author | Rodrigo Osorio <rodrigo@FreeBSD.org> | 2019-07-23 14:47:15 +0000 |
committer | Rodrigo Osorio <rodrigo@FreeBSD.org> | 2019-07-23 14:47:15 +0000 |
commit | 4a551ab4491c8ed28cb3774a1bde3f64eca599b4 (patch) | |
tree | 88fdae74304c5eaf30dafd55b28e4c12c5c2a87d /net/rtg | |
parent | 074cabd268134819287c9a12ec21d65de05b8d3c (diff) | |
download | ports-4a551ab4491c8ed28cb3774a1bde3f64eca599b4.tar.gz ports-4a551ab4491c8ed28cb3774a1bde3f64eca599b4.zip |
Patch createdb script to avoid race condition / file tampering
During the initialization net/rtg uses the /tmp/mysql.sql
and /tmp/rtg.sql to store the SQL commands executed in the
database with special user privileges.
Using well-known file names can lead to a race condition between
two processes that use the same file names and allows file
tampering by a malicious user.
This fix uses mktemp command to create temporary files
in a safe way
PR: 238262
Submitted by: rodrigo
Approved by: freebsd-ports@dan.me.uk (maintainer timeout)
MFH: 2019Q3
Notes:
svn path=/head/; revision=507219
Diffstat (limited to 'net/rtg')
-rw-r--r-- | net/rtg/Makefile | 2 | ||||
-rw-r--r-- | net/rtg/files/patch-etc_createdb.in | 30 |
2 files changed, 23 insertions, 9 deletions
diff --git a/net/rtg/Makefile b/net/rtg/Makefile
index df20a5ed0944..33a5f6117802 100644
--- a/net/rtg/Makefile
+++ b/net/rtg/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= rtg
 PORTVERSION= 0.7.4
-PORTREVISION= 18
+PORTREVISION= 19
 CATEGORIES= net
 MASTER_SITES= SF \
 ftp://ftpmirror.uk/freebsd-ports/rtg/
diff --git a/net/rtg/files/patch-etc_createdb.in b/net/rtg/files/patch-etc_createdb.in
index 4c9826397a6b..ae06e2bf8b9e 100644
--- a/net/rtg/files/patch-etc_createdb.in
+++ b/net/rtg/files/patch-etc_createdb.in
@@ -1,20 +1,32 @@
---- etc/createdb.in.orig 2018-04-02 22:52:32 UTC
+--- etc/createdb.in.orig 2003-01-22 19:07:02 UTC
 +++ etc/createdb.in
-@@ -23,11 +23,8 @@ echo ""
+@@ -15,6 +15,8 @@
+ RTGPASS="rtgdefault"
+ DATABASE="rtg"
+ USER="snmp"
++MYSQL_FILE=`mktemp -q /tmp/mysql.XXXXXX`
++RTG_FILE=`mktemp -q /tmp/rtg.XXXXXX`
+ 
+ echo ""
+ echo "$0 setting up MySQL database for RTG."
+@@ -22,103 +24,98 @@
+ echo ""
  # Create the necessary SQL in two /tmp files
- cat <<EOT >/tmp/mysql.sql
+-cat <<EOT >/tmp/mysql.sql
 -INSERT INTO user (Host, User, Password) VALUES ('$HOST','$USER',PASSWORD("$RTGPASS"));
 -INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
 -Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
 -VALUES ('$HOST','$DATABASE','$USER','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
 -FLUSH PRIVILEGES;
++cat <<EOT >$MYSQL_FILE
 +CREATE USER '$USER'@'$HOST' IDENTIFIED BY '$RTG_PASS';
 +GRANT ALL ON '$DATABASE'.* TO '$USER'@'$HOST';
  EOT
- cat <<EOT >/tmp/rtg.sql
-@@ -35,81 +32,81 @@ cat <<EOT >/tmp/rtg.sql
+-cat <<EOT >/tmp/rtg.sql
++cat <<EOT >$RTG_FILE
+ #
  # Table structure for table 'router'
  #
@@ -135,12 +147,14 @@
  );
  EOT
-@@ -117,8 +114,6 @@ echo "Adding user \"$USER\" to MySQL dat
- cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
+ echo "Adding user \"$USER\" to MySQL database..."
+-cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
++cat $MYSQL_FILE | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
  echo "Creating RTG database \"$DATABASE\"..."
  $MYSQLBIN/mysqladmin -u root -p$ROOTPASS create $DATABASE
 -echo "Reloading MySQL privileges..."
 -$MYSQLBIN/mysqladmin -u root -p$ROOTPASS flush-privileges
  echo "Creating RTG tables..."
- cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
+-cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
++cat $RTG_FILE | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
  echo "Done."
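Review bot: The new `MYSQL_FILE` and `RTG_FILE` assignments in the `@@ -15,6 +15,8 @@` hunk never check that mktemp succeeded; with `-q` a failure is silent, the variable stays empty, and the later `cat <<EOT >$MYSQL_FILE` and `cat $MYSQL_FILE | $MYSQLBIN/mysql -u root ...` lines degrade to a bad redirect or to reading stdin while still authenticated as the MySQL root user. Nothing removes the two files either, so the file holding the `CREATE USER ... IDENTIFIED BY` statement with the RTG password stays in /tmp after the script finishes. I would append `|| exit 1` to both mktemp assignments and add `trap 'rm -f "$MYSQL_FILE" "$RTG_FILE"' EXIT` right after them, quoting the variables at the two `cat` sites as well. Separately, the context line `CREATE USER '$USER'@'$HOST' IDENTIFIED BY '$RTG_PASS';` references `$RTG_PASS` while the script defines `RTGPASS`, so the account appears to be created with an empty password and the later `-p$RTGPASS` login would not match; that mismatch predates this commit but is worth fixing while the heredoc is being rewritten. The script continues outside the hunk on both sides.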