rpm-ostree-fix-shadow-mode: Also fix previous deployments

The fix in coreos#4911 for CVE-2024-2905 only fixes the permissions for the current deployment and not for previous deployments for existing installations. The affected files can still be read from the previous deployment by looking at them in `/sysroot/ostree/deploy/...`. Extend the logic to fix all deployments on the system and update the logic to only update files that exists. See: coreos#4911 See: GHSA-2m76-cwhg-7wv6 See: ostreedev/ostree#3211
travier · Apr 12, 2024 · d7917e1 · d7917e1
1 parent 644fda9
commit d7917e1
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 4 deletions.
diff --git a/rust/src/internals.rs b/rust/src/internals.rs
@@ -0,0 +1,43 @@
+//! Internal commands for one off fixes.
+
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+
+use anyhow::{bail, Context, Result};
+use std::path;
+
+use crate::core::OSTREE_BOOTED;
+
+/// Stamp file used to avoid repeating this on every boot
+const STAMP_FILE: &str = "/etc/.rpm-ostree-shadow-mode-fixed2.stamp";
+
+/// Main entrypoint for the hidden "internals" sub command.
+/// Supported sub-commands:
+/// - fix-shadow: Fix mode on /etc/[g]shadow[-] files in all deployments (CVE-2024-2905)
+pub fn entrypoint(_args: &[&str]) -> Result<()> {
+    // Skip if we are not run on an ostree booted system
+    if !path::Path::new(OSTREE_BOOTED).exists() {
+        bail!("Not running on an ostree based system");
+    }
+
+    // Skip if we are not running as root
+    if rustix::process::geteuid().as_raw() != 0 {
+        bail!("Must run as root");
+    }
+
+    // Iterate over all deployments and fix mode on /etc/[g]shadow[-]
+
+    // Touch stamp file
+    // touch /etc/.rpm-ostree-shadow-mode-fixed2.stamp
+    let statedir = Dir::open_ambient_dir(STATE_DIR, cap_std::ambient_authority())?;
+    statedir.atomic_replace_with(COUNTME_COOKIE, |w| -> Result<_> {
+        Ok(serde_json::to_writer(w, &cookie)?)
+    });
+
+    println!("Successful requests: {}/{}", successful, repos.len());
+    if let Err(e) = cookie.persist() {
+        // Do not exit with a non zero code here as we have still made at least
+        // one successful request thus we have been counted.
+        eprintln!("Failed to persist cookie: {}", e);
+    }
+    Ok(())
+}
diff --git a/rust/src/main.rs b/rust/src/main.rs
@@ -29,6 +29,7 @@ async fn inner_async_main(args: Vec<String>) -> Result<i32> {
                 // Add custom Rust commands here, and also in `libmain.cxx` if user-visible.
                 "countme" => rpmostree_rust::countme::entrypoint(args).map(|_| 0),
                 "cliwrap" => rpmostree_rust::cliwrap::entrypoint(args).map(|_| 0),
+                "internals" => rpmostree_rust::internals::entrypoint(args).map(|_| 0),
                 // A hidden wrapper to intercept some binaries in RPM scriptlets.
                 "scriptlet-intercept" => builtins::scriptlet_intercept::entrypoint(args).map(|_| 0),
                 // This is a deprecated entrypoint

diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -3,17 +3,17 @@
 # This makes sure to fix permissions on systems that were deployed with the wrong permissions.
 Description=Update permissions for /etc/shadow
 Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
-ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp
 ConditionPathExists=/run/ostree-booted
 # Make sure this is started before any unprivileged (interactive) user has access to the system.
 Before=systemd-user-sessions.service
 
 [Service]
 Type=oneshot
-ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
-ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
-ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+ExecStart=rpm-ostree internals fix-shadow
 RemainAfterExit=yes
+# The MountFlags=slave is so we remount /sysroot temporarily writable
+MountFlags=slave
 
 [Install]
 WantedBy=multi-user.target