author | Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org> | 2019-09-07 22:38:38 +0200 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2019-09-07 16:24:11 -0500 |
commit | 73598a5e25d6583dde4f08a34df5073817c5a391 (patch) | |
tree | 7a1a91aef3385617e709c20b7bc0625769162231 /net-firewall/nftables | |
parent | x11-misc/zim: x86 stable (bug #687176) (diff) | |
net-firewall/nftables: Fix permissions for rules.save
Due to a bug, the rules.save file was created with the wrong
permissions, which allowed all users to read the file containing the
system rules, although root privileges are usually required to
do so.
To fix this issue, the following measures have been taken:
* The umask on nftables-mk.sh is now correctly set to 177
* nftables.sh now also sets the umask before saving the rules
* The ebuilds will warn on post installation if the rules.save
has insecure permissions
* The ebuilds have been bumped to ensure these changes are
applied
Bug: https://bugs.gentoo.org/691326
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Package-Manager: Portage-2.3.69, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Diffstat (limited to 'net-firewall/nftables')
-rw-r--r-- | net-firewall/nftables/files/libexec/nftables-mk.sh | 2 | ||||
-rwxr-xr-x | net-firewall/nftables/files/libexec/nftables.sh | 1 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-0.9.0-r5.ebuild | 103 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-0.9.1-r1.ebuild (renamed from net-firewall/nftables/nftables-0.9.1.ebuild) | 10 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-0.9.2-r1.ebuild (renamed from net-firewall/nftables/nftables-0.9.2.ebuild) | 10 |
5 files changed, 121 insertions, 5 deletions
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b3d7db60d7fe..27defe3c1c31 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -24,7 +24,7 @@ main() {
 ;;
 "store")
 local tmp_save="${NFTABLES_SAVE}.tmp"
- umask 600;
+ umask 177
 (
 printf '#!/sbin/nft -f\nflush ruleset\n'
 nft ${SAVE_OPTIONS} list ruleset
diff --git a/net-firewall/nftables/files/libexec/nftables.sh b/net-firewall/nftables/files/libexec/nftables.sh
index cc55f8566000..557b454a9115 100755
--- a/net-firewall/nftables/files/libexec/nftables.sh
+++ b/net-firewall/nftables/files/libexec/nftables.sh
@@ -25,6 +25,7 @@ main() {
 retval=$?
 ;;
 "store")
+ umask 177
 local tmp_save="${NFTABLES_SAVE}.tmp"
 if ! use_legacy; then
 nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
diff --git a/net-firewall/nftables/nftables-0.9.0-r5.ebuild b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
new file mode 100644
index 000000000000..d98c11e37e4c
--- /dev/null
+++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
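Review bot: The added `umask 177` in nftables-mk.sh only governs files created after it runs; if `${tmp_save}` (presumably written right after the subshell closes, outside the hunk) already exists from an earlier run under the old umask, the redirection truncates it and leaves its old, possibly world-readable mode in place. Adding `rm -f "${tmp_save}"` right after the `local tmp_save=` line, or `chmod 600 "${tmp_save}"` once it is written, makes the result independent of leftover state. The same applies to the `umask 177` added before `local tmp_save` in nftables.sh in the next hunk, where the `> ${tmp_save}` redirection is visible. main()'s body starts and ends outside both hunks.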
@@ -0,0 +1,103 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools linux-info systemd
+
+DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~x86"
+IUSE="debug doc +gmp json +modern_kernel +readline"
+
+RDEPEND=">=net-libs/libmnl-1.0.3:0=
+ gmp? ( dev-libs/gmp:0= )
+ json? ( dev-libs/jansson )
+ readline? ( sys-libs/readline:0= )
+ >=net-libs/libnftnl-1.1.1:0="
+
+DEPEND="${RDEPEND}
+ >=app-text/docbook2X-0.8.8-r4
+ doc? ( >=app-text/dblatex-0.3.7 )
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig"
+
+S="${WORKDIR}/v${PV}"
+
+pkg_setup() {
+ if kernel_is ge 3 13; then
+ if use modern_kernel && kernel_is lt 3 18; then
+ eerror "The modern_kernel USE flag requires kernel version 3.18 or newer to work properly."
+ fi
+ CONFIG_CHECK="~NF_TABLES"
+ linux-info_pkg_setup
+ else
+ eerror "This package requires kernel version 3.13 or newer to work properly."
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable debug)
+ $(use_enable doc pdf-doc)
+ $(use_with !gmp mini_gmp)
+ $(use_with json)
+ $(use_with readline cli)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ local mksuffix=""
+ use modern_kernel && mksuffix="-mk"
+
+ exeinto /usr/libexec/${PN}
+ newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
+ newconfd "${FILESDIR}"/${PN}${mksuffix}.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}${mksuffix}.init ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+ docinto /usr/share/doc/${PF}/skels
+ dodoc "${D}"/etc/nftables/*
+ rm -R "${D}"/etc/nftables
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT%/}/var/lib/nftables/rules-save"
+
+ # In order for the nftables-restore systemd service to start
+ # the save_file must exist.
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
+ fi
+
+ elog "If you wish to enable the firewall rules on boot (on systemd) you"
+ elog "will need to enable the nftables-restore service."
+ elog " 'systemd_enable_service basic.target ${PN}-restore.service'"
+ elog
+ elog "If you are creating firewall rules before the next system restart "
+ elog "the nftables-restore service must be manually started in order to "
+ elog "save those rules on shutdown."
+}
diff --git a/net-firewall/nftables/nftables-0.9.1.ebuild b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
index db6f707d58c6..5752d73a1b96 100644
--- a/net-firewall/nftables/nftables-0.9.1.ebuild
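Review bot: In pkg_postinst of the new 0.9.0-r5 ebuild, `touch "${save_file}"` creates the save file under whatever umask the package manager happens to run with, so the file the following `elif` branch checks for insecure permissions can itself be created permissively here, and because the check lives in the `elif` it is never applied on the run that creates the file. Creating it with a restricted umask, `( umask 177 && touch "${save_file}" )`, keeps the initial mode consistent with the `chmod 600` the warning recommends; the file is empty at that point, and what later saves do with it is not visible in this hunk. The identical `touch "${save_file}"` appears in the pkg_postinst hunks of nftables-0.9.1-r1.ebuild and nftables-0.9.2-r1.ebuild that follow.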
+++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
@@ -129,8 +129,14 @@ pkg_postinst() {
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
- if [[ ! -f ${save_file} ]]; then
- touch ${save_file}
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
 fi
 elog "If you wish to enable the firewall rules on boot (on systemd) you"
diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
index 112b5f0b9afb..d35797947814 100644
--- a/net-firewall/nftables/nftables-0.9.2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
@@ -124,8 +124,14 @@ pkg_postinst() {
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
- if [[ ! -f ${save_file} ]]; then
- touch ${save_file}
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
 fi
 elog "If you wish to enable the firewall rules on boot (on systemd) you" |