diff --git a/do-not-create-allow-file-while-the-command-does-not-.patch b/do-not-create-allow-file-while-the-command-does-not-.patch
index f6363ae633929d7c0c33621f3ffc984e1a0cb96b..e66f55f1d6cd8b38a53c3d308049a3eb659471fd 100644
--- a/do-not-create-allow-file-while-the-command-does-not-.patch
+++ b/do-not-create-allow-file-while-the-command-does-not-.patch
@@ -1,96 +1,99 @@
-From 33a1b6f6006a6481de1b59ee3a8d5c0706830b71 Mon Sep 17 00:00:00 2001
-From: guoxiaoqi
-Date: Thu, 4 Mar 2021 09:31:35 +0800
-Subject: [PATCH] do not create allow file while the command does not exist
-
-Signed-off-by: guoxiaoqi
----
- security-tool.sh | 35 +++++++++++++++++++++++++++++++++++
- security.conf | 12 +++---------
- 2 files changed, 38 insertions(+), 9 deletions(-)
-
-diff --git a/security-tool.sh b/security-tool.sh
-index c6bc4e7..60e25f8 100644
---- a/security-tool.sh
-+++ b/security-tool.sh
-@@ -675,6 +675,33 @@ function fn_handle_ln()
- return $?
- }
-
-+#=============================================================================
-+# Function Name: fn_handle_allow
-+# Returns : 0 on success, otherwise on fail
-+#=============================================================================
-+function fn_handle_allow()
-+{
-+ fn_test_params_num 1
-+
-+ local rpmname=$1
-+ local ret=0
-+
-+ rpm -q "$rpmname"
-+ if [ $? -eq 0 ]; then
-+ local denyfile="$ROOTFS/etc/$rpmname.deny"
-+ local allowfile="$ROOTFS/etc/$rpmname.allow"
-+ rm -rf "$denyfile"
-+ touch "$allowfile"
-+ chown root:root "$allowfile"
-+ chmod og-rwx "$allowfile"
-+
-+ else
-+ ret=1
-+ fn_error "package $rpmname does not exist"
-+ fi
-+
-+ return $ret
-+}
-
- #=============================================================================
- # Function Name: fn_harden_rootfs
-@@ -759,6 +786,10 @@ function fn_harden_rootfs()
- fn_handle_ln "$f3" "$f4" "$f5"
- status=$?
- ;;
-+ allow)
-+ fn_handle_allow "$f3"
-+ status=$?
-+ ;;
- *)
- fn_handle_command "$f2" "$f3"
- status=$?
-@@ -861,6 +892,10 @@ IFS=$PRE_IFS
- fn_handle_ln "$f3" "$f4" "$f5"
- status=$?
- ;;
-+ allow)
-+ fn_handle_allow "$f3"
-+ status=$?
-+ ;;
- *)
- fn_handle_command "$f2" "$f3"
- status=$?
-diff --git a/security.conf b/security.conf
-index 30b9f54..75b6ba3 100644
---- a/security.conf
-+++ b/security.conf
-@@ -140,15 +140,9 @@
- 213@chown root:root @/etc/cron.monthly
- 213@chmod og-rwx @/etc/cron.monthly
-
--214@rm -f @/etc/at.deny
--214@touch @/etc/at.allow
--214@chown root:root @/etc/at.allow
--214@chmod og-rwx @/etc/at.allow
--
--215@rm -f @/etc/cron.deny
--215@touch @/etc/cron.allow
--215@chown root:root @/etc/cron.allow
--215@chmod og-rwx @/etc/cron.allow
-+# limit command permissions
-+214@allow@at
-+215@allow@cron
-
- #rpm initscripts drop /etc/sysconfig/init defaultly
- 216@touch @/etc/sysconfig/init
---
-1.8.3.1
\ No newline at end of file
+From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Thu, 18 Mar 2021 10:51:25 +0800
+Subject: [PATCH] do not create allow file while the command does not exist
+
+Signed-off-by: guoxiaoqi
+---
+ security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
+ security.conf | 12 +++---------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/security-tool.sh b/security-tool.sh
+index c6bc4e7..e8619f5 100644
+--- a/security-tool.sh
++++ b/security-tool.sh
+@@ -675,6 +675,35 @@ function fn_handle_ln()
+ return $?
+ }
+
++#=============================================================================
++# Function Name: fn_handle_allow
++# Returns : 0 on success, otherwise on fail
++#=============================================================================
++function fn_handle_allow()
++{
++ fn_test_params_num 2
++
++ local rpmname=$1
++ local prename=$2
++ local ret=0
++
++ rpm -q "$rpmname"
++ if [ $? -eq 0 ]; then
++ local denyfile="$ROOTFS/etc/$prename.deny"
++ local allowfile="$ROOTFS/etc/$prename.allow"
++ rm -rf "$denyfile"
++ touch "$allowfile"
++ chown root:root "$allowfile"
++ chmod og-rwx "$allowfile"
++
++ else
++ ret=1
++ fn_error "package $rpmname does not exist"
++ fi
++
++ return $ret
++}
++
+
+ #=============================================================================
+ # Function Name: fn_harden_rootfs
+@@ -759,6 +788,10 @@ function fn_harden_rootfs()
+ fn_handle_ln "$f3" "$f4" "$f5"
+ status=$?
+ ;;
++ allow)
++ fn_handle_allow "$f3" "$f4"
++ status=$?
++ ;;
+ *)
+ fn_handle_command "$f2" "$f3"
+ status=$?
+@@ -861,6 +894,10 @@ IFS=$PRE_IFS
+ fn_handle_ln "$f3" "$f4" "$f5"
+ status=$?
+ ;;
++ allow)
++ fn_handle_allow "$f3" "$f4"
++ status=$?
++ ;;
+ *)
+ fn_handle_command "$f2" "$f3"
+ status=$?
+diff --git a/security.conf b/security.conf
+index 30b9f54..72bb91e 100644
+--- a/security.conf
++++ b/security.conf
+@@ -140,15 +140,9 @@
+ 213@chown root:root @/etc/cron.monthly
+ 213@chmod og-rwx @/etc/cron.monthly
+
+-214@rm -f @/etc/at.deny
+-214@touch @/etc/at.allow
+-214@chown root:root @/etc/at.allow
+-214@chmod og-rwx @/etc/at.allow
+-
+-215@rm -f @/etc/cron.deny
+-215@touch @/etc/cron.allow
+-215@chown root:root @/etc/cron.allow
+-215@chmod og-rwx @/etc/cron.allow
++# limit command permissions
++214@allow@at@at
++215@allow@cronie@cron
+
+ #rpm initscripts drop /etc/sysconfig/init defaultly
+ 216@touch @/etc/sysconfig/init
+--
+1.8.3.1
+
diff --git a/security-tool.spec b/security-tool.spec
index 94d6ad2a21716228ade452b13867816530788059..0cf39f833769ff936ace794e004dbcfba9ff40d7 100644
--- a/security-tool.spec
+++ b/security-tool.spec
@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name : security-tool
 Version: 2.0
-Release: 1.52
+Release: 1.53
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
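Review bot: In the rewritten fn_handle_allow, the exit status of `touch`, `chown` and `chmod` on the allow file is never checked, so `ret` stays 0 and the caller's `status` reports success even when the file was created but left with default-umask permissions; `touch` also creates the file under the current umask before `chmod og-rwx` narrows it, leaving a short window in which `at.allow`/`cron.allow` can be readable by other users. I would create the file under a restrictive umask and fold the three operations into one checked chain, as below (`rm -rf` on a single file can also go back to the `rm -f` the old security.conf lines used). If `$ROOTFS` can point anywhere other than `/`, `rpm -q "$rpmname"` consults the host's package database rather than the target tree — rpm's `--root "$ROOTFS"` would query the target, but I cannot see from here how ROOTFS is set. The two `case` hunks at 759 and 861 show only the new `allow)` arm; the enclosing `case` statements start and end outside them.
```shell
# … unchanged: rpm -q check and the denyfile/allowfile locals …
rm -f "$denyfile"
# create under a restrictive umask so the file never exists world-readable,
# and fail the step if any of the three operations does not succeed
if ! { (umask 077 && touch "$allowfile") && chown root:root "$allowfile" && chmod og-rwx "$allowfile"; }; then
    ret=1
    fn_error "failed to secure $allowfile"
fi
# … unchanged: else branch reporting the missing package, return $ret …
```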
@@ -127,6 +127,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 %changelog
+* Thu May 27 2021 gaoyusong - 2.0-1.53
+- rewrite patch: do not create allow file while the command does not exist
+
 * Wed Mar 17 2021 gaoyusong - 2.0-1.52
 - do not create allow file while the command does not exist