diff options
Diffstat (limited to 'meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch')
-rw-r--r-- | meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch | 264 |
1 files changed, 0 insertions, 264 deletions
diff --git a/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch b/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch deleted file mode 100644 index 7b1f82d577..0000000000 --- a/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch +++ /dev/null @@ -1,264 +0,0 @@ -commit 7e67d082737b3df4788caf85fedd607b3acd9786 -Author: Peter Seebach <peter.seebach@windriver.com> -Date: Fri May 16 15:53:06 2014 -0500 - - permissions updates: improve fchmodat, mask out write bits - - Upstream-Status: Backport of several patches from 1.6 branch, - combined. - - Backport from pseudo 1.6 of improvements to fchmodat (handle - AT_SYMLINK_NOFOLLOW by rejecting it if the host system does, - to make GNU tar happier), also mask out write bits from filesystem - modes to avoid security problems. - - Also start tracking umask so we can use the right modes for - open, mkdir, and mknod. - - The 1.6 patches are: - - 87c53ea58befef48677846693aab445df1850e16 - 3c716e0bab4f0cfe4be84caa9ce5fd5e3f5e2a23 - c98e4f43b5d6499748a5057134408f4ba4854fb4 - 2f71a021b725c1aa415439209a89327f0b997d02 - 14925786b55202d8147b0af719038e8a23ef73c0 - -diff --git a/ChangeLog.txt b/ChangeLog.txt -index 113f675..cc966ce 100644 ---- a/ChangeLog.txt -+++ b/ChangeLog.txt -@@ -1,3 +1,18 @@ -+2014-05-27: -+ * (seebs) start noticing umask, mask it out from open or mkdir -+ calls rather than relying on underlying open/mkdir to do it. -+ -+2014-05-16: -+ * (seebs) fchmodat: don't drop flags, report failures, to improve -+ compatibility/consistency. Cache the knowledge that -+ AT_SYMLINK_NOFOLLOW gets ENOTSUP. -+ * (seebs) mask out group/other write bits in real filesystem to -+ reduce risks when assembling a rootfs including world-writeable -+ directories. -+ -+2014-05-15: -+ * (seebs) drop flags when calling fchmodat() to appease GNU tar. -+ - 2013-02-27: - * (seebs) Oh, hey, what if I took out my debug messages? - * (seebs) update docs a bit to reduce bitrot -diff --git a/makewrappers b/makewrappers -index e87cc56..0127766 100755 ---- a/makewrappers -+++ b/makewrappers -@@ -204,6 +204,7 @@ class Function: - 'uid_t': '0', - 'int': '-1', - 'long': '-1', -+ 'mode_t': '0', - 'ssize_t': '-1' - } - -diff --git a/ports/darwin/guts/open.c b/ports/darwin/guts/open.c -index c66cc15..520bb70 100644 ---- a/ports/darwin/guts/open.c -+++ b/ports/darwin/guts/open.c -@@ -9,6 +9,9 @@ - struct stat buf = { }; - int existed = 1; - int save_errno; -+ -+ /* mask out mode bits appropriately */ -+ mode = mode & ~pseudo_umask; - #ifdef PSEUDO_FORCE_ASYNCH - flags &= ~O_SYNC; - #endif -diff --git a/ports/linux/guts/__xmknodat.c b/ports/linux/guts/__xmknodat.c -index 59b4f2f..0888b8a 100644 ---- a/ports/linux/guts/__xmknodat.c -+++ b/ports/linux/guts/__xmknodat.c -@@ -9,6 +9,9 @@ - pseudo_msg_t *msg; - struct stat64 buf; - -+ /* mask out mode bits appropriately */ -+ mode = mode & ~pseudo_umask; -+ - /* we don't use underlying call, so _ver is irrelevant to us */ - (void) ver; - -diff --git a/ports/linux/guts/openat.c b/ports/linux/guts/openat.c -index 8460073..4053549 100644 ---- a/ports/linux/guts/openat.c -+++ b/ports/linux/guts/openat.c -@@ -10,6 +10,9 @@ - int existed = 1; - int save_errno; - -+ /* mask out mode bits appropriately */ -+ mode = mode & ~pseudo_umask; -+ - #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS - if (dirfd != AT_FDCWD) { - errno = ENOSYS; -diff --git a/ports/unix/guts/fchmodat.c b/ports/unix/guts/fchmodat.c -index 59a92ce..69a953c 100644 ---- a/ports/unix/guts/fchmodat.c -+++ b/ports/unix/guts/fchmodat.c -@@ -8,6 +8,7 @@ - */ - PSEUDO_STATBUF buf; - int save_errno = errno; -+ static int picky_fchmodat = 0; - - #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS - if (dirfd != AT_FDCWD) { -@@ -15,6 +16,16 @@ - return -1; - } - if (flags & AT_SYMLINK_NOFOLLOW) { -+ /* Linux, as of this writing, will always reject this. -+ * GNU tar relies on getting the rejection. To cut down -+ * on traffic, we check for the failure, and if we saw -+ * a failure previously, we reject it right away and tell -+ * the caller to retry. -+ */ -+ if (picky_fchmodat) { -+ errno = ENOTSUP; -+ return -1; -+ } - rc = base_lstat(path, &buf); - } else { - rc = base_stat(path, &buf); -@@ -50,13 +61,22 @@ - - /* user bits added so "root" can always access files. */ - #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS -- /* note: if path was a symlink, and AT_NOFOLLOW_SYMLINKS was -+ /* note: if path was a symlink, and AT_SYMLINK_NOFOLLOW was - * specified, we already bailed previously. */ - real_chmod(path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode))); - #else -- real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); -+ rc = real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); -+ /* AT_SYMLINK_NOFOLLOW isn't supported by fchmodat. GNU tar -+ * tries to use it anyway, figuring it can just retry if that -+ * fails. So we want to report that *particular* failure instead -+ * of doing the fallback. -+ */ -+ if (rc == -1 && errno == ENOTSUP && (flags & AT_SYMLINK_NOFOLLOW)) { -+ picky_fchmodat = 1; -+ return -1; -+ } - #endif -- /* we ignore a failure from underlying fchmod, because pseudo -+ /* we otherwise ignore failures from underlying fchmod, because pseudo - * may believe you are permitted to change modes that the filesystem - * doesn't. Note that we also don't need to know whether the - * file might be a (pseudo) block device or some such; pseudo -diff --git a/ports/unix/guts/mkdirat.c b/ports/unix/guts/mkdirat.c -index e846b70..e0b6af9 100644 ---- a/ports/unix/guts/mkdirat.c -+++ b/ports/unix/guts/mkdirat.c -@@ -6,11 +6,14 @@ - * wrap_mkdirat(int dirfd, const char *path, mode_t mode) { - * int rc = -1; - */ -+ /* mask out mode bits appropriately */ -+ mode = mode & ~pseudo_umask; - #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS - if (dirfd != AT_FDCWD) { - errno = ENOSYS; - return -1; - } -+ - rc = real_mkdir(path, PSEUDO_FS_MODE(mode, 1)); - #else - rc = real_mkdirat(dirfd, path, PSEUDO_FS_MODE(mode, 1)); -diff --git a/ports/unix/guts/mknodat.c b/ports/unix/guts/mknodat.c -index 6fd5b42..5d8d47c 100644 ---- a/ports/unix/guts/mknodat.c -+++ b/ports/unix/guts/mknodat.c -@@ -10,6 +10,9 @@ - PSEUDO_STATBUF buf; - int save_errno = errno; - -+ /* mask out mode bits appropriately */ -+ mode = mode & ~pseudo_umask; -+ - #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS - if (dirfd != AT_FDCWD) { - errno = ENOSYS; -diff --git a/ports/unix/guts/umask.c b/ports/unix/guts/umask.c -new file mode 100644 -index 0000000..6b060d3 ---- /dev/null -+++ b/ports/unix/guts/umask.c -@@ -0,0 +1,14 @@ -+/* -+ * Copyright (c) 2014 Wind River Systems; see -+ * guts/COPYRIGHT for information. -+ * -+ * mode_t umask(mode_t mask) -+ * mode_t rc = 0; -+ */ -+ -+ pseudo_umask = mask; -+ rc = real_umask(mask); -+ -+/* return rc; -+ * } -+ */ -diff --git a/ports/unix/wrapfuncs.in b/ports/unix/wrapfuncs.in -index 8460a65..e0e9739 100644 ---- a/ports/unix/wrapfuncs.in -+++ b/ports/unix/wrapfuncs.in -@@ -67,3 +67,4 @@ void sync(void); /* async_skip= */ - int syncfs(int fd); /* async_skip=0 */ - int sync_file_range(int fd, off64_t offset, off64_t nbytes, unsigned int flags); /* async_skip=0 */ - int msync(void *addr, size_t length, int flags); /* async_skip=0 */ -+mode_t umask(mode_t mask); -diff --git a/pseudo_client.c b/pseudo_client.c -index b6d11a6..535c810 100644 ---- a/pseudo_client.c -+++ b/pseudo_client.c -@@ -71,6 +71,8 @@ int pseudo_disabled = 0; - int pseudo_allow_fsync = 0; - static int pseudo_local_only = 0; - -+int pseudo_umask = 022; -+ - static char **fd_paths = NULL; - static int nfds = 0; - static int messages = 0; -@@ -219,6 +221,9 @@ pseudo_init_client(void) { - if (!pseudo_disabled && !pseudo_inited) { - char *pseudo_path = 0; - -+ pseudo_umask = umask(022); -+ umask(pseudo_umask); -+ - pseudo_path = pseudo_prefix_path(NULL); - if (pseudo_prefix_dir_fd == -1) { - if (pseudo_path) { -diff --git a/pseudo_client.h b/pseudo_client.h -index f36a772..5bf820e 100644 ---- a/pseudo_client.h -+++ b/pseudo_client.h -@@ -72,6 +72,8 @@ extern char *pseudo_passwd; - extern size_t pseudo_chroot_len; - extern int pseudo_nosymlinkexp; - -+extern int pseudo_umask; -+ - /* Root can read and write files, and enter directories which have no - * read, write, or execute permissions. (But can't execute files without - * execute permissions!) -@@ -85,6 +87,6 @@ extern int pseudo_nosymlinkexp; - * None of this will behave very sensibly if umask has 0700 bits in it; - * this is a known limitation. - */ --#define PSEUDO_FS_MODE(mode, isdir) ((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) --#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0700) | ((user_mode & 0700))) -+#define PSEUDO_FS_MODE(mode, isdir) (((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) -+#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0722) | ((user_mode & 0722))) - |