From a7f3748d006d1b1057a791f2a7c790d3ec09cc09 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Mon, 22 Oct 2018 10:52:39 +0300 Subject: [PATCH 3/4] Fix nasty --setperms/--setugids regression in 4.14.2 (RhBug: 1640470) Commit 38c2f6e160d5ed3e9c3a266139c7eb2632724c15 causes --setperms and --setugids follow symlinks instead of skipping them. In case of --setperms, all encountered symlinks will have their target file/directory permissions set to the 0777 of the link itself (so world writable etc but suid/sgid stripped), temporarily or permanently, depending on whether the symlink occurs before or after it's target in the package file list. When the link occurs before its target, there's a short window where the target is world writable before having it's permissions reset to original, making it particularly bad for suid/sgid binaries. --setugids is similarly affected with link targets owner/group changing to that of the symlink. Add missing parentheses to the conditions introduced in commit 38c2f6e160d5ed3e9c3a266139c7eb2632724c15 to fix. Reported by Karel Srot, patch by Pavlina Moravcova Varekova. (cherry picked from commit 0d83637769b8a122b1e80f2e960ea1bbae8b4f10) --- rpmpopt.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff -urNp a/rpmpopt.in b/rpmpopt.in --- a/rpmpopt.in 2019-04-23 13:00:05.090000000 -0400 +++ b/rpmpopt.in 2019-04-23 13:05:33.326000000 -0400 @@ -44,14 +44,14 @@ rpm alias --scripts --qf '\ --POPTdesc=$"list install/erase scriptlets from package(s)" rpm alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \ - \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] || \ + ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \ chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \ --pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \ --POPTdesc=$"set permissions of files in a package" rpm alias --setugids -q --qf \ '[ch %{FILEUSERNAME:shescape} %{FILEGROUPNAME:shescape} %{FILENAMES:shescape} %{FILEFLAGS}\n]' \ - --pipe "(echo 'ch() { \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] || \ + --pipe "(echo 'ch() { ( \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] ) || \ (chown -h -- \"$1\" \"$3\";chgrp -h -- \"$2\" \"$3\";) }'; \ grep '^ch '|grep -v \(none\))|sh" \ --POPTdesc=$"set user/group ownership of files in a package"