From 4b67d431ff16a107edcddb81b7460d2e1dc1c009 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Thu, 4 Mar 2021 09:37:49 +0800
Subject: [PATCH] do not create allow file while the command does not exist

---
 ...low-file-while-the-command-does-not-.patch | 99 +++++++++++++++++++
 security-tool.spec | 8 +-
 2 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 do-not-create-allow-file-while-the-command-does-not-.patch

diff --git a/do-not-create-allow-file-while-the-command-does-not-.patch b/do-not-create-allow-file-while-the-command-does-not-.patch
new file mode 100644
index 0000000..e66f55f
--- /dev/null
+++ b/do-not-create-allow-file-while-the-command-does-not-.patch
@@ -0,0 +1,99 @@
+From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Thu, 18 Mar 2021 10:51:25 +0800
+Subject: [PATCH] do not create allow file while the command does not exist
+
+Signed-off-by: guoxiaoqi
+---
+ security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
+ security.conf | 12 +++---------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index c6bc4e7..e8619f5 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -675,6 +675,35 @@ function fn_handle_ln()
+ return $?
+ }
+
++#=============================================================================
++# Function Name: fn_handle_allow
++# Returns : 0 on success, otherwise on fail
++#=============================================================================
++function fn_handle_allow()
++{
++ fn_test_params_num 2
++
++ local rpmname=$1
++ local prename=$2
++ local ret=0
++
++ rpm -q "$rpmname"
++ if [ $? -eq 0 ]; then
++ local denyfile="$ROOTFS/etc/$prename.deny"
++ local allowfile="$ROOTFS/etc/$prename.allow"
++ rm -rf "$denyfile"
++ touch "$allowfile"
++ chown root:root "$allowfile"
++ chmod og-rwx "$allowfile"
++
++ else
++ ret=1
++ fn_error "package $rpmname does not exist"
++ fi
++
++ return $ret
++ }
++
+
+ #=============================================================================
+ # Function Name: fn_harden_rootfs
+@@ -759,6 +788,10 @@ function fn_harden_rootfs()
+ fn_handle_ln "$f3" "$f4" "$f5"
+ status=$?
+ ;;
++ allow)
++ fn_handle_allow "$f3" "$f4"
++ status=$?
++ ;;
+ *)
+ fn_handle_command "$f2" "$f3"
+ status=$?
+@@ -861,6 +894,10 @@ IFS=$PRE_IFS
+ fn_handle_ln "$f3" "$f4" "$f5"
+ status=$?
+ ;;
++ allow)
++ fn_handle_allow "$f3" "$f4"
++ status=$?
++ ;;
+ *)
+ fn_handle_command "$f2" "$f3"
+ status=$?
+diff --git a/security.conf b/security.conf
+index 30b9f54..72bb91e 100644
+--- a/security.conf
++++ b/security.conf
+@@ -140,15 +140,9 @@
+ 213@chown root:root @/etc/cron.monthly
+ 213@chmod og-rwx @/etc/cron.monthly
+
+-214@rm -f @/etc/at.deny
+-214@touch @/etc/at.allow
+-214@chown root:root @/etc/at.allow
+-214@chmod og-rwx @/etc/at.allow
+-
+-215@rm -f @/etc/cron.deny
+-215@touch @/etc/cron.allow
+-215@chown root:root @/etc/cron.allow
+-215@chmod og-rwx @/etc/cron.allow
++# limit command permissions
++214@allow@at@at
++215@allow@cronie@cron
+
+ #rpm initscripts drop /etc/sysconfig/init defaultly
+ 216@touch @/etc/sysconfig/init
+--
+1.8.3.1
+
diff --git a/security-tool.spec b/security-tool.spec
index e5798a6..d7cf02f 100644
--- a/security-tool.spec
+++ b/security-tool.spec
@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name : security-tool
 Version: 2.0
-Release: 1.50
+Release: 1.51
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -13,7 +13,8 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: xauth
-Patch: Use-secure-MACs-and-KexAlgorithms.patch
+Patch0: Use-secure-MACs-and-KexAlgorithms.patch
+Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
 %description
 openEuler Security Tool
@@ -118,6 +119,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 %changelog
+* Thu Mar 18 2021 openEuler Buildteam - 2.0-1.51
+- do not create allow file while the command does not exist
+
 * Fri Oct 9 2020 gaoyusong - 2.0-1.50
 - Use secure MACs and KexAlgorithms
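Review bot: `rpm -q "$rpmname"` in fn_handle_allow consults the running host's rpm database, while the deny/allow files it then edits are addressed as `$ROOTFS/etc/$prename.deny` and `.allow`, so if `$ROOTFS` can ever be something other than `/` the existence check and the file edit refer to different systems; `rpm -q --root "$ROOTFS" "$rpmname" >/dev/null 2>&1` keeps both on the same root and also stops rpm's query output from landing in the tool's stdout. `rm -rf "$denyfile"` replaces the `rm -f` that the removed security.conf lines used; `-r` buys nothing for a single deny file and would recurse if the path ever resolved to a directory, so `rm -f "$denyfile"` is the safer equivalent. The allow file is created by `touch` and only afterwards restricted by chown/chmod, leaving a short window in which `$prename.allow` exists with umask-default permissions; `(umask 077; touch "$allowfile")` creates it already closed to group and others while still preserving an existing file's entries. Finally, the missing-package branch calls fn_error and returns 1, so a system without `at` or `cronie` installed will report these two hardening items as failures rather than skips — that may be intended, but it is worth confirming against how `status` is consumed in fn_harden_rootfs, whose loop body lies mostly outside this hunk.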