Prevent path traversal outside of $airootfs_dir
parent
42d9e4f983
commit
183ae52792
@ -268,11 +268,15 @@ _make_custom_airootfs() {
|
|||||||
# Set ownership and mode for files and directories
|
# Set ownership and mode for files and directories
|
||||||
for filename in "${!file_permissions[@]}"; do
|
for filename in "${!file_permissions[@]}"; do
|
||||||
IFS=':' read -ra permissions <<< "${file_permissions["${filename}"]}"
|
IFS=':' read -ra permissions <<< "${file_permissions["${filename}"]}"
|
||||||
if [[ -e "${airootfs_dir}${filename}" ]]; then
|
# Prevent file path traversal outside of $airootfs_dir
|
||||||
chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"
|
if [[ "$(realpath -q -- "${airootfs_dir}${filename}")" != "${airootfs_dir}"* ]]; then
|
||||||
chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"
|
_msg_error "Failed to set permissions on '${airootfs_dir}${filename}'. Outside of valid path." 1
|
||||||
else
|
# Warn if the file does not exist
|
||||||
|
elif [[ ! -e "${airootfs_dir}${filename}" ]]; then
|
||||||
_msg_warning "Cannot change permissions of '${airootfs_dir}${filename}'. The file or directory does not exist."
|
_msg_warning "Cannot change permissions of '${airootfs_dir}${filename}'. The file or directory does not exist."
|
||||||
|
else
|
||||||
|
echo chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"
|
||||||
|
echo chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
_msg_info "Done!"
|
_msg_info "Done!"
|
||||||
@ -309,15 +313,22 @@ _make_customize_airootfs() {
|
|||||||
if [[ -e "${profile}/airootfs/etc/passwd" ]]; then
|
if [[ -e "${profile}/airootfs/etc/passwd" ]]; then
|
||||||
_msg_info "Copying /etc/skel/* to user homes..."
|
_msg_info "Copying /etc/skel/* to user homes..."
|
||||||
while IFS=':' read -a passwd -r; do
|
while IFS=':' read -a passwd -r; do
|
||||||
|
# Only operate on UIDs in range 1000–59999
|
||||||
(( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue
|
(( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue
|
||||||
|
# Skip invalid home directories
|
||||||
[[ "${passwd[5]}" == '/' ]] && continue
|
[[ "${passwd[5]}" == '/' ]] && continue
|
||||||
[[ -z "${passwd[5]}" ]] && continue
|
[[ -z "${passwd[5]}" ]] && continue
|
||||||
|
# Prevent path traversal outside of $airootfs_dir
|
||||||
|
if [[ "$(realpath -q -- "${airootfs_dir}${passwd[5]}")" == "${airootfs_dir}"* ]]; then
|
||||||
if [[ ! -d "${airootfs_dir}${passwd[5]}" ]]; then
|
if [[ ! -d "${airootfs_dir}${passwd[5]}" ]]; then
|
||||||
install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
|
install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
|
||||||
fi
|
fi
|
||||||
cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel/." "${airootfs_dir}${passwd[5]}"
|
cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel/." "${airootfs_dir}${passwd[5]}"
|
||||||
chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
|
chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
|
||||||
chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
|
chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
|
||||||
|
else
|
||||||
|
_msg_error "Failed to set permissions on '${airootfs_dir}${passwd[5]}'. Outside of valid path." 1
|
||||||
|
fi
|
||||||
done < "${profile}/airootfs/etc/passwd"
|
done < "${profile}/airootfs/etc/passwd"
|
||||||
_msg_info "Done!"
|
_msg_info "Done!"
|
||||||
fi
|
fi
|
||||||
|
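Review bot: In the `_make_custom_airootfs` hunk, the new `else` branch appears to run `echo chown …` and `echo chmod …`, so the ownership and mode from `file_permissions` are only printed and never applied to the image; the two lines should read `chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"` and `chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"`. The containment test in both hunks is a bare prefix match, `"${airootfs_dir}"*`, which also accepts a sibling path whose name merely starts with the same string; matching on `"${airootfs_dir}/"*` would anchor it at a directory boundary, with the root entry itself handled separately if it is ever a valid key. `realpath -q` prints nothing when it cannot resolve a path, so in the first hunk an entry with a missing parent directory would presumably hit the fatal "Outside of valid path" branch before the does-not-exist warning is reached. Both function bodies continue outside the hunks, and the comparison relies on `airootfs_dir` already being canonical, which is not visible here.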