Description of problem:
ipa.spec analysis uncovered several issues that we should either mark as false positives or fix:

1) % sign not properly escaped in a changelog:

spec:
- Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
rpm :
- Add (noreplace) flag for \/etc/tmpfiles.d/ipa.conf

We should replace "\%" with "%%"

2) /usr/libexec/ipa-otpd: daemon file compiled with only partial RELRO (should be full)

3) Unowned mid-level directory: /usr/share/ipa/ui/js

4) Missing man pages for %config files:
- /etc/ipa/html/browserconfig.html
- /etc/ipa/html/ffconfig.js
- /etc/ipa/html/ffconfig_page.js
- /etc/ipa/html/ipa_error.css
- /etc/ipa/html/ssbrowser.html
- /etc/ipa/html/unauthorized.html
- /etc/sysconfig/ipa_memcached
- /etc/tmpfiles.d/ipa.conf

We should either mark as false positive or remove %config (or write the man page)
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4010
1) is a correct finding, needs a fix.
2) needs a fix but I'd prefer it to be a separate ticket since it is independent of the others.
3) needs fixing.
4) We use %config to allow generated files to persist over consequent upgrades of the packages. These are not really configs but rather something that is generated with ipa-server-install or could be slightly tuned by admins with their own graphical design. RPM doesn't have better means to express these needs so I think we should mark them as false positive.
Thanks for the assessment. I think we should fix all these issues together as they come from the same source. A separate ticket is a possibility, though it seems like too much bureaucracy in this case - we just need to add a relro flag (AFAIU).
Fixed upstream:

master:
db3e4507329a02e5eba85f8f3eb29361eabf5d57 Own /usr/share/ipa/ui/js/ in the spec file.
652c4e6ace7c4eae6ffb12093487c2d8180806f5 Use hardening flags for ipa-optd.

ipa-3-3:
ca4e976318a2bf4fb152df8b97c3c4fc9798475c Own /usr/share/ipa/ui/js/ in the spec file.
73ada2baad2db3143285a254f638a091eb2001c8 Use hardening flags for ipa-optd.
What can I check to be able to verify these changes?
To check for the directory, install ipa-server then run:

$ rpm -q --whatprovides /usr/share/ipa/ui/js

It should be owned by ipa-server.

To check for a hardened build:

# yum install hardening-check
# hardening-check /usr/libexec/ipa-otpd

The Read-only relocations and Immediate binding should be yes.

/usr/libexec/ipa-otpd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
Or if hardening-check isn't available (and it looks like it isn't) check with:

$ objdump -x /usr/libexec/ipa-otpd | grep RELRO
   RELRO off    0x0000000000005a50 vaddr 0x0000000000205a50 paddr 0x0000000000205a50 align 2**0

$ readelf -d /usr/libexec/ipa-otpd | grep BIND
 0x0000000000000018 (BIND_NOW)

The fix here was for immediate binding (the readelf command). If you get no output for either of these then the build is not hardened.
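An added example (not from this bug or the FreeIPA project) that performs the same partial-vs-full RELRO classification as the objdump/readelf checks above, but by reading the ELF program headers and dynamic section directly: a PT_GNU_RELRO segment alone is partial RELRO, and full RELRO additionally needs an immediate-binding request (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW). The `build_elf` helper and the images it produces are constructed for testing and are assumptions, not real binaries.

```python
import struct

# ELF constants (values from <elf.h>)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_status(image: bytes) -> str:
    """Classify an ELF64 (little-endian) image as 'none', 'partial' or 'full' RELRO.
    Partial = a PT_GNU_RELRO segment (what `objdump -x | grep RELRO` shows); full also
    needs immediate binding (DT_BIND_NOW etc., what `readelf -d | grep BIND` shows)."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    has_relro, dyn = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if not has_relro:
        return "none"
    bind_now = False
    for off in (range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ()):
        tag, val = struct.unpack_from("<qQ", image, off)
        if tag == DT_NULL:
            break
        # Any of these three dynamic entries requests BIND_NOW (immediate binding).
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True
    return "full" if bind_now else "partial"


def build_elf(relro: bool, dyn_entries) -> bytes:
    """Constructed minimal ELF64 image for testing (headers only, not loadable)."""
    phnum = 2 if relro else 1
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * phnum  # the dynamic section follows the program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn
```

To check a real binary, pass the bytes of the file to `relro_status`; a result of "partial" corresponds to the finding in this bug, "full" to the fixed build.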
Verified using steps above:

owned by ipa-server:

# rpm -q --whatprovides /usr/share/ipa/ui/js
ipa-server-3.3.3-15.el7.x86_64

build is hardened:

# objdump -x /usr/libexec/ipa-otpd | grep RELRO
   RELRO off    0x0000000000005ac8 vaddr 0x0000000000205ac8 paddr 0x0000000000205ac8 align 2**0

# readelf -d /usr/libexec/ipa-otpd | grep BIND
 0x0000000000000018 (BIND_NOW)
I saw that RHEL7 hardening-check is being built in koji:

# rpm -q ipa-server
ipa-server-3.3.3-14.el7.x86_64

# yum install http://kojipkgs.fedoraproject.org//packages/hardening-check/2.4/1.el7/noarch/hardening-check-2.4-1.el7.noarch.rpm
...
Installed:
  hardening-check.noarch 0:2.4-1.el7

Complete!

# hardening-check /usr/libexec/ipa-otpd
/usr/libexec/ipa-otpd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.