|
| 1 | +From 4c593d659aff212cdcf9d3ca40cd24a8277f6638 Mon Sep 17 00:00:00 2001 |
| 2 | +From: jykanase <v-jykanase@microsoft.com> |
| 3 | +Date: Fri, 16 May 2025 06:48:14 +0000 |
| 4 | +Subject: [PATCH] CVE-2024-2905 |
| 5 | +https://github.com/coreos/rpm-ostree/pull/4911 |
| 6 | +--- |
| 7 | + Makefile-daemon.am | 1 + |
| 8 | + packaging/rpm-ostree.spec.in | 5 +++++ |
| 9 | + rust/src/passwd.rs | 14 ++++++++++++++ |
| 10 | + src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++ |
| 11 | + tests/compose/libbasic-test.sh | 5 +++++ |
| 12 | + 5 files changed, 44 insertions(+) |
| 13 | + create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service |
| 14 | + |
| 15 | +diff --git a/Makefile-daemon.am b/Makefile-daemon.am |
| 16 | +index 4233d90..f96f49a 100644 |
| 17 | +--- a/Makefile-daemon.am |
| 18 | ++++ b/Makefile-daemon.am |
| 19 | +@@ -60,6 +60,7 @@ systemdunit_service_file_names = \ |
| 20 | + rpm-ostreed-automatic.service \ |
| 21 | + rpm-ostree-bootstatus.service \ |
| 22 | + rpm-ostree-countme.service \ |
| 23 | ++ rpm-ostree-fix-shadow-mode.service \ |
| 24 | + $(NULL) |
| 25 | + |
| 26 | + systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names)) |
| 27 | +diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in |
| 28 | +index 8aa9afa..f734f67 100644 |
| 29 | +--- a/packaging/rpm-ostree.spec.in |
| 30 | ++++ b/packaging/rpm-ostree.spec.in |
| 31 | +@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \ |
| 32 | + # Setup rpm-ostree-countme.timer according to presets |
| 33 | + %post |
| 34 | + %systemd_post rpm-ostree-countme.timer |
| 35 | ++# Only enable on rpm-ostree based systems and manually force unit enablement to |
| 36 | ++# explicitly ignore presets for this security fix |
| 37 | ++if [ -e /run/ostree-booted ]; then |
| 38 | ++ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/ |
| 39 | ++fi |
| 40 | + |
| 41 | + %preun |
| 42 | + %systemd_preun rpm-ostree-countme.timer |
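Review bot: The `ln -snf` into `/usr/lib/systemd/system/multi-user.target.wants/` assumes that directory already exists in the image; if it does not, `ln` fails and the whole `%post` scriptlet errors, so the security unit silently never gets enabled. Adding `mkdir -p /usr/lib/systemd/system/multi-user.target.wants` on the line before the `ln` makes the enablement unconditional. There is also no matching removal in `%preun`/`%postun` (the `%preun` shown only handles the countme timer), so package removal leaves a dangling symlink behind; `rm -f /usr/lib/systemd/system/multi-user.target.wants/rpm-ostree-fix-shadow-mode.service` there would keep it symmetric.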
| 43 | +diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs |
| 44 | +index 79ee488..8f0e584 100644 |
| 45 | +--- a/rust/src/passwd.rs |
| 46 | ++++ b/rust/src/passwd.rs |
| 47 | +@@ -421,6 +421,12 @@ fn write_data_from_treefile( |
| 48 | + let db = rootfs.open(target_passwd_path).map(BufReader::new)?; |
| 49 | + let shadow_name = target.shadow_file(); |
| 50 | + let target_shadow_path = format!("{}{}", dest_path, shadow_name); |
| 51 | ++ // Ideally these permissions come from `setup`, which is the package |
| 52 | ++ // that owns these files: |
| 53 | ++ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96 |
| 54 | ++ // But at this point of the compose, the rootfs is completely empty; we |
| 55 | ++ // haven't started unpacking things yet. So we need to hardcode it here. |
| 56 | ++ let shadow_perms = cap_std::fs::Permissions::from_mode(0); |
| 57 | + |
| 58 | + match target { |
| 59 | + PasswdKind::User => { |
| 60 | +@@ -430,6 +436,10 @@ fn write_data_from_treefile( |
| 61 | + for user in entries { |
| 62 | + writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?; |
| 63 | + } |
| 64 | ++ target_shadow |
| 65 | ++ .get_mut() |
| 66 | ++ .as_file_mut() |
| 67 | ++ .set_permissions(shadow_perms)?; |
| 68 | + Ok(()) |
| 69 | + }) |
| 70 | + .with_context(|| format!("Writing {target_shadow_path}"))?; |
| 71 | +@@ -441,6 +451,10 @@ fn write_data_from_treefile( |
| 72 | + for group in entries { |
| 73 | + writeln!(target_shadow, "{}:::", group.name)?; |
| 74 | + } |
| 75 | ++ target_shadow |
| 76 | ++ .get_mut() |
| 77 | ++ .as_file_mut() |
| 78 | ++ .set_permissions(shadow_perms)?; |
| 79 | + Ok(()) |
| 80 | + }) |
| 81 | + .with_context(|| format!("Writing {target_shadow_path}"))?; |
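Review bot: The mode-0 `set_permissions` call runs only after every `writeln!` has completed, so the shadow file exists with its creation-time (umask-derived) mode for the whole write, and if any `writeln!` returns early via `?` the partially written file keeps that mode with the chmod never reached. The same ordering appears in both the `PasswdKind::User` and `PasswdKind::Group` arms. Creating the file with mode 0 at open time (the `OpenOptions` that produces `target_shadow` is outside these hunks; cap-std exposes a `mode()` builder for this) would make the invariant hold independent of the write path, and the `set_permissions` call could then stay as a belt-and-braces step. In a compose the rootfs is empty and not booted, so the practical exposure is presumably nil, but the structure is what a later reuse of this helper would inherit. `write_data_from_treefile` starts and ends outside the hunks.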
| 82 | +diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service |
| 83 | +new file mode 100644 |
| 84 | +index 0000000..4aea746 |
| 85 | +--- /dev/null |
| 86 | ++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service |
| 87 | +@@ -0,0 +1,19 @@ |
| 88 | ++[Unit] |
| 89 | ++# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`. |
| 90 | ++# This makes sure to fix permissions on systems that were deployed with the wrong permissions. |
| 91 | ++Description=Update permissions for /etc/shadow |
| 92 | ++Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6 |
| 93 | ++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp |
| 94 | ++ConditionPathExists=/run/ostree-booted |
| 95 | ++# Make sure this is started before any unprivileged (interactive) user has access to the system. |
| 96 | ++Before=systemd-user-sessions.service |
| 97 | ++ |
| 98 | ++[Service] |
| 99 | ++Type=oneshot |
| 100 | ++ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow |
| 101 | ++ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow- |
| 102 | ++ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp |
| 103 | ++RemainAfterExit=yes |
| 104 | ++ |
| 105 | ++[Install] |
| 106 | ++WantedBy=multi-user.target |
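Review bot: The `Documentation=` value `https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6` reads as a repository name and an advisory id fused into one path segment; GitHub advisories live under the repository's `security/advisories/` path, so this link should be confirmed to resolve before shipping, since it is the only pointer an operator gets from `systemctl status`. The `ExecStart=` lines use the bare command names `chmod` and `touch`, which relies on systemd's executable search path; older systemd releases require an absolute path such as `/usr/bin/chmod`, so if the unit is meant to be backported, spelling the paths out avoids a silent `ExecStart` failure. Since the stamp is only touched after the first `chmod` succeeds, a failed run correctly retries on the next boot, which is worth stating in the unit comment: `# The stamp is written only after chmod succeeds, so a failed run retries on the next boot.`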
| 107 | +diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh |
| 108 | +index 0a75176..3f7c6d8 100644 |
| 109 | +--- a/tests/compose/libbasic-test.sh |
| 110 | ++++ b/tests/compose/libbasic-test.sh |
| 111 | +@@ -22,6 +22,11 @@ validate_passwd group |
| 112 | + ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt |
| 113 | + assert_file_has_content_literal passwd.txt '00644 ' |
| 114 | + |
| 115 | ++ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt |
| 116 | ++assert_file_has_content_literal shadow.txt '00000 ' |
| 117 | ++ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt |
| 118 | ++assert_file_has_content_literal gshadow.txt '00000 ' |
| 119 | ++ |
| 120 | + ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt |
| 121 | + assert_file_has_content_literal useradd.txt HOME=/var/home |
| 122 | + |
| 123 | +-- |
| 124 | +2.45.2 |
| 125 | + |