do not create allow file while the command does not exist

This commit is contained in:
gaoyusong 2021-03-17 11:22:54 +08:00
parent 0c7af179c9
commit cd39d821e0
2 changed files with 102 additions and 2 deletions


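--- /dev/null
+++ b/do-not-create-allow-file-while-the-command-does-not-.patch
@@ -0,0 +1,96 @@
+From 33a1b6f6006a6481de1b59ee3a8d5c0706830b71 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Mar 2021 09:31:35 +0800
+Subject: [PATCH] do not create allow file while the command does not exist
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+security-tool.sh | 35 +++++++++++++++++++++++++++++++++++
+security.conf | 12 +++---------
+2 files changed, 38 insertions(+), 9 deletions(-)
+diff --git a/security-tool.sh b/security-tool.sh
+index c6bc4e7..60e25f8 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -675,6 +675,33 @@ function fn_handle_ln()
+return $?
+}
++#=============================================================================
++# Function Name: fn_handle_allow
++# Returns : 0 on success, otherwise on fail
++#=============================================================================
++function fn_handle_allow()
++{
++ fn_test_params_num 1
++
++ local rpmname=$1
++ local ret=0
++
++ rpm -q "$rpmname"
++ if [ $? -eq 0 ]; then
++ local denyfile="$ROOTFS/etc/$rpmname.deny"
++ local allowfile="$ROOTFS/etc/$rpmname.allow"
++ rm -rf "$denyfile"
++ touch "$allowfile"
++ chown root:root "$allowfile"
++ chmod og-rwx "$allowfile"
++
++ else
++ ret=1
++ fn_error "package $rpmname does not exist"
++ fi
++
++ return $ret
++}
+#=============================================================================
+# Function Name: fn_harden_rootfs
+@@ -759,6 +786,10 @@ function fn_harden_rootfs()
+fn_handle_ln "$f3" "$f4" "$f5"
+status=$?
+;;
++ allow)
++ fn_handle_allow "$f3"
++ status=$?
++ ;;
+*)
+fn_handle_command "$f2" "$f3"
+status=$?
+@@ -861,6 +892,10 @@ IFS=$PRE_IFS
+fn_handle_ln "$f3" "$f4" "$f5"
+status=$?
+;;
++ allow)
++ fn_handle_allow "$f3"
++ status=$?
++ ;;
+*)
+fn_handle_command "$f2" "$f3"
+status=$?
+diff --git a/security.conf b/security.conf
+index 30b9f54..75b6ba3 100644
+--- a/security.conf
++++ b/security.conf
+@@ -140,15 +140,9 @@
+213@chown root:root @/etc/cron.monthly
+213@chmod og-rwx @/etc/cron.monthly
+-214@rm -f @/etc/at.deny
+-214@touch @/etc/at.allow
+-214@chown root:root @/etc/at.allow
+-214@chmod og-rwx @/etc/at.allow
+-
+-215@rm -f @/etc/cron.deny
+-215@touch @/etc/cron.allow
+-215@chown root:root @/etc/cron.allow
+-215@chmod og-rwx @/etc/cron.allow
++# limit command permissions
++214@allow@at
++215@allow@cron
+#rpm initscripts drop /etc/sysconfig/init defaultly
+216@touch @/etc/sysconfig/init
+--
+1.8.3.1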
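Review bot: In fn_handle_allow, `rpm -q "$rpmname"` queries the running system's rpm database while the files it then creates live under `$ROOTFS/etc`, so if ROOTFS can point at a root other than / the existence check is answered from the wrong tree; querying with `--root "$ROOTFS"` when it is set, and silencing the package name the query prints, gives `if rpm -q "$rpmname" >/dev/null 2>&1; then` in place of the `rpm -q` / `[ $? -eq 0 ]` pair. The allow file is created by `touch` and only restricted by `chmod og-rwx` two lines later, so a freshly created at.allow or cron.allow briefly carries the umask's default mode; creating it as `( umask 077; touch "$allowfile" )` closes that window without truncating a file that already exists. `rm -rf "$denyfile"` replaces the `rm -f` that security.conf used for /etc/at.deny and /etc/cron.deny; `-f` alone is enough for a regular file and does not recurse if the path ever resolves to a directory. Since a missing package is exactly the case the commit is meant to skip, reporting it with `fn_error` and `ret=1` turns every skip into a failed rule; if that is not intended, the else branch should log and return 0.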


@ -1,7 +1,7 @@
Summary: openEuler Security Tool
Name : security-tool
Version: 2.0
Release: 1.72
Release: 1.73
Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
License: Mulan PSL v2
URL: https://gitee.com/openeuler/security-tool
@ -13,7 +13,8 @@ Requires(preun): systemd-units
Requires(postun): systemd-units
BuildRequires: xauth
Patch: Use-secure-MACs-and-KexAlgorithms.patch
Patch0: Use-secure-MACs-and-KexAlgorithms.patch
Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
%description
openEuler Security Tool
@ -118,6 +119,9 @@ fi
%attr(0500,root,root) %{_sbindir}/security-tool.sh
%changelog
* Wed Mar 17 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.73
- do not create allow file while the command does not exist
* Wed Feb zhujianwei <zhujianwei7@huawei.com> - 2.0-1.72
- rebuild