| field | value | date |
|---|---|---|
| author | Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org> | 2019-12-02 19:27:29 +0100 |
| committer | Matthew Thode <prometheanfire@gentoo.org> | 2019-12-02 12:51:45 -0600 |
| commit | e9d9a46d5115e5c75085f335bded4badbce05673 | |
| tree | 7fa9284d119c996d5b0519a259a365b94e1e1d92 /net-firewall | |
| parent | net-firewall/nftables: Drop vulnerable ebuild | |
net-firewall/nftables: Touch rules-save with right umask
The nftables ebuild contains code to ensure the rules-save file is created so the service will start on systemd-based systems.

The current code creates the file with default permissions 644, which triggers the code for detecting misconfigured systems added to address bug #691326.

Instead of just using touch, start a subshell so we can call umask beforehand and address the issue.
Bug: https://bugs.gentoo.org/691326
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Package-Manager: Portage-2.3.76, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
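Added example, not code from the Gentoo ebuild or from the commit above: a small bash script that reproduces the `stat --printf '%05a' ... & 07177` test the commit message refers to, creates one file under the usual default umask and one inside a `( umask 177; touch ... )` subshell, and reports which of the two would trip the bug #691326 warning. It assumes GNU coreutils (`stat --printf`) and uses a constructed temporary directory in place of the real rules-save path.

```shell
#!/bin/bash
# Added example, not part of the nftables ebuild: reproduces the permission
# check from pkg_postinst() and shows why a plain `touch` trips it while the
# umask subshell does not. Assumes GNU coreutils (`stat --printf`).

# Constructed scratch directory standing in for the directory that holds
# ${save_file} on a real system.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Octal mode of a file, zero-padded to five digits, as the ebuild prints it.
mode_of() {
    stat --printf '%05a' "$1"
}

# The ebuild's test: 07177 masks setuid/setgid/sticky, owner execute and every
# group/other bit; any of those set counts as "dangerous permissions".
perms_ok() {
    [ $(( $(mode_of "$1") & 07177 )) -eq 0 ]
}

# Old behaviour: touch inherits the caller's umask, typically 022, so the new
# file ends up 0666 & ~022 = 0644.
create_with_default_umask() {
    ( umask 022; touch "$1" )
}

# Fixed behaviour: umask 177 inside a subshell gives 0666 & ~0177 = 0600, and
# the subshell keeps the umask change from leaking into the rest of the script.
create_private() {
    ( umask 177; touch "$1" )
}

create_with_default_umask "$WORK/plain"
create_private "$WORK/private"

for f in plain private; do
    if perms_ok "$WORK/$f"; then
        printf '%s: mode %s passes the check\n' "$f" "$(mode_of "$WORK/$f")"
    else
        printf '%s: mode %s would trigger the bug #691326 warning\n' "$f" "$(mode_of "$WORK/$f")"
    fi
done
```

Run it as any user; the result does not depend on being root, only on the umask in effect when `touch` creates the file, which is exactly what the subshell controls.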
Diffstat (limited to 'net-firewall')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | net-firewall/nftables/nftables-0.9.0-r5.ebuild | 2 |
| -rw-r--r-- | net-firewall/nftables/nftables-0.9.1-r1.ebuild | 2 |
| -rw-r--r-- | net-firewall/nftables/nftables-0.9.2-r1.ebuild | 2 |

3 files changed, 3 insertions, 3 deletions
diff --git a/net-firewall/nftables/nftables-0.9.0-r5.ebuild b/net-firewall/nftables/nftables-0.9.0-r5.ebuild index 24530d29291c..2ad8c89d4c73 100644 --- a/net-firewall/nftables/nftables-0.9.0-r5.ebuild +++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild @@ -84,7 +84,7 @@ pkg_postinst() { # In order for the nftables-restore systemd service to start # the save_file must exist. if [[ ! -f "${save_file}" ]]; then - touch "${save_file}" + ( umask 177; touch "${save_file}" ) elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then ewarn "Your system has dangerous permissions for ${save_file}" ewarn "It is probably affected by bug #691326." diff --git a/net-firewall/nftables/nftables-0.9.1-r1.ebuild b/net-firewall/nftables/nftables-0.9.1-r1.ebuild index 5752d73a1b96..ef662d78f716 100644 --- a/net-firewall/nftables/nftables-0.9.1-r1.ebuild +++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild @@ -130,7 +130,7 @@ pkg_postinst() { # In order for the nftables-restore systemd service to start # the save_file must exist. if [[ ! -f "${save_file}" ]]; then - touch "${save_file}" + ( umask 177; touch "${save_file}" ) elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then ewarn "Your system has dangerous permissions for ${save_file}" ewarn "It is probably affected by bug #691326." diff --git a/net-firewall/nftables/nftables-0.9.2-r1.ebuild b/net-firewall/nftables/nftables-0.9.2-r1.ebuild index d35797947814..f8649c46afaf 100644 --- a/net-firewall/nftables/nftables-0.9.2-r1.ebuild +++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild 
@@ -125,7 +125,7 @@ pkg_postinst() { # In order for the nftables-restore systemd service to start # the save_file must exist. if [[ ! -f "${save_file}" ]]; then - touch "${save_file}" + ( umask 177; touch "${save_file}" ) elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then ewarn "Your system has dangerous permissions for ${save_file}" ewarn "It is probably affected by bug #691326." |
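Review bot: in the nftables-0.9.0-r5.ebuild hunk, `( umask 177; touch "${save_file}" )` only runs on the `[[ ! -f "${save_file}" ]]` path, and `-f` is also false when a dangling symlink sits at that path, in which case `touch` follows the link and creates the 0600 file wherever it points. If that case matters, test with `-e` or `-L` as well, or create the file explicitly with `install -m 0600 /dev/null "${save_file}"`, which states the intended mode in the code instead of relying on the reader to derive 0600 from the umask.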
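Review bot: in the nftables-0.9.1-r1.ebuild hunk, the creation path now fixes 0600 as the intended mode, but the `elif` branch right below it still only ewarns about an existing file with loose bits and leaves them in place. Since the ebuild now knows the correct mode, consider either correcting it (`chmod 600 "${save_file}"` next to the `ewarn "Your system has dangerous permissions for ${save_file}"`) or at least naming the expected mode in the warning so the administrator knows what to set.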
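Review bot: in the nftables-0.9.2-r1.ebuild hunk, the value `177` is not explained next to the code; the only clue is the `07177` mask in the `elif` two lines further down. Add a one-line comment above the subshell, e.g. `# Create the save file 0600 so the permission check below passes (bug #691326)`, so the link between the creation mode and the check is explicit; the same comment belongs in the identical hunks in the 0.9.0-r5 and 0.9.1-r1 ebuilds.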