rpms/rust-coreos-installer
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 0.10.0

Browse Source
This commit is contained in:
Jonathan Lebon 2021-08-04 21:03:23 -04:00
parent 17000d2332
commit 6dc79d1fad
4 changed files with 7 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,3 +10,4 @@
/coreos-installer-0.8.0.crate
/coreos-installer-0.9.0.crate
/coreos-installer-0.9.1.crate
/coreos-installer-0.10.0.crate

8
rust-coreos-installer.spec
View File

@ -8,15 +8,14 @@
%global crate coreos-installer
Name: rust-%{crate}
Version: 0.9.1
Release: 3%{?dist}
Version: 0.10.0
Release: 1%{?dist}
Summary: Installer for Fedora CoreOS and RHEL CoreOS
# Upstream license specification: Apache-2.0
License: ASL 2.0
URL: https://crates.io/crates/coreos-installer
Source: %{crates_source}
Patch0: v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch
ExclusiveArch: %{rust_arches}
@ -129,6 +128,9 @@ RHEL CoreOS. It is not needed on other platforms.
%endif
%changelog
* Wed Aug 04 2021 Jonathan Lebon <jonathan@jlebon.com> - 0.10.0-1
- New release
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (coreos-installer-0.9.1.crate) = 24560d7b427214fe8d59228e631e6af4f36d20c52b746d917d168869de2e7d8b5f4abc633eed98f5c098edbb9bc168fb24a982f4f9651a9335bb211c55657ec8
SHA512 (coreos-installer-0.10.0.crate) = 90fbc9727a737e7acb9464854f448e6a39c5fe02f68f8a2388200293d6a10268775bcde2f904195386363fdf1b9d24d34f72aa6b55b8667f1db60ae7e0f25d71

72
v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch
View File

@ -1,72 +0,0 @@
From 2a36405339c87b16ed6c76e91ad5b76638fbdb0c Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@redhat.com>
Date: Tue, 6 Jul 2021 13:07:30 -0400
Subject: [PATCH] install: restrict access permissions on
/boot/ignition{,/config.ign}
The Ignition config may contain secrets. Don't expose it, or anything in
its parent directory, to unprivileged processes.
https://github.com/coreos/fedora-coreos-tracker/issues/889
---
src/install.rs | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/install.rs b/src/install.rs
index 20d1f41..3640723 100644
--- a/src/install.rs
+++ b/src/install.rs
@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result};
use lazy_static::lazy_static;
use nix::mount;
use regex::Regex;
-use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions};
+use std::fs::{
+ copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions,
+};
use std::io::{copy, Read, Seek, SeekFrom, Write};
-use std::os::unix::fs::FileTypeExt;
+use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::{Path, PathBuf};
use crate::blockdev::*;
@@ -248,7 +250,21 @@ fn write_ignition(
// make parent directory
let mut config_dest = mountpoint.to_path_buf();
config_dest.push("ignition");
- create_dir_all(&config_dest).context("creating Ignition config directory")?;
+ if !config_dest.is_dir() {
+ create_dir_all(&config_dest).with_context(|| {
+ format!(
+ "creating Ignition config directory {}",
+ config_dest.display()
+ )
+ })?;
+ // Ignition data may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| {
+ format!(
+ "setting file mode for Ignition directory {}",
+ config_dest.display()
+ )
+ })?;
+ }
// do the copy
config_dest.push("config.ign");
@@ -262,6 +278,13 @@ fn write_ignition(
config_dest.display()
)
})?;
+ // Ignition config may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| {
+ format!(
+ "setting file mode for destination Ignition config {}",
+ config_dest.display()
+ )
+ })?;
copy(&mut config_in, &mut config_out).context("writing Ignition config")?;
Ok(())
--
2.31.1