the mayexec function no longer checks cmdline each time that verifies whether a script are allowed to run

This commit is contained in:
wangyuhang 2024-11-18 20:07:16 +08:00
parent e32bc09f2b
commit d486c0c28b
2 changed files with 19 additions and 10 deletions


@ -1,6 +1,8 @@
%define enable_safecheck 1
Name: bash Name: bash
Version: 5.2.15 Version: 5.2.15
Release: 10 Release: 11
Summary: It is the Bourne Again Shell Summary: It is the Bourne Again Shell
License: GPLv3 License: GPLv3
URL: https://www.gnu.org/software/bash URL: https://www.gnu.org/software/bash
@ -35,7 +37,9 @@ Patch6007: backport-renamed-several-functions-beginning-with-legal_-chan.patch
Patch6008: backport-fix-for-cd-when-curent-directory-doesn-t-exist-fix-w.patch Patch6008: backport-fix-for-cd-when-curent-directory-doesn-t-exist-fix-w.patch
Patch6009: Fix-for-a-crash-if-one-of-the-expressions-in-an-arit.patch Patch6009: Fix-for-a-crash-if-one-of-the-expressions-in-an-arit.patch
%if %{enable_safecheck}
Patch9000: only-scripts-verified-by-execveat-are-allowed-to-run.patch Patch9000: only-scripts-verified-by-execveat-are-allowed-to-run.patch
%endif
BuildRequires: gcc bison texinfo autoconf ncurses-devel BuildRequires: gcc bison texinfo autoconf ncurses-devel
# Required for bash tests # Required for bash tests
@ -164,6 +168,9 @@ make check
%exclude %{_infodir}/dir %exclude %{_infodir}/dir
%changelog %changelog
* Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-11
- the mayexec function no longer checks cmdline each time that verifies whether a script are allowed to run
* Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-10 * Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-10
- only scripts verified by execveat are allowed to run - only scripts verified by execveat are allowed to run


@ -4,13 +4,13 @@ Date: Fri, 15 Nov 2024 15:52:35 +0800
Subject: [PATCH] only scripts verified by execveat are allowed to run Subject: [PATCH] only scripts verified by execveat are allowed to run
--- ---
builtins/common.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ builtins/common.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
builtins/common.h | 7 +++++++ builtins/common.h | 7 +++++++
shell.c | 4 ++++ shell.c | 4 ++++
3 files changed, 58 insertions(+) 3 files changed, 60 insertions(+)
diff --git a/builtins/common.c b/builtins/common.c diff --git a/builtins/common.c b/builtins/common.c
index 19b00c4..ba89d6e 100644 index 19b00c4..287e6da 100644
--- a/builtins/common.c --- a/builtins/common.c
+++ b/builtins/common.c +++ b/builtins/common.c
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
@ -21,7 +21,7 @@ index 19b00c4..ba89d6e 100644
#if defined (PREFER_STDARG) #if defined (PREFER_STDARG)
# include <stdarg.h> # include <stdarg.h>
@@ -1129,3 +1130,49 @@ set_expand_once (nval, uwp) @@ -1129,3 +1130,51 @@ set_expand_once (nval, uwp)
return oa; return oa;
} }
#endif #endif
@ -31,16 +31,19 @@ index 19b00c4..ba89d6e 100644
+ const char *filename; + const char *filename;
+ int fd; + int fd;
+{ +{
+ static int exec_check = -1;
+ int ret = 0; + int ret = 0;
+ +
+ if (!proc_cmdline_get("exec_check.bash", "1")) + if (exec_check == -1)
+ exec_check = proc_cmdline_get("exec_check.bash", "1");
+
+ if (!exec_check)
+ return 0; + return 0;
+ +
+ ret = execveat(fd, "", NULL, NULL, AT_CHECK | AT_EMPTY_PATH); + ret = execveat(fd, "", NULL, NULL, AT_CHECK | AT_EMPTY_PATH);
+ +
+ if (ret < 0) { + if (ret < 0)
+ builtin_error (_("[%d] denied sourcing non-executable %s"), getpid(), filename); + builtin_error (_("[%d] denied sourcing non-executable %s"), getpid(), filename);
+ }
+ +
+ return ret; + return ret;
+} +}
@ -61,10 +64,9 @@ index 19b00c4..ba89d6e 100644
+ } + }
+ +
+ if (getline(&line, &len, file) != -1) { + if (getline(&line, &len, file) != -1) {
+ if (strstr(line, search_string)) { + if (strstr(line, search_string))
+ ret = 1; + ret = 1;
+ } + }
+ }
+ +
+ free(line); + free(line);
+ fclose(file); + fclose(file);