Bug#807442: patch
On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > --- s390-tools-1.32.0/debian/changelog 2015-10-25 17:12:02.000000000 +0100
> > +++ s390-tools-1.32.0/debian/changelog 2015-12-08 23:14:52.000000000 +0100
> > @@ -1,3 +1,9 @@
> > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> > +
> > + * Add dbginfo.sh. (Closes: #807442)
> > +
> > + -- dann frazier <dannf@debian.org> Tue, 08 Dec 2015 22:33:52 +0100
> > +
> > s390-tools (1.32.0-1) unstable; urgency=medium
> >
> > * New upstream release
> > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > --- s390-tools-1.32.0/debian/s390-tools.install 2014-07-26 23:59:18.000000000 +0200
> > +++ s390-tools-1.32.0/debian/s390-tools.install 2015-12-08 23:08:30.000000000 +0100
> > @@ -10,6 +10,10 @@
> > /sbin/dasdview
> > /usr/share/man/man8/dasdview.8
> >
> > +# dbginfo.sh
> > +/sbin/dbginfo.sh
> > +/usr/share/man/man1/dbginfo.sh.1
> > +
> > # fdasd
> > /sbin/fdasd
> > /usr/share/man/man8/fdasd.8
>
> Three comments:
>
> * dbginfo.sh should tell the user that the information in the tarball
> is sensitive.
> * The resulting tarball should be 0600 by default. (The script needs
> to run as root anyway, but placing the result world-readable in
> /tmp does not seem smart.)
> * Unless this is expected to be in /sbin, given that it's user
> invoked and not usually scripted, should this be in /usr/sbin
> instead?
Good feedback, thanks Philipp! I've addressed all 3 issues in the
attached updated patch.
diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
--- s390-tools-1.32.0/debian/changelog 2015-12-13 09:50:48.000000000 -0500
+++ s390-tools-1.32.0/debian/changelog 2016-01-29 12:56:29.000000000 -0500
@@ -1,3 +1,12 @@
+s390-tools (1.32.0-3) UNRELEASED; urgency=medium
+
+ * Add dbginfo.sh. (Closes: #807442, LP: #1539719)
+ - dbginfo.sh-umask.patch: Avoid leaking content to unprivileged users.
+ - dbginfo.sh-warn.patch: Warn users about the sensitivity of the data
+ this tool collects.
+
+ -- dann frazier <dannf@debian.org> Fri, 29 Jan 2016 12:49:16 -0500
+
s390-tools (1.32.0-2) unstable; urgency=medium
[ Hendrik Brueckner ]
diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch
--- s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 1969-12-31 19:00:00.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 2016-01-29 12:21:06.000000000 -0500
@@ -0,0 +1,16 @@
+Description: dbginfo.sh: set umask to prevent local leaks of sensitive data
+Author: dann frazier <dannf@debian.org>
+Last-Update: 2016-01-29
+
+Index: s390-tools-1.32.0/scripts/dbginfo.sh
+===================================================================
+--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
++++ s390-tools-1.32.0/scripts/dbginfo.sh
+@@ -12,6 +12,7 @@ export LC_ALL
+ # The general name of this script
+ readonly SCRIPTNAME="${0##*/}"
+
++umask 0077
+
+ ########################################
+ # print version info
diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch
--- s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 1969-12-31 19:00:00.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 2016-01-29 12:32:51.000000000 -0500
@@ -0,0 +1,38 @@
+Description: dbginfo.sh: Sensitivity training
+ Warn users that the archive this tool generates contains sensitive data,
+ and give them an opportunity to exit.
+Author: dann frazier <dannf@debian.org>
+Last-Update: 2016-01-29
+
+Index: s390-tools-1.32.0/scripts/dbginfo.sh
+===================================================================
+--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
++++ s390-tools-1.32.0/scripts/dbginfo.sh
+@@ -71,6 +71,27 @@ if test "$(/usr/bin/id -u 2>/dev/null)"
+ exit 1
+ fi
+
++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
++echo " Warning: The archive created by this utility will contain sensitive"
++echo " information including, but not limited to:"
++echo " - configuration files"
++echo " - log files"
++echo " - hardware state information"
++echo " - running process state and command line arguments"
++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
++echo ""
++echo -n " Do you wish to continue? [y/N]> "
++read resp
++case "$resp" in
++ y|Y)
++ :
++ ;;
++ *)
++ echo "OK, exiting."
++ exit 0
++esac
++
++
+ #######################################
+ # Parsing the command line
+ #
diff -Nru s390-tools-1.32.0/debian/patches/series s390-tools-1.32.0/debian/patches/series
--- s390-tools-1.32.0/debian/patches/series 2015-12-13 09:41:14.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/series 2016-01-29 12:21:21.000000000 -0500
@@ -6,3 +6,5 @@
zipl-optional.patch
disable.patch
sg3-utils.patch
+dbginfo.sh-umask.patch
+dbginfo.sh-warn.patch
diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
--- s390-tools-1.32.0/debian/s390-tools.install 2015-12-13 09:47:24.000000000 -0500
+++ s390-tools-1.32.0/debian/s390-tools.install 2016-01-29 12:40:00.000000000 -0500
@@ -10,6 +10,10 @@
/sbin/dasdview
/usr/share/man/man8/dasdview.8
+# dbginfo.sh
+/sbin/dbginfo.sh /usr/sbin
+/usr/share/man/man1/dbginfo.sh.1
+
# fdasd
/sbin/fdasd
/usr/share/man/man8/fdasd.8
Reply to: