app-admin/augeas/files/cve-bunch-of-them-symlink.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

From 051c73a9a7ffe9e525f6f0a1b8f5198ff8cc6752 Mon Sep 17 00:00:00 2001
From: Dominic Cleal <dcleal@redhat.com>
Date: Sat, 11 Aug 2012 20:39:14 +0100
Subject: [PATCH] Fix regression in permissions of created files

Commit 16387744 changed temporary file creation to use mkstemp, resulting in
new files being created with 0600 permissions.  For brand new files created
through Augeas, their permissions stayed at 0600 rather than being set by the
umask as before.

  * src/transform.c (transform_save): chmod after creating new files to
    permissions implied by the umask
---
 src/transform.c        | 10 ++++++++++
 tests/test-preserve.sh | 15 ++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/transform.c b/src/transform.c
index a3acd10..1ca3d5f 100644
--- a/src/transform.c
+++ b/src/transform.c
@@ -1096,6 +1096,16 @@ int transform_save(struct augeas *aug, struct tree *xfm,
             err_status = "xfer_attrs";
             goto done;
         }
+    } else {
+        /* Since mkstemp is used, the temp file will have secure permissions
+         * instead of those implied by umask, so change them for new files */
+        mode_t curumsk = umask(022);
+        umask(curumsk);
+
+        if (fchmod(fileno(fp), 0666 - curumsk) < 0) {
+            err_status = "create_chmod";
+            return -1;
+        }
     }
 
     if (tree != NULL)
diff --git a/tests/test-preserve.sh b/tests/test-preserve.sh
index 042dab9..9719ac6 100755
--- a/tests/test-preserve.sh
+++ b/tests/test-preserve.sh
@@ -59,9 +59,12 @@ if [ $selinux = yes -a xetc_t != "x$act_con" ] ; then
     exit 1
 fi
 
-# Check that we create new files without error
+# Check that we create new files without error and with permissions implied
+# from the umask
 init_dirs
 
+oldumask=$(umask)
+umask 0002
 $AUGTOOL > /dev/null <<EOF
 set /files/etc/hosts/1/ipaddr 127.0.0.1
 set /files/etc/hosts/1/canonical host.example.com
@@ -71,6 +74,16 @@ if [ $? != 0 ] ; then
     echo "augtool failed on new file"
     exit 1
 fi
+if [ ! -e $hosts ]; then
+    echo "augtool didn't create new /etc/hosts file"
+    exit 1
+fi
+act_mode=$(ls -l $hosts | cut -b 1-10)
+if [ x-rw-rw-r-- != "x$act_mode" ] ; then
+    echo "Expected mode 0664 due to $(umask) umask but got $act_mode"
+    exit 1
+fi
+umask $oldumask
 
 # Check that we create new files without error when backups are requested
 init_dirs
-- 
1.8.5.1