Date: Sun, 18 Aug 2019 13:03:57 +0000 (UTC) From: Rodrigo Osorio <rodrigo@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r509206 - in branches/2019Q3/net/rtg: . files Message-ID: <201908181303.x7ID3vMc058419@repo.freebsd.org>
Author: rodrigo
Date: Sun Aug 18 13:03:57 2019
New Revision: 509206
URL: https://svnweb.freebsd.org/changeset/ports/509206
Log:
MFH: r507219
Patch createdb script to avoid race condition / file tampering During the initialization net/rtg uses the /tmp/mysql.sql and /tmp/rtg.sql to store the SQL commands executed in the database with special user privileges. Using well known files can lead to a race condition between two process who uses the same file names and allow file tampering by a malicious user. This fix uses mktemp command to create temporary files in a safe way
PR: 238262
Submitted by: rodrigo
Approved by: freebsd-ports@dan.me.uk (maintainer timeout)
Approved by: ports-secteam (miwi@)
Modified: branches/2019Q3/net/rtg/Makefile branches/2019Q3/net/rtg/files/patch-etc_createdb.in
Directory Properties: branches/2019Q3/ (props changed)
Modified: branches/2019Q3/net/rtg/Makefile
==============================================================================
--- branches/2019Q3/net/rtg/Makefile Sun Aug 18 12:46:07 2019 (r509205)
+++ branches/2019Q3/net/rtg/Makefile Sun Aug 18 13:03:57 2019 (r509206)
@@ -3,7 +3,7 @@
PORTNAME= rtg
PORTVERSION= 0.7.4
-PORTREVISION= 18
+PORTREVISION= 19
CATEGORIES= net
MASTER_SITES= SF \
ftp://ftpmirror.uk/freebsd-ports/rtg/
Modified: branches/2019Q3/net/rtg/files/patch-etc_createdb.in
==============================================================================
--- branches/2019Q3/net/rtg/files/patch-etc_createdb.in Sun Aug 18 12:46:07 2019 (r509205)
+++ branches/2019Q3/net/rtg/files/patch-etc_createdb.in Sun Aug 18 13:03:57 2019 (r509206)
@@ -1,20 +1,32 @@
---- etc/createdb.in.orig 2018-04-02 22:52:32 UTC
+--- etc/createdb.in.orig 2003-01-22 19:07:02 UTC
+++ etc/createdb.in
-@@ -23,11 +23,8 @@ echo ""
+@@ -15,6 +15,8 @@
+ RTGPASS="rtgdefault"
+ DATABASE="rtg"
+ USER="snmp"
++MYSQL_FILE=`mktemp -q /tmp/mysql.XXXXXX`
++RTG_FILE=`mktemp -q /tmp/rtg.XXXXXX`
+ echo ""
+ echo "$0 setting up MySQL database for RTG."
+@@ -22,103 +24,98 @@
+ echo ""
+ # Create the necessary SQL in two /tmp files
- cat <<EOT >/tmp/mysql.sql
+-cat <<EOT >/tmp/mysql.sql
-INSERT INTO user (Host, User, Password) VALUES ('$HOST','$USER',PASSWORD("$RTGPASS"));
-INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
-Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
-VALUES ('$HOST','$DATABASE','$USER','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
-FLUSH PRIVILEGES;
++cat <<EOT >$MYSQL_FILE
+CREATE USER '$USER'@'$HOST' IDENTIFIED BY '$RTG_PASS';
+GRANT ALL ON '$DATABASE'.* TO '$USER'@'$HOST';
EOT
- cat <<EOT >/tmp/rtg.sql
-@@ -35,81 +32,81 @@ cat <<EOT >/tmp/rtg.sql
+-cat <<EOT >/tmp/rtg.sql
++cat <<EOT >$RTG_FILE
+ #
# Table structure for table 'router'
#
@@ -135,12 +147,14 @@
);
EOT
-@@ -117,8 +114,6 @@ echo "Adding user \"$USER\" to MySQL dat
- cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
+ echo "Adding user \"$USER\" to MySQL database..."
+-cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
++cat $MYSQL_FILE | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
echo "Creating RTG database \"$DATABASE\"..."
$MYSQLBIN/mysqladmin -u root -p$ROOTPASS create $DATABASE
-echo "Reloading MySQL privileges..."
-$MYSQLBIN/mysqladmin -u root -p$ROOTPASS flush-privileges
echo "Creating RTG tables..."
- cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
+-cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
++cat $RTG_FILE | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
echo "Done."
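Review bot: The two `mktemp -q` assignments added after `USER="snmp"` silence the error message but never test the result, so when mktemp fails `MYSQL_FILE` and `RTG_FILE` expand to nothing, the `cat <<EOT >$MYSQL_FILE` redirection fails, and the script still goes on to run the `mysql` and `mysqladmin` commands in the second hunk; write them as `MYSQL_FILE=$(mktemp -q /tmp/mysql.XXXXXX) || exit 1` and `RTG_FILE=$(mktemp -q /tmp/rtg.XXXXXX) || exit 1`, and quote the later expansions as `"$MYSQL_FILE"` / `"$RTG_FILE"`. Both files hold the database credentials and nothing in either hunk removes them, so a `trap 'rm -f "$MYSQL_FILE" "$RTG_FILE"' EXIT` placed right after they are created would keep them from outliving the run. Separately, the context line `CREATE USER '$USER'@'$HOST' IDENTIFIED BY '$RTG_PASS';` reads `RTG_PASS`, whereas the variable assigned as `RTGPASS="rtgdefault"` in the first hunk and passed as `-p$RTGPASS` in the second is `RTGPASS`; unless `RTG_PASS` is set somewhere outside these hunks, the account is created with an empty password and the heredoc should say `'$RTGPASS'`. The rest of createdb.in, including what follows `echo "Done."`, lies outside the hunks.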