From fc4531ff4556b1aa4d8bc058139a116630b61db7 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 8 Jul 2005 05:05:49 +0000 Subject: [PATCH] fixed security hole with world-open umask --- debian/postinst | 44 ++++++++++++++++++++++++++++++++++++++++++++ fail2ban.py | 4 +++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100755 debian/postinst diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 00000000..4f748078 --- /dev/null +++ b/debian/postinst @@ -0,0 +1,44 @@ +#! /bin/sh +# postinst script for fail2ban +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# + +case "$1" in + configure) + # To fix the bug in generated by previous version files permissions + LOG=/var/log/fail2ban.log + [ -f $LOG ] && chmod go-w $LOG + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/fail2ban.py b/fail2ban.py index 212ce7fa..98e9d96e 100755 --- a/fail2ban.py +++ b/fail2ban.py @@ -129,7 +129,9 @@ def createDaemon(): # to do this could make a filesystem unmountable. os.chdir("/") # Give the child complete control over permissions. - os.umask(0) + # yoh: BAD BAD BAD IDEA - generated files are writable by everybody + # changing to restrictive umask + os.umask(0022) else: os._exit(0) # Exit parent (the first child) of the second child. else: