>= 1.9.0
|
||||||
resolves: rhbz#2124440
|
resolves: rhbz#2124440
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user