packages/security-tool
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 rewrite patch: do not create allow file while the command does not exist

Browse Source 
From: @gys66
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-06-01 10:20:20 +08:00 committed by Gitee
commit 45ecea6374
2 changed files with 103 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

195
do-not-create-allow-file-while-the-command-does-not-.patch
View File

@ -1,96 +1,99 @@
From 33a1b6f6006a6481de1b59ee3a8d5c0706830b71 Mon Sep 17 00:00:00 2001 From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com> From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 4 Mar 2021 09:31:35 +0800 Date: Thu, 18 Mar 2021 10:51:25 +0800
Subject: [PATCH] do not create allow file while the command does not exist Subject: [PATCH] do not create allow file while the command does not exist
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com> Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
--- ---
security-tool.sh | 35 +++++++++++++++++++++++++++++++++++ security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
security.conf | 12 +++--------- security.conf | 12 +++---------
2 files changed, 38 insertions(+), 9 deletions(-) 2 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/security-tool.sh b/security-tool.sh diff --git a/security-tool.sh b/security-tool.sh
index c6bc4e7..60e25f8 100644 index c6bc4e7..e8619f5 100644
--- a/security-tool.sh --- a/security-tool.sh
+++ b/security-tool.sh +++ b/security-tool.sh
@@ -675,6 +675,33 @@ function fn_handle_ln() @@ -675,6 +675,35 @@ function fn_handle_ln()
return $? return $?
} }
+#============================================================================= +#=============================================================================
+# Function Name: fn_handle_allow +# Function Name: fn_handle_allow
+# Returns : 0 on success, otherwise on fail +# Returns : 0 on success, otherwise on fail
+#============================================================================= +#=============================================================================
+function fn_handle_allow() +function fn_handle_allow()
+{ +{
+ fn_test_params_num 1 + fn_test_params_num 2
+ +
+ local rpmname=$1 + local rpmname=$1
+ local ret=0 + local prename=$2
+ + local ret=0
+ rpm -q "$rpmname" +
+ if [ $? -eq 0 ]; then + rpm -q "$rpmname"
+ local denyfile="$ROOTFS/etc/$rpmname.deny" + if [ $? -eq 0 ]; then
+ local allowfile="$ROOTFS/etc/$rpmname.allow" + local denyfile="$ROOTFS/etc/$prename.deny"
+ rm -rf "$denyfile" + local allowfile="$ROOTFS/etc/$prename.allow"
+ touch "$allowfile" + rm -rf "$denyfile"
+ chown root:root "$allowfile" + touch "$allowfile"
+ chmod og-rwx "$allowfile" + chown root:root "$allowfile"
+ + chmod og-rwx "$allowfile"
+ else +
+ ret=1 + else
+ fn_error "package $rpmname does not exist" + ret=1
+ fi + fn_error "package $rpmname does not exist"
+ + fi
+ return $ret +
+} + return $ret
+}
#============================================================================= +
# Function Name: fn_harden_rootfs
@@ -759,6 +786,10 @@ function fn_harden_rootfs() #=============================================================================
fn_handle_ln "$f3" "$f4" "$f5" # Function Name: fn_harden_rootfs
status=$? @@ -759,6 +788,10 @@ function fn_harden_rootfs()
;; fn_handle_ln "$f3" "$f4" "$f5"
+ allow) status=$?
+ fn_handle_allow "$f3" ;;
+ status=$? + allow)
+ ;; + fn_handle_allow "$f3" "$f4"
*) + status=$?
fn_handle_command "$f2" "$f3" + ;;
status=$? *)
@@ -861,6 +892,10 @@ IFS=$PRE_IFS fn_handle_command "$f2" "$f3"
fn_handle_ln "$f3" "$f4" "$f5" status=$?
status=$? @@ -861,6 +894,10 @@ IFS=$PRE_IFS
;; fn_handle_ln "$f3" "$f4" "$f5"
+ allow) status=$?
+ fn_handle_allow "$f3" ;;
+ status=$? + allow)
+ ;; + fn_handle_allow "$f3" "$f4"
*) + status=$?
fn_handle_command "$f2" "$f3" + ;;
status=$? *)
diff --git a/security.conf b/security.conf fn_handle_command "$f2" "$f3"
index 30b9f54..75b6ba3 100644 status=$?
--- a/security.conf diff --git a/security.conf b/security.conf
+++ b/security.conf index 30b9f54..72bb91e 100644
@@ -140,15 +140,9 @@ --- a/security.conf
213@chown root:root @/etc/cron.monthly +++ b/security.conf
213@chmod og-rwx @/etc/cron.monthly @@ -140,15 +140,9 @@
213@chown root:root @/etc/cron.monthly
-214@rm -f @/etc/at.deny 213@chmod og-rwx @/etc/cron.monthly
-214@touch @/etc/at.allow
-214@chown root:root @/etc/at.allow -214@rm -f @/etc/at.deny
-214@chmod og-rwx @/etc/at.allow -214@touch @/etc/at.allow
- -214@chown root:root @/etc/at.allow
-215@rm -f @/etc/cron.deny -214@chmod og-rwx @/etc/at.allow
-215@touch @/etc/cron.allow -
-215@chown root:root @/etc/cron.allow -215@rm -f @/etc/cron.deny
-215@chmod og-rwx @/etc/cron.allow -215@touch @/etc/cron.allow
+# limit command permissions -215@chown root:root @/etc/cron.allow
+214@allow@at -215@chmod og-rwx @/etc/cron.allow
+215@allow@cron +# limit command permissions
+214@allow@at@at
#rpm initscripts drop /etc/sysconfig/init defaultly +215@allow@cronie@cron
216@touch @/etc/sysconfig/init
-- #rpm initscripts drop /etc/sysconfig/init defaultly
1.8.3.1 216@touch @/etc/sysconfig/init
--
1.8.3.1

5
security-tool.spec
View File

@ -1,7 +1,7 @@
Summary: openEuler Security Tool Summary: openEuler Security Tool
Name : security-tool Name : security-tool
Version: 2.0 Version: 2.0
Release: 1.73 Release: 1.74
Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
License: Mulan PSL v2 License: Mulan PSL v2
URL: https://gitee.com/openeuler/security-tool URL: https://gitee.com/openeuler/security-tool
@ -119,6 +119,9 @@ fi
%attr(0500,root,root) %{_sbindir}/security-tool.sh %attr(0500,root,root) %{_sbindir}/security-tool.sh
%changelog %changelog
* Thu May 27 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.74
- rewrite patch: do not create allow file while the command does not exist
* Wed Mar 17 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.73 * Wed Mar 17 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.73
- do not create allow file while the command does not exist - do not create allow file while the command does not exist