packages/security-tool
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!30 do not create allow file while the command does not exist

Browse Source 
From: @angela7
Reviewed-by: @gys66,@zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-03-21 16:45:36 +08:00 committed by Gitee
commit 49b6a7ad5c
2 changed files with 105 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
do-not-create-allow-file-while-the-command-does-not-.patch Normal file
View File

@ -0,0 +1,99 @@
From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 18 Mar 2021 10:51:25 +0800
Subject: [PATCH] do not create allow file while the command does not exist
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
security.conf | 12 +++---------
2 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/security-tool.sh b/security-tool.sh
index c6bc4e7..e8619f5 100644
--- a/security-tool.sh
+++ b/security-tool.sh
@@ -675,6 +675,35 @@ function fn_handle_ln()
return $?
}
+#=============================================================================
+# Function Name: fn_handle_allow
+# Returns : 0 on success, otherwise on fail
+#=============================================================================
+function fn_handle_allow()
+{
+ fn_test_params_num 2
+
+ local rpmname=$1
+ local prename=$2
+ local ret=0
+
+ rpm -q "$rpmname"
+ if [ $? -eq 0 ]; then
+ local denyfile="$ROOTFS/etc/$prename.deny"
+ local allowfile="$ROOTFS/etc/$prename.allow"
+ rm -rf "$denyfile"
+ touch "$allowfile"
+ chown root:root "$allowfile"
+ chmod og-rwx "$allowfile"
+
+ else
+ ret=1
+ fn_error "package $rpmname does not exist"
+ fi
+
+ return $ret
+}
+
#=============================================================================
# Function Name: fn_harden_rootfs
@@ -759,6 +788,10 @@ function fn_harden_rootfs()
fn_handle_ln "$f3" "$f4" "$f5"
status=$?
;;
+ allow)
+ fn_handle_allow "$f3" "$f4"
+ status=$?
+ ;;
*)
fn_handle_command "$f2" "$f3"
status=$?
@@ -861,6 +894,10 @@ IFS=$PRE_IFS
fn_handle_ln "$f3" "$f4" "$f5"
status=$?
;;
+ allow)
+ fn_handle_allow "$f3" "$f4"
+ status=$?
+ ;;
*)
fn_handle_command "$f2" "$f3"
status=$?
diff --git a/security.conf b/security.conf
index 30b9f54..72bb91e 100644
--- a/security.conf
+++ b/security.conf
@@ -140,15 +140,9 @@
213@chown root:root @/etc/cron.monthly
213@chmod og-rwx @/etc/cron.monthly
-214@rm -f @/etc/at.deny
-214@touch @/etc/at.allow
-214@chown root:root @/etc/at.allow
-214@chmod og-rwx @/etc/at.allow
-
-215@rm -f @/etc/cron.deny
-215@touch @/etc/cron.allow
-215@chown root:root @/etc/cron.allow
-215@chmod og-rwx @/etc/cron.allow
+# limit command permissions
+214@allow@at@at
+215@allow@cronie@cron
#rpm initscripts drop /etc/sysconfig/init defaultly
216@touch @/etc/sysconfig/init
--
1.8.3.1

8
security-tool.spec
View File

@ -1,7 +1,7 @@
Summary: openEuler Security Tool
Name : security-tool
Version: 2.0
Release: 1.50
Release: 1.51
Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
License: Mulan PSL v2
URL: https://gitee.com/openeuler/security-tool
@ -13,7 +13,8 @@ Requires(preun): systemd-units
Requires(postun): systemd-units
BuildRequires: xauth
Patch: Use-secure-MACs-and-KexAlgorithms.patch
Patch0: Use-secure-MACs-and-KexAlgorithms.patch
Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
%description
openEuler Security Tool
@ -118,6 +119,9 @@ fi
%attr(0500,root,root) %{_sbindir}/security-tool.sh
%changelog
* Thu Mar 18 2021 openEuler Buildteam <buildteam@openEuler.org> - 2.0-1.51
- do not create allow file while the command does not exist
* Fri Oct 9 2020 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.50
- Use secure MACs and KexAlgorithms