Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
nl6720
archiso
Commits
183ae527
Verified
Commit
183ae527
authored
Nov 30, 2020
by
nl6720
Browse files
Prevent path traversal outside of $airootfs_dir
parent
42d9e4f9
Pipeline
#3258
passed with stage
in 14 seconds
Changes
1
Pipelines
2
Hide whitespace changes
Inline
Side-by-side
archiso/mkarchiso
View file @
183ae527
...
...
@@ -268,11 +268,15 @@ _make_custom_airootfs() {
# Set ownership and mode for files and directories
for
filename
in
"
${
!file_permissions[@]
}
"
;
do
IFS
=
':'
read
-ra
permissions
<<<
"
${
file_permissions
[
"
${
filename
}
"
]
}
"
if
[[
-e
"
${
airootfs_dir
}${
filename
}
"
]]
;
then
chown
-fh
--
"
${
permissions
[0]
}
:
${
permissions
[1]
}
"
"
${
airootfs_dir
}${
filename
}
"
chmod
-f
--
"
${
permissions
[2]
}
"
"
${
airootfs_dir
}${
filename
}
"
else
# Prevent file path traversal outside of $airootfs_dir
if
[[
"
$(
realpath
-q
--
"
${
airootfs_dir
}${
filename
}
"
)
"
!=
"
${
airootfs_dir
}
"
*
]]
;
then
_msg_error
"Failed to set permissions on '
${
airootfs_dir
}${
filename
}
'. Outside of valid path."
1
# Warn if the file does not exist
elif
[[
!
-e
"
${
airootfs_dir
}${
filename
}
"
]]
;
then
_msg_warning
"Cannot change permissions of '
${
airootfs_dir
}${
filename
}
'. The file or directory does not exist."
else
echo chown
-fh
--
"
${
permissions
[0]
}
:
${
permissions
[1]
}
"
"
${
airootfs_dir
}${
filename
}
"
echo chmod
-f
--
"
${
permissions
[2]
}
"
"
${
airootfs_dir
}${
filename
}
"
fi
done
_msg_info
"Done!"
...
...
@@ -309,15 +313,22 @@ _make_customize_airootfs() {
if
[[
-e
"
${
profile
}
/airootfs/etc/passwd"
]]
;
then
_msg_info
"Copying /etc/skel/* to user homes..."
while
IFS
=
':'
read
-a
passwd
-r
;
do
# Only operate on UIDs in range 1000–59999
((
passwd[2]
>=
1000
&&
passwd[2] < 60000
))
||
continue
# Skip invalid home directories
[[
"
${
passwd
[5]
}
"
==
'/'
]]
&&
continue
[[
-z
"
${
passwd
[5]
}
"
]]
&&
continue
if
[[
!
-d
"
${
airootfs_dir
}${
passwd
[5]
}
"
]]
;
then
install
-d
-m
0750
-o
"
${
passwd
[2]
}
"
-g
"
${
passwd
[3]
}
"
--
"
${
airootfs_dir
}${
passwd
[5]
}
"
# Prevent path traversal outside of $airootfs_dir
if
[[
"
$(
realpath
-q
--
"
${
airootfs_dir
}${
passwd
[5]
}
"
)
"
==
"
${
airootfs_dir
}
"
*
]]
;
then
if
[[
!
-d
"
${
airootfs_dir
}${
passwd
[5]
}
"
]]
;
then
install
-d
-m
0750
-o
"
${
passwd
[2]
}
"
-g
"
${
passwd
[3]
}
"
--
"
${
airootfs_dir
}${
passwd
[5]
}
"
fi
cp
-dnRT
--preserve
=
mode,timestamps,links
--
"
${
airootfs_dir
}
/etc/skel/."
"
${
airootfs_dir
}${
passwd
[5]
}
"
chmod
-f
0750
--
"
${
airootfs_dir
}${
passwd
[5]
}
"
chown
-hR
--
"
${
passwd
[2]
}
:
${
passwd
[3]
}
"
"
${
airootfs_dir
}${
passwd
[5]
}
"
else
_msg_error
"Failed to set permissions on '
${
airootfs_dir
}${
passwd
[5]
}
'. Outside of valid path."
1
fi
cp
-dnRT
--preserve
=
mode,timestamps,links
--
"
${
airootfs_dir
}
/etc/skel/."
"
${
airootfs_dir
}${
passwd
[5]
}
"
chmod
-f
0750
--
"
${
airootfs_dir
}${
passwd
[5]
}
"
chown
-hR
--
"
${
passwd
[2]
}
:
${
passwd
[3]
}
"
"
${
airootfs_dir
}${
passwd
[5]
}
"
done
<
"
${
profile
}
/airootfs/etc/passwd"
_msg_info
"Done!"
fi
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment