From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 18 Jan 2023 14:00:22 -0500 Subject: [PATCH] Use normal file permissions instead of ACLs Fixes a symlink attack that can't be mitigated using getfacl/setfacl. pesign-authorize is now deprecated and will be removed in a future release. Resolves: CVE-2022-3560 Signed-off-by: Robbie Harwood --- src/pesign-authorize.in | 50 +++---------------------------------------------- 1 file changed, 3 insertions(+), 47 deletions(-) diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in index 69797d5..b4e89e0 100644 --- a/src/pesign-authorize.in +++ b/src/pesign-authorize.in @@ -2,56 +2,12 @@ set -e set -u -# -# With /run/pesign/socket on tmpfs, a simple way of restoring the -# acls for specific users is useful -# -# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 -# - # License: GPLv2 -declare -a fileusers=() -declare -a dirusers=() -while read -r user ; do - dirusers[${#dirusers[@]}]=-m - dirusers[${#dirusers[@]}]="u:$user:rwx" - fileusers[${#fileusers[@]}]=-m - fileusers[${#fileusers[@]}]="u:$user:rw" -done