git: c55000e7c233 - releng/14.2 - etcupdate: Restrict access to the conflicts directory
Date: Wed, 29 Jan 2025 18:54:57 UTC
The branch releng/14.2 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=c55000e7c233573bae396df6099dcfc564abdcb7
commit c55000e7c233573bae396df6099dcfc564abdcb7
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-01-28 14:23:06 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-01-29 17:27:37 +0000
etcupdate: Restrict access to the conflicts directory
In the window during conflict resolution, copies of installed files with
conflicts are added here with the default mode. Restrict access.
Approved by: so
Security: FreeBSD-SA-25:03.etcupdate
PR: 277470
Reviewed by: philip, jhb, emaste
Differential Revision: https://reviews.freebsd.org/D48576
(cherry picked from commit c43ae7ab4bf89c2b274c1cbefe663c456e9211d1)
(cherry picked from commit 93836ff92be84a1d4e7611577ffe116a0e30d008)
---
usr.sbin/etcupdate/etcupdate.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh
index 39d1f9e56a54..7bddd6593b56 100755
--- a/usr.sbin/etcupdate/etcupdate.sh
+++ b/usr.sbin/etcupdate/etcupdate.sh
@@ -1611,6 +1611,9 @@ EOF
# Initialize conflicts and warnings handling.
rm -f $WARNINGS
mkdir -p $CONFLICTS
+ if ! chmod 0700 ${CONFLICTS}; then
+ panic "Unable to set permissions on conflicts directory"
+ fi
# Ignore removed files for the pre-world case. A pre-world
# update uses a stripped-down tree.
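Review bot: The added `chmod 0700 ${CONFLICTS}` runs only after `mkdir -p $CONFLICTS` has already created the directory, so a freshly created conflicts directory exists with the default mode until the chmod completes. Creating it restricted in one step with `mkdir -p -m 0700 "$CONFLICTS"` would avoid that interval. The chmod should stay, because `mkdir -p` does not change the mode of a directory left over from an earlier run. The exit status of `mkdir -p` is still unchecked, although the chmod failure path does catch a directory that could not be created. The new line also expands `${CONFLICTS}` unquoted and with braces while the line above uses `$CONFLICTS`; quoting the expansion and matching the surrounding style would be more consistent.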