Hey,

On 12/12/2010 Raoul Bönisch wrote:
> Hi again again.
> 
> A way better solution might be this:
> 
> OWNER=$(ls -l "$key" | sed 's/^[^[:space:]]\{10,12\}[[:space:]]\+[^[:space:]]\+[[:space:]]\+\([^[:space:]]\+\).*/\1/')
> 
> It's more future proof than the original method, cause it only
> looks at space and non-space characters and at most counts them.
> So any change in output which does not change space/non-space
> pattern will not make sed notice the user.

thanks for the suggestion. i fixed it another way in the meantime. the
syntax now allows + and . as trailing characters for selinux. to be
honest, i don't like the implementation at all, there really should be a
better way to detect ownership and permissions of a file with only /bin
and /sbin being available.

see the attached patch, it should fix the issue for you. it's already
applied to cryptsetup debian package svn repository.

greetings,
 jonas
247,253d246
< 	# stat is unfortunately in /usr/bin...
< 	OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}//')
< 	GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')
< 	GROUP=$(ls -l "$key" | sed 's/^.\{11\}[^[:space:]]* [^[:space:]]* \([^[:space:]]*\).*/\1/')
< 	# regex needs to work if keyfile has xattrs - https://launchpad.net/bugs/231339
< 	OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
< 
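Review bot: The two comments deleted here ("stat is unfortunately in /usr/bin..." and the xattr note pointing at https://launchpad.net/bugs/231339) are the only record of why the script parses `ls -l` output instead of calling stat(1) and why the regexes tolerate a trailing character after the mode string, and none of the later hunks reintroduce them. Keep both comments next to the new OWNER and OMODE/GMODE lines so the next maintainer does not simplify the parsing away or trip over the xattr case again.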
260c253,254
< 	# Check owner
---
> 	# Check ownership of $key
> 	OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
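Review bot: In `[+\.]\?` the backslash is a literal member of the bracket expression rather than an escape, so the class matches `+`, `\` and `.`; `[+.]\?` says what is meant. The rest of the expression is sound: `^.\{10\}` consumes the mode string, the optional suffix covers the ACL `+` and SELinux `.` markers, the following `.` eats the separating space, and `[^[:space:]]* ` skips the link count before the owner column is captured.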
269a264,269
> 	# Check owner group of $key
> 	GROUP=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
> 	if [ "$GROUP" != "root" ]; then
> 		log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
> 	fi
> 
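Review bot: The GROUP line is a verbatim copy of the OWNER expression from the previous hunk, so it captures the third column (the owner), not the fourth (the group), and the new warning ends up comparing the owner name against "root": a key owned by root with a non-root group never triggers "INSECURE OWNER GROUP". The deleted GROUP regex skipped one more field, and this one needs the same, e.g. `GROUP=$(ls -l "$key" | sed 's/^.\{10\}[+.]\?.[^[:space:]]* [^[:space:]]* \([^[:space:]]*\).*/\1/')`.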
271c271,273
< 	if [ "$OMODE" != "---" ] || [ "$GROUP" != "root" ] && [ "$GMODE" != "---" ]; then
---
> 	GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')
> 	OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')
> 	if [ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]; then
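Review bot: The replacement condition `[ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]` warns only when both the group and the other class have permission bits, so a key with mode 0604 (world-readable, no group bits) or 0640 with a non-root group passes silently. The line being replaced reads as an `||` check, and that is what is wanted here: warn when others have any bit, or when the group is not root and has any bit, e.g. `if [ "$OMODE" != "---" ] || { [ "$GROUP" != "root" ] && [ "$GMODE" != "---" ]; }; then`. Capturing exactly three characters in the new OMODE expression is a genuine fix, though: the old `s/^.\{7\}//` kept a trailing `+` or `.`, which made `"$OMODE" != "---"` true for every keyfile carrying ACLs or an SELinux label.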

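The parsing problem the thread is wrestling with, worked through as an added example that is not code from the thread or from the cryptsetup package: the `ls -l` line is split by counting whitespace-separated columns for owner and group (Raoul's approach, so a trailing `+` or `.` on the mode string cannot shift the fields) while the group and other permission bits are taken from fixed offsets inside the first column only. The function names `keyfile_fields` and `keyfile_check` and the `ls -l` lines in the usage section are constructed for this example; the policy encoded in `keyfile_check` (owner must be root, no other bits, group bits only tolerated for group root) is an assumption, not the package's own rule.

```sh
#!/bin/sh
# Added example, not from the thread or from cryptsetup: parse one "ls -l" line
# with nothing but sed, tolerating an optional "+" (ACL) or "." (SELinux) after
# the ten-character mode string.
#
# keyfile_fields LINE  -> prints "owner group gmode omode"
keyfile_fields() {
    line=$1
    # First column only, e.g. "-rw-------+"; the bits sit at fixed offsets:
    # char 1 type, 2-4 owner, 5-7 group, 8-10 other, anything after is a marker.
    mode=$(printf '%s\n' "$line" | sed 's/[[:space:]].*//')
    gmode=$(printf '%s\n' "$mode" | sed 's/^.\{4\}\(.\{3\}\).*/\1/')
    omode=$(printf '%s\n' "$mode" | sed 's/^.\{7\}\(.\{3\}\).*/\1/')
    # Owner is the third whitespace-separated column, group the fourth.
    # Counting columns instead of characters survives the "+"/"." suffix.
    owner=$(printf '%s\n' "$line" | sed \
        's/^[^[:space:]]\{1,\}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/')
    group=$(printf '%s\n' "$line" | sed \
        's/^[^[:space:]]\{1,\}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/')
    printf '%s %s %s %s\n' "$owner" "$group" "$gmode" "$omode"
}

# keyfile_check LINE  -> returns 0 when the listing looks safe, 1 when it
# should be warned about (assumed policy: root-owned, nothing for "other",
# group bits only acceptable when the group is root).
keyfile_check() {
    set -- $(keyfile_fields "$1")
    owner=$1; group=$2; gmode=$3; omode=$4
    [ "$owner" = "root" ] || return 1
    if [ "$omode" != "---" ] || { [ "$group" != "root" ] && [ "$gmode" != "---" ]; }; then
        return 1
    fi
    return 0
}

# Constructed sample listings (not real files) exercising the marker suffixes.
for l in '-rw------- 1 root root 4096 Dec 12 10:00 /etc/keys/key' \
         '-rw-r-----+ 1 root disk 4096 Dec 12 10:00 /etc/keys/key' \
         '-rw----r--. 1 root root 4096 Dec 12 10:00 /etc/keys/key'; do
    if keyfile_check "$l"; then verdict=ok; else verdict=WARN; fi
    printf '%-8s %s\n' "$verdict" "$(keyfile_fields "$l")"
done
```

Because the owner and group expressions use `\{1,\}` rather than `\+`, they run under a POSIX sed as well as GNU sed, which matters for the "only /bin and /sbin available" constraint the reply mentions.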