Red Hat Bugzilla – Attachment 603732 Details for Bug 772257: CVE-2012-0786 augeas: susceptible to symlink attack
[patch] Followup file creation permissions fix (051c73a9)
051c73a9_creation_umask.patch (text/plain), 2.21 KB, created by Dominic Cleal on 2012-08-11 22:45:01 UTC
>commit 051c73a9a7ffe9e525f6f0a1b8f5198ff8cc6752 >Author: Dominic Cleal <dcleal@redhat.com> >Date: Sat Aug 11 20:39:14 2012 +0100 > > Fix regression in permissions of created files > > Commit 16387744 changed temporary file creation to use mkstemp, resulting in > new files being created with 0600 permissions. For brand new files created > through Augeas, their permissions stayed at 0600 rather than being set by the > umask as before. > > * src/transform.c (transform_save): chmod after creating new files to > permissions implied by the umask > >diff --git a/src/transform.c b/src/transform.c >index a3acd10..1ca3d5f 100644 >--- a/src/transform.c >+++ b/src/transform.c >@@ -1096,6 +1096,16 @@ int transform_save(struct augeas *aug, struct tree *xfm, > err_status = "xfer_attrs"; > goto done; > } >+ } else { >+ /* Since mkstemp is used, the temp file will have secure permissions >+ * instead of those implied by umask, so change them for new files */ >+ mode_t curumsk = umask(022); >+ umask(curumsk); >+ >+ if (fchmod(fileno(fp), 0666 - curumsk) < 0) { >+ err_status = "create_chmod"; >+ return -1; >+ } > } > > if (tree != NULL) >diff --git a/tests/test-preserve.sh b/tests/test-preserve.sh >index 042dab9..9719ac6 100755 >--- a/tests/test-preserve.sh >+++ b/tests/test-preserve.sh >@@ -59,9 +59,12 @@ if [ $selinux = yes -a xetc_t != "x$act_con" ] ; then > exit 1 > fi > >-# Check that we create new files without error >+# Check that we create new files without error and with permissions implied >+# from the umask > init_dirs > >+oldumask=$(umask) >+umask 0002 > $AUGTOOL > /dev/null <<EOF > set /files/etc/hosts/1/ipaddr 127.0.0.1 > set /files/etc/hosts/1/canonical host.example.com 
>@@ -71,6 +74,16 @@ if [ $? != 0 ] ; then > echo "augtool failed on new file" > exit 1 > fi >+if [ ! -e $hosts ]; then >+ echo "augtool didn't create new /etc/hosts file" >+ exit 1 >+fi >+act_mode=$(ls -l $hosts | cut -b 1-10) >+if [ x-rw-rw-r-- != "x$act_mode" ] ; then >+ echo "Expected mode 0664 due to $(umask) umask but got $act_mode" >+ exit 1 >+fi >+umask $oldumask > > # Check that we create new files without error when backups are requested > init_dirs
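Review bot: In the transform_save hunk of src/transform.c, `0666 - curumsk` is arithmetic subtraction rather than bit masking, so it only gives the intended mode when every bit of the umask is also set in 0666. With a umask of 0077 it yields 0567, which leaves the new file writable and executable by others instead of 0600; use `0666 & ~curumsk`. The same branch uses `return -1` where the preceding error path sets err_status and does `goto done`, so it skips whatever cleanup follows that label; `goto done` would keep the two paths consistent. The umask(022)/umask(curumsk) read-back also changes the process-wide umask for a moment, which deserves a comment for multithreaded callers of the library.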
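Review bot: In the tests/test-preserve.sh hunks, the mode assertion runs only under `umask 0002`, a value for which subtracting the umask and masking with it give the same result, so the test cannot catch a wrong mode calculation for umasks that include execute bits. Add a second run under a restrictive umask such as 0077 and expect `-rw-------`. `$hosts` is also unquoted in `[ ! -e $hosts ]` and `ls -l $hosts`; quoting it would make the checks robust to paths containing spaces.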
Attachments on bug 772257: 551189 | 559801 | 562023 | 601046 | 603732