From 40a1f71160843019a2eb6a1e7749832f71a67287 Mon Sep 17 00:00:00 2001
From: gaoyusong
Date: Wed, 17 Mar 2021 11:06:01 +0800
Subject: [PATCH] do not create allow file while the command does not exist

---
 ...low-file-while-the-command-does-not-.patch | 96 +++++++++++++++++++
 security-tool.spec                            |  8 +-
 2 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 do-not-create-allow-file-while-the-command-does-not-.patch

diff --git a/do-not-create-allow-file-while-the-command-does-not-.patch b/do-not-create-allow-file-while-the-command-does-not-.patch
new file mode 100644
index 0000000..f6363ae
--- /dev/null
+++ b/do-not-create-allow-file-while-the-command-does-not-.patch
@@ -0,0 +1,96 @@
+From 33a1b6f6006a6481de1b59ee3a8d5c0706830b71 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Thu, 4 Mar 2021 09:31:35 +0800
+Subject: [PATCH] do not create allow file while the command does not exist
+
+Signed-off-by: guoxiaoqi
+---
+ security-tool.sh | 35 +++++++++++++++++++++++++++++++++++
+ security.conf    | 12 +++---------
+ 2 files changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index c6bc4e7..60e25f8 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -675,6 +675,33 @@ function fn_handle_ln()
+     return $?
+ }
+ 
++#=============================================================================
++# Function Name: fn_handle_allow
++# Returns : 0 on success, otherwise on fail
++#=============================================================================
++function fn_handle_allow()
++{
++    fn_test_params_num 1
++
++    local rpmname=$1
++    local ret=0
++
++    rpm -q "$rpmname"
++    if [ $? -eq 0 ]; then
++        local denyfile="$ROOTFS/etc/$rpmname.deny"
++        local allowfile="$ROOTFS/etc/$rpmname.allow"
++        rm -rf "$denyfile"
++        touch "$allowfile"
++        chown root:root "$allowfile"
++        chmod og-rwx "$allowfile"
++
++    else
++        ret=1
++        fn_error "package $rpmname does not exist"
++    fi
++
++    return $ret
++}
+ 
+ #=============================================================================
+ # Function Name: fn_harden_rootfs
+@@ -759,6 +786,10 @@ function fn_harden_rootfs()
+             fn_handle_ln "$f3" "$f4" "$f5"
+             status=$?
+             ;;
++        allow)
++            fn_handle_allow "$f3"
++            status=$?
++            ;;
+         *)
+             fn_handle_command "$f2" "$f3"
+             status=$?
+@@ -861,6 +892,10 @@ IFS=$PRE_IFS
+             fn_handle_ln "$f3" "$f4" "$f5"
+             status=$?
+             ;;
++        allow)
++            fn_handle_allow "$f3"
++            status=$?
++            ;;
+         *)
+             fn_handle_command "$f2" "$f3"
+             status=$?
+diff --git a/security.conf b/security.conf
+index 30b9f54..75b6ba3 100644
+--- a/security.conf
++++ b/security.conf
+@@ -140,15 +140,9 @@
+ 213@chown root:root @/etc/cron.monthly
+ 213@chmod og-rwx @/etc/cron.monthly
+ 
+-214@rm -f @/etc/at.deny
+-214@touch @/etc/at.allow
+-214@chown root:root @/etc/at.allow
+-214@chmod og-rwx @/etc/at.allow
+-
+-215@rm -f @/etc/cron.deny
+-215@touch @/etc/cron.allow
+-215@chown root:root @/etc/cron.allow
+-215@chmod og-rwx @/etc/cron.allow
++# limit command permissions
++214@allow@at
++215@allow@cron
+ 
+ #rpm initscripts drop /etc/sysconfig/init defaultly
+ 216@touch @/etc/sysconfig/init
+-- 
+1.8.3.1
\ No newline at end of file
diff --git a/security-tool.spec b/security-tool.spec
index e845522..94d6ad2 100644
--- a/security-tool.spec
+++ b/security-tool.spec
@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name : security-tool
 Version: 2.0
-Release: 1.51
+Release: 1.52
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -13,7 +13,8 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: xauth
-Patch: Use-secure-MACs-and-KexAlgorithms.patch
+Patch0: Use-secure-MACs-and-KexAlgorithms.patch
+Patch1: do-not-create-allow-file-while-the-command-does-not-.patch
 %description
 openEuler Security Tool
@@ -126,6 +127,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 %changelog
+* Wed Mar 17 2021 gaoyusong - 2.0-1.52
+- do not create allow file while the command does not exist
+
 * Sun Jan 31 2021 Jiachen Fan - 2.0-1.51
 - to reset umask from 0077 to 0022
-- Gitee
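Review bot: `rpm -q "$rpmname"` in the new fn_handle_allow queries the host's RPM database, while the .allow/.deny files it then touches live under `$ROOTFS/etc/`, so whenever `$ROOTFS` is not the running system the decision is made against the wrong package set; `rpm -q ${ROOTFS:+--root "$ROOTFS"} "$rpmname" >/dev/null 2>&1` would query the same tree and also keep the package name out of the tool's stdout. The package name further doubles as the file basename (`214@allow@at`, `215@allow@cron`), so item 215 only runs when a package literally named `cron` is installed; where crontab is shipped under another package name (cronie on several RPM distributions — verify for openEuler) the query fails, fn_error fires and `/etc/cron.deny` stays in place, whereas the replaced config lines removed it unconditionally, so a separate field for the package to query, or a check of the `$ROOTFS/usr/bin/crontab` binary the subject line refers to, would be safer. `rm -rf "$denyfile"` on a single regular file should be `rm -f "$denyfile"`, as the removed config lines had it. Whether the non-zero `status` from the new `allow)` case aborts the whole hardening run is decided in fn_harden_rootfs, whose body continues outside the hunk.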